Hi guys.
I'm trying to add encryption to my already working Galera
cluster and I've looked at a number of tutorials, official ones
included.
I've added these to configs:
[mariadb]
ssl_cert = /etc/my.cnf.d/certs/c8kubernode2.private.pawel.crt
ssl_key = /etc/my.cnf.d/certs/c8kubernode2.private.pawel.key
ssl_ca = /etc/my.cnf.d/certs/ca.crt
[mysqld]
wsrep_provider_options="socket.ssl=yes;socket.ssl_cert=/etc/my.cnf.d/certs/c8kubernode2.private.pawel.crt;socket.ssl_key=/etc/my.cnf.d/certs/c8kubernode2.private.pawel.key;socket.ssl_ca=/etc/my.cnf.d/certs/ca.crt"
The first server, with the above configs, starts okay with
'galera_new_cluster', but the second (I'm on CentOS 8), when
started as normal with systemd, shows:
...
2021-03-29 17:33:34 0 [ERROR] WSREP:
gcomm/src/asio_tcp.cpp:handshake_handler():128: handshake
with remote endpoint ssl://10.1.1.223:4567 failed:
asio.ssl:337047686: 'certificate verify failed' ( 337047686:
'error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify
failed')
2021-03-29 17:33:36 0 [ERROR] WSREP:
gcomm/src/asio_tcp.cpp:handshake_handler():128: handshake
with remote endpoint ssl://10.1.1.223:4567 failed:
asio.ssl:337047686: 'certificate verify failed' ( 337047686:
'error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify
failed')
...
and eventually after a moment fails.
The second server has the same bits in its configs; only,
naturally, the file names are different, respectively.
I also see this, in case it might tell more or be relevant;
this is on the 'galera_new_cluster' node, up & running:
-> $ mysql --ssl -h c8kubernode2.private.pawel -u wordpress
-p --ssl-verify-server-cert=true
Enter password:
ERROR 2026 (HY000): SSL connection error: self signed
certificate in certificate chain
-> $ mysql --ssl -h c8kubernode2.private.pawel -u wordpress
-p --ssl-verify-server-cert=false
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
But if this is 'CN' problem then looking at the mysql server
cert:
-> $ _my._sslPrintCert.sh c8kubernode2.private.pawel.crt
issuer=CN = "nodemaster.private.pawel," # <= here, it
matches server's hostname as expected.
subject=CN = c8kubernode2.private.pawel
notAfter=Jul 2 20:50:57 2023 GMT
Certificate:
...
Also, in case it might matter, as you can see I do not have the
[sst] bits done yet.
I'll appreciate any ideas someone cares to share.
Many thanks, L.
_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to : [email protected]
Unsubscribe : https://launchpad.net/~maria-discuss
More help : https://help.launchpad.net/ListHelp
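As an added example (not from the original post or from the MariaDB/Galera project): a POSIX shell check for the two conditions behind a gcomm "certificate verify failed" handshake, that a node's certificate chains to the CA file the peers configure as ssl_ca / socket.ssl_ca, and that it is issued for the node's hostname. It runs on constructed throwaway certificates under a mktemp directory; the file names and hostnames are assumptions, not the poster's.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the two things a peer's
# gcomm TLS handshake needs from a node certificate: it must chain to the CA
# in ssl_ca / socket.ssl_ca, and it must be issued for the node's hostname.
# All files live in a throwaway directory holding constructed demo certs.
set -eu

WORK=$(mktemp -d)

# Constructed material: one CA, node1 signed by it, node2 self-signed and
# therefore unknown to the CA (the mismatch behind "certificate verify failed").
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=node1.example" \
      -keyout "$WORK/node1.key" -out "$WORK/node1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/node1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 2 -out "$WORK/node1.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=node2.example" \
      -keyout "$WORK/node2.key" -out "$WORK/node2.crt" 2>/dev/null
}

# check_node_cert CA_FILE CERT_FILE HOSTNAME
# 0: chains to CA and matches host; 1: not signed by this CA; 2: wrong host.
check_node_cert() {
  ca=$1; cert=$2; host=$3
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca (peers will log 'certificate verify failed')"
    return 1
  fi
  # -checkhost uses SAN dNSName entries, or the subject CN when there is no SAN.
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match"; then
    echo "FAIL: $cert is not issued for $host"
    return 2
  fi
  echo "OK: $cert chains to $ca and is issued for $host"
}

# Demo run: node1 passes, node2 fails the chain check.
make_demo_certs
check_node_cert "$WORK/ca.crt" "$WORK/node1.crt" node1.example || true
check_node_cert "$WORK/ca.crt" "$WORK/node2.crt" node2.example || true
```

On real nodes the same two openssl commands apply to each node's own .crt against the ca.crt from /etc/my.cnf.d/certs/, and every node must carry the same ca.crt. The client-side "self signed certificate in certificate chain" error has the same root cause when mysql is run without --ssl-ca pointing at that CA file.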