[From nobody Mon Apr 13 17:21:07 2026
From: Dorian <dorian@z-elec.pro>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mariadb-server: Apparmor blocks access to SSL key
Message-ID: <177451383492.256936.12075871470708914538.reportbug@localhost>
X-Mailer: reportbug 13.2.0
Date: Thu, 26 Mar 2026 09:30:34 +0100

Package: mariadb-server
Version: 1:11.8.6-4
Severity: normal
Tags: patch

Dear Maintainer,



By default, the AppArmor configuration of mariadb blocks access to SSL keys such as the Let's Encrypt one.

audit: type=1400 audit(1774503700.183:177): apparmor="DENIED" operation="open" class="file" profile="mariadbd" name="/etc/letsencrypt/archive/xxxxx/privkey6.pem" pid=246482 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=104 ouid=0

And the mariadb systemd fails:

SSL error: Unable to get private key from '/etc/letsencrypt/live/z-elec.pro/privkey.pem'
2026-03-26  7:10:37 0 [ERROR] Failed to setup SSL
2026-03-26  7:10:37 0 [ERROR] SSL error: Unable to get private key
2026-03-26  7:10:37 0 [ERROR] Aborting
260326  7:10:37 server_audit: STOPPED


A patch like this on /etc/apparmor.d/local/mariadbd solves the issue:

/etc/letsencrypt/live/xxxx/privkey.pem    r,
/etc/letsencrypt/archive/xxx/**  r,


-- System Information:
Debian Release: forky/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.19.6+deb14+1-cloud-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mariadb-server depends on:
ii  debconf [debconf-2.0]       1.5.92
ii  galera-4                    26.4.25-2
ii  gawk                        1:5.3.2-1
ii  iproute2                    6.19.0-1
ii  libc6                       2.42-13
ii  libdbi-perl                 1.647-1+b1
ii  libgcc-s1                   16-20260308-1
ii  libpam0g                    1.7.0-5+b1
ii  libssl3t64                  3.6.1-3
ii  libstdc++6                  16-20260308-1
ii  lsof                        4.99.4+dfsg-2
ii  mariadb-client              1:11.8.6-4
ii  mariadb-common              1:11.8.6-4
ii  mariadb-server-core         1:11.8.6-4
ii  passwd                      1:4.18.0-2
ii  perl                        5.40.1-7
ii  procps                      2:4.0.4-9+b1
ii  psmisc                      23.7-2
ii  rsync                       3.4.1+ds1-7
ii  socat                       1.8.1.1-1
ii  systemd [systemd-sysusers]  260.1-1
ii  zlib1g                      1:1.3.dfsg+really1.3.1-3

Versions of packages mariadb-server recommends:
ii  libhtml-template-perl           2.97-2
ii  mariadb-plugin-provider-bzip2   1:11.8.6-4
ii  mariadb-plugin-provider-lz4     1:11.8.6-4
ii  mariadb-plugin-provider-lzma    1:11.8.6-4
ii  mariadb-plugin-provider-lzo     1:11.8.6-4
ii  mariadb-plugin-provider-snappy  1:11.8.6-4
ii  pv                              1.10.4-1

Versions of packages mariadb-server suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20220412cvs-1.1
pn  mariadb-test       <none>
ii  netcat-openbsd     1.234-2

-- Configuration Files:
/etc/mysql/mariadb.conf.d/50-server.cnf changed [not included]

-- debconf information excluded
]
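Added example, not part of the original report and not MariaDB or Debian code: a small parser that turns AppArmor DENIED audit records like the one quoted above into candidate rules for the profile's local override file. The function names, the two constructed sample lines, the mapping of profile name to /etc/apparmor.d/local/<profile>, and the choice to glob the numeric suffix of the key file (so the rule still matches after a certificate renewal) are assumptions of this example.

```python
import re
from collections import defaultdict

# key=value pairs as the kernel audit subsystem prints them; values may be quoted
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {k: v.strip('"') for k, v in PAIR.findall(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields

def generalize(path):
    """Replace a numeric suffix before the extension (privkey6.pem) with a glob.
    This is a choice made by this example, not something the report prescribes."""
    return re.sub(r'\d+(\.\w+)$', r'*\1', path)

def suggest_rules(lines):
    """Map profile name -> sorted candidate rules for its local override file."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d and d.get("class") == "file":
            rules[d["profile"]].add(f'{generalize(d["name"])} {d["denied_mask"]},')
    return {p: sorted(r) for p, r in rules.items()}

# First line is the denial quoted in the report; the other two are constructed.
SAMPLE = [
    'audit: type=1400 audit(1774503700.183:177): apparmor="DENIED" operation="open" '
    'class="file" profile="mariadbd" name="/etc/letsencrypt/archive/xxxxx/privkey6.pem" '
    'pid=246482 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=104 ouid=0',
    'audit: type=1400 audit(1774503700.200:178): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="mariadbd" pid=1',
    'systemd[1]: mariadb.service: Failed with result exit-code.',
]

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE).items():
        print(f"# /etc/apparmor.d/local/{profile}")
        print("\n".join(rules))
```

The rule it prints covers only the private key files in that archive directory, which is narrower than a `**` read rule over the whole directory.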