Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL autoconfig for SST doesn't work when mysqld auto-generated certificates are used. #395

Open
venkatesh-prasad-v opened this issue Nov 5, 2021 · 0 comments
Open

SSL autoconfig for SST doesn't work when mysqld auto-generated certificates are used. #395

venkatesh-prasad-v opened this issue Nov 5, 2021 · 0 comments

Comments

@venkatesh-prasad-v
Copy link

venkatesh-prasad-v commented Nov 5, 2021
edited
Loading

When the MySQL server generates its own SSL certificates, it uses the
below Common Names for its certificates (See do_auto_cert_generation()).

  ca-certificate: MySQL_Server_5.7.34_Auto_Generated_CA_Certificate
  server-cert: MySQL_Server_5.7.34_Auto_Generated_Server_Certificate
  client-certificate: MySQL_Server_5.7.34_Auto_Generated_Client_Certificate

As per the recent SSL improvements in 5.7.34, the joiner generates and sends a
secret message consisting of a random string + Common Name of the SSL
certificate together within the address in State Transfer Request in order
to authenticate the donor on connection.

However, the logic of fetching the Common Name from the certificate
doesn't work well for the auto-generated SSL certificates, resulting
in the SST failure.

WSREP_SST: [INFO] Encrypting with CERT: /home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-cert.pem, KEY: /home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-key.pem, CA: /home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/ca.pem (20211105 09:06:02.030)
...
WSREP_SST: [INFO] Evaluating xbstream -c ${INFO_FILE} | socat -u stdio openssl-connect:127.0.0.1:5020,cert=/home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-cert.pem,key=/home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-key.pem,cafile=/home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/ca.pem,verify=1,commonname='CN '; RC=( ${PIPESTATUS[@]} ) (20211105 09:06:02.045)
2021/11/05 09:06:02 socat[18518] E certificate is valid but its commonName does not match hostname
WSREP_SST: [ERROR] Error while sending data to joiner node:  exit codes: 0 1 (20211105 09:06:02.053)

This is because of the fact that the logic used in https://github.com/codership/mysql-wsrep/blob/wsrep_5.7.34-25.26/scripts/wsrep_sst_xtrabackup-v2.sh#L1099-L1101 doesn't work with auto-generated certificates.

$ openssl x509 -noout -subject -in <path/to/>server-cert.pem | tr "," "\n" | grep "CN =" | cut -d= -f2 
 CN

Here it used "CN " as the common name for the SST.

Steps to reproduce:

  1. Initialize the server with --ssl option to auto-generate the SSL certificates.
  2. Use the same auto-generated ssl-ca, ssl-cert and ssl-key certificates during the SST by specifying the options in the [sst] section of the joiner cnf file.
  3. Start the cluster.

Suggestion:
The proper command should be

$ openssl x509 -noout -subject -nameopt multiline -in <path/to/>server-cert.pem | grep commonName | cut -d= -f2- 
 MySQL_Server_5.7.34_Auto_Generated_Server_Certificate
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@venkatesh-prasad-v