maria-discuss team mailing list archive
Message #06013
Galera with TLS not happy.
Hi guys.
I'm trying to add encryption to my already working Galera
cluster and I've looked at a number of tutorials, official ones
included.
I've added these to configs:
[mariadb]
ssl_cert = /etc/my.cnf.d/certs/c8kubernode2.private.pawel.crt
ssl_key = /etc/my.cnf.d/certs/c8kubernode2.private.pawel.key
ssl_ca = /etc/my.cnf.d/certs/ca.crt
[mysqld]
wsrep_provider_options="socket.ssl=yes;socket.ssl_cert=/etc/my.cnf.d/certs/c8kubernode2.private.pawel.crt;socket.ssl_key=/etc/my.cnf.d/certs/c8kubernode2.private.pawel.key;socket.ssl_ca=/etc/my.cnf.d/certs/ca.crt"
The first server, with the configs above, starts okay with
'galera_new_cluster', but the second (I'm on CentOS 8), when
started normally with systemd, shows:
...
2021-03-29 17:33:34 0 [ERROR] WSREP: gcomm/src/asio_tcp.cpp:handshake_handler():128: handshake with remote endpoint ssl://10.1.1.223:4567 failed: asio.ssl:337047686: 'certificate verify failed' ( 337047686: 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed')
2021-03-29 17:33:36 0 [ERROR] WSREP: gcomm/src/asio_tcp.cpp:handshake_handler():128: handshake with remote endpoint ssl://10.1.1.223:4567 failed: asio.ssl:337047686: 'certificate verify failed' ( 337047686: 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed')
...
and eventually, after a moment, fails.
The second server has the same bits in its configs; only the
file names are different, naturally.
I also see this, in case it might tell more or be relevant;
this is on the 'galera_new_cluster' node, up & running:
-> $ mysql --ssl -h c8kubernode2.private.pawel -u wordpress -p --ssl-verify-server-cert=true
Enter password:
ERROR 2026 (HY000): SSL connection error: self signed certificate in certificate chain
-> $ mysql --ssl -h c8kubernode2.private.pawel -u wordpress -p --ssl-verify-server-cert=false
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
But if this is a 'CN' problem, then looking at the mysql server
cert:
-> $ _my._sslPrintCert.sh c8kubernode2.private.pawel.crt
issuer=CN = "nodemaster.private.pawel," # <= here, it matches server's hostname as expected.
subject=CN = c8kubernode2.private.pawel
notAfter=Jul 2 20:50:57 2023 GMT
Certificate:
...
Also, in case it might matter, as you can see I do not have the
[sst] bits done yet.
I'll appreciate any ideas someone cares to share.
Many thanks, L.
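As an added diagnostic (not part of the original post), a POSIX shell function that runs, on one node's files, the three checks this error points at: that the node cert chains to the ca.crt configured in socket.ssl_ca, that the key matches the cert, and that the cert names the hostname clients verify with --ssl-verify-server-cert. It assumes openssl is installed; the file paths and hostname below are the ones from the post.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: checks the pieces behind
# "certificate verify failed" in the Galera/asio SSL handshake.
# Usage: check_node_cert CA_FILE CERT_FILE KEY_FILE HOSTNAME
# Returns 0 when all checks pass, 1 otherwise, printing one line per check.

check_node_cert() {
    ca="$1"; cert="$2"; key="$3"; host="$4"; rc=0

    # 1. Does the node cert chain to the CA file? Every node verifies its
    #    peers against its own socket.ssl_ca, so a cert that does not chain
    #    to the CA the peer trusts fails exactly as in the log above.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok   chain: $cert verifies against $ca"
    else
        echo "FAIL chain: $cert does not verify against $ca"; rc=1
    fi

    # 2. Do cert and private key belong together? (compare public keys)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok   keypair: $key matches $cert"
    else
        echo "FAIL keypair: $key does not match $cert"; rc=1
    fi

    # 3. Does the cert name the hostname clients connect with? This is the
    #    check --ssl-verify-server-cert=true performs on the client side.
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'; then
        echo "ok   hostname: $cert matches $host"
    else
        echo "FAIL hostname: $cert does not match $host"; rc=1
    fi
    return "$rc"
}

# Example invocation with the paths from the post (run on the node itself):
# check_node_cert /etc/my.cnf.d/certs/ca.crt \
#     /etc/my.cnf.d/certs/c8kubernode2.private.pawel.crt \
#     /etc/my.cnf.d/certs/c8kubernode2.private.pawel.key \
#     c8kubernode2.private.pawel
if [ "$#" -eq 4 ]; then check_node_cert "$@"; fi
```

Run it on each node with that node's own files; a FAIL on the chain check on either side is the case the log above shows.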