MariaDB Galera SSL

Discussion in 'Server Operation' started by remkoh, Oct 18, 2023.

    remkoh (Active Member):

    I have 2 MariaDB servers (v10.11.5) as a Galera cluster and a third Garb node as arbitrator to prevent split-brain situations.
    All servers have a LE certificate.
    I was trying to set up SSL in MariaDB but ran into weird errors.

    Added this in /etc/mysql/mariadb.conf.d/50-server.cnf on the first node:
    ssl-ca = /var/lib/mysql/ssl/ca.crt
    ssl-cert = /var/lib/mysql/ssl/db01.crt
    ssl-key = /var/lib/mysql/ssl/db01.key
    tls_version = TLSv1.2,TLSv1.3
    MariaDB started just fine on this node.

    Added this in /etc/mysql/mariadb.conf.d/50-server.cnf on the second node:
    ssl-ca = /var/lib/mysql/ssl/ca.crt
    ssl-cert = /var/lib/mysql/ssl/db02.crt
    ssl-key = /var/lib/mysql/ssl/db02.key
    tls_version = TLSv1.2,TLSv1.3
    MariaDB wouldn't start.

    This is what is logged:
    2023-10-17 16:36:35 0 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'joiner' --address '<node ip>' --datadir '/var/lib/mysql/' --parent 917028 --progress 0 --mysqld-args --wsrep_start_position=57b157ea-61dc-11ee-8d0c-eb07357b58fa:985345'
    WSREP_SST: [INFO] rsync SST started on joiner (20231017 16:36:35.070)
    WSREP_SST: [INFO] run: "/usr//bin/openssl" verify -verbose -CAfile "/var/lib/mysql/ssl/ca.crt" "/var/lib/mysql/ssl/db02.crt" (20231017 16:36:35.226)
    WSREP_SST: [INFO] output: C = US, O = Internet Security Research Group, CN = ISRG Root X1
    error 2 at 2 depth lookup: unable to get issuer certificate
    error /var/lib/mysql/ssl/db02.crt: verification failed (20231017 16:36:35.230)
    WSREP_SST: [ERROR] ******** FATAL ERROR ******************************************** (20231017 16:36:35.233)
    WSREP_SST: [ERROR] * The certifcate and CA (certificate authority) do not match.   * (20231017 16:36:35.236)
    WSREP_SST: [ERROR] * It does not appear that the certificate was issued by the CA. * (20231017 16:36:35.239)
    WSREP_SST: [ERROR] * Please check your certificate and CA files.                   * (20231017 16:36:35.242)
    WSREP_SST: [ERROR] ***************************************************************** (20231017 16:36:35.245)
    The same certificate is used by other services without any issues.
    The files used by MariaDB are straight-up copies with altered ownership and permissions for MariaDB.
    Just like on the first node, which seems to run fine.

    When I delete or comment out the CA line, MariaDB does start.
    #ssl-ca = /var/lib/mysql/ssl/ca.crt
    But testing from the command line then gives a CA error.

    For now I disabled all SSL settings in MariaDB and Garb.

    Does anyone have any clue as to why the CA error is happening on starting MariaDB, and furthermore how to set up SSL properly using LE certificates?

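Added example, not from the post above and not MariaDB's own code. The two log lines that carry the diagnosis are the command the SST script ran, `openssl verify -verbose -CAfile ca.crt db02.crt`, and its result, `error 2 at 2 depth lookup: unable to get issuer certificate`. Plain `openssl verify` reads only the first certificate from the cert file, builds the chain from whatever the `-CAfile` contains, and succeeds only when it reaches a self-signed certificate that is in that file. "error N at D depth lookup" means the certificate at depth D (0 is the server certificate itself) was found, but nothing in the CA file was accepted as its issuer. Failing at depth 2 on a certificate whose subject is ISRG Root X1 is consistent with a CA file that holds intermediates but no self-signed ISRG Root X1 to anchor the chain: Let's Encrypt's chain.pem contains only intermediates, and the ISRG Root X1 in its default chain is the cross-signed one, whose issuer is DST Root CA X3. The script below builds a throw-away root/intermediate/leaf PKI (all names, file names and the `db02.example.test` CN are constructed) and runs the same check against several CA-file layouts; it needs only the openssl command line.

```shell
#!/bin/sh
# Added example, not from the forum post or from MariaDB: reproduce the check that
# the SST script logged, `openssl verify -CAfile <ssl-ca> <ssl-cert>`, against a
# throw-away PKI to show which layouts of the CA file pass and which fail with
# "unable to get issuer certificate".
set -eu

# check_ca_match CAFILE CERT: the SST pre-flight check. Succeeds only if the FIRST
# certificate in CERT chains, using certificates found in CAFILE alone, up to a
# self-signed certificate that is also in CAFILE.
check_ca_match() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# chain_summary FILE: one subject=/issuer= pair per certificate in a PEM bundle.
chain_summary() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# has_trust_anchor FILE: succeed if the bundle holds a self-signed certificate
# (subject == issuer). Without one, `openssl verify -CAfile FILE` cannot succeed
# no matter how many intermediates FILE carries.
has_trust_anchor() {
    chain_summary "$1" | awk '
        /^subject=/ { s = substr($0, 9) }
        /^issuer=/  { if (substr($0, 8) == s) found = 1 }
        END { exit found ? 0 : 1 }'
}

# make_test_pki DIR: constructed root -> intermediate -> leaf hierarchy (all names
# made up), laid out the way an ACME client does: cert.pem, chain.pem, fullchain.pem.
make_test_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    # self-signed root
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    # intermediate, signed by the root
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    # leaf (the database server certificate), signed by the intermediate
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=db02.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/cert.pem" 2>/dev/null
    cp "$d/int.crt" "$d/chain.pem"                        # intermediates only, no root
    cat "$d/cert.pem" "$d/int.crt" > "$d/fullchain.pem"   # leaf + intermediates
    cat "$d/int.crt" "$d/root.crt" > "$d/ca.pem"          # intermediates + self-signed root
}

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
make_test_pki "$PKI_DIR"

# demo: run the SST-style check with each candidate ssl-ca and show OpenSSL's verdict.
demo() {
    for ca in chain.pem root.crt ca.pem; do
        printf '\n== ssl-ca=%s ssl-cert=cert.pem ==\n' "$ca"
        openssl verify -CAfile "$PKI_DIR/$ca" "$PKI_DIR/cert.pem" 2>&1 || true
        if has_trust_anchor "$PKI_DIR/$ca"; then
            echo "(ssl-ca contains a self-signed root)"
        else
            echo "(ssl-ca contains NO self-signed root: it can never verify anything)"
        fi
    done
    # The check reads only the first certificate of ssl-cert, so a fullchain-style
    # file does not help; the intermediates must be in ssl-ca (or passed as -untrusted).
    printf '\n== ssl-ca=chain.pem ssl-cert=fullchain.pem ==\n'
    openssl verify -CAfile "$PKI_DIR/chain.pem" "$PKI_DIR/fullchain.pem" 2>&1 || true
    printf '\n== root only as trust anchor, intermediates supplied as -untrusted ==\n'
    openssl verify -CAfile "$PKI_DIR/root.crt" -untrusted "$PKI_DIR/chain.pem" "$PKI_DIR/cert.pem" 2>&1 || true
}
demo
```

Only the ca.pem layout (intermediates plus the self-signed root in one file) passes the check the SST script runs; chain.pem alone fails at the last intermediate with "unable to get issuer certificate", and the root alone fails at depth 0 because the leaf's issuer is missing. Run `has_trust_anchor` against the file you point ssl-ca at before starting the node, and when in doubt run `openssl verify -CAfile <ssl-ca> <ssl-cert>` by hand as the mysql user, since that is exactly what the joiner does before an SST.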