Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revamp SSL documentation #252

Open
byte opened this issue Mar 3, 2021 · 4 comments
Open

Revamp SSL documentation #252

byte opened this issue Mar 3, 2021 · 4 comments
Assignees

Comments

@byte
Copy link
Contributor

byte commented Mar 3, 2021

Make sure we talk about SSL for MariaDB Server and MySQL 8. There are config differences. also Percona XtraDB Cluster (PXC) 8 has SSL on by default

Address the below report:
We stumbled upon some problems today when we wanted to move Galera
Replication from standard to SSL:

[ERROR] WSREP: handshake with remote endpoint ssl://10.96.0.13:4567 failed: asio.ssl:337047686: 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed')

and also:

Looking for 'mysql' as: /usr/bin/mysql Version check failed. Got the following error when calling the 'mysql' command line client ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed

After we were reading through your documentation we found 2 topics which
would have saved us some time:

https://galeracluster.com/library/documentation/ssl-cert.html

  1. It was not clear to the customer, that a Galera node also needs the
    client key and certificate (he thought that this is only necessary for
    client-server communication). So I suggest to you to make a red frame
    around this sentence as well:

"Each node requires both to secure client activity and state snapshot
transfers."

Possibly listening all files which are needed would help as well???

  1. Further: Documentation statement:

"In the event that this verification fails, repeat the above process to
generate replacement certificates."

is not really helpful because if you do our mistake you will end up in
the same situation again and again. We found out, that above error
happens because of this:

https://stackoverflow.com/questions/19726138/openssl-error-18-at-0-depth-lookupself-signed-certificate

"Whatever method you use to generate the certificate and key files, the
Common Name value used for the server and client certificates/keys must
each differ from the Common Name value used for the CA certificate.
Otherwise, the certificate and key files will not work for servers
compiled using OpenSSL."

As soon as we used different CN (instead of Enter, Enter, Enter, ...) it
worked. So you could add a hint stating this?

@kirjaamo kirjaamo self-assigned this Mar 10, 2021
@kirjaamo
Copy link
Collaborator

Would these sove this issue:

  1. I make a note out of "Each node requires both to secure client activity and state snapshot transfers."
  2. I add a sentence after "In the event that this verification fails...", stating that "The Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL."

@byte
Copy link
Contributor Author

byte commented Mar 11, 2021

This would move things further, but I think this is more a placeholder for me, to also do blogs/tutorials on this

kirjaamo added a commit that referenced this issue Mar 11, 2021
@kirjaamo
Copy link
Collaborator

OK. I added those. There's a bracnh for you to continue.

@kirjaamo
Copy link
Collaborator

@byte Can we close this issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants