Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
3.4
-
None
-
Ubuntu 22.04 / Rocky Linux 9
Description
MariaDB client fails with error when it tries to connect to the MariaDB server as a root user through the socket:
# mariadb --socket=/var/run/mysqld/mysqld.sock
|
ERROR 2026 (HY000): TLS/SSL error: Validation of SSL server certificate failed
|
#
|
The only 2 ways to overcome this so far, is either include "DNS:localhost" to the certificate Subject or Subject Alternative Name list, or supply --skip-ssl-verify-server-cert to the client:
# mariadb --skip-ssl-verify-server-cert --socket=/var/run/mysqld/mysqld.sock
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
Your MariaDB connection id is 52
|
Server version: 11.4.2-MariaDB-ubu2204-log mariadb.org binary distribution
|
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
|
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
|
MariaDB [(none)]> SHOW PROCESSLIST;
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
| Id | User | Host | db | Command | Time | State | Info | Progress |
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
| 1 | system user | | NULL | Sleep | 367 | wsrep aborter idle | NULL | 0.000 |
|
| 2 | system user | | NULL | Sleep | 367 | | NULL | 0.000 |
|
| 8 | system user | | NULL | Sleep | 366 | wsrep applier idle | NULL | 0.000 |
|
| 52 | root | localhost | NULL | Query | 0 | starting | SHOW PROCESSLIST | 0.000 |
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
4 rows in set (0.001 sec)
|
|
|
MariaDB [(none)]>
|
However, second part is slightly more tricky on Debian, since debian-start script still uses /etc/mysql/debian.cnf for a service startup.
So basically after installation mariadb service fails to startup due to the same issue caused by debian-start:
Jul 10 12:56:11 aio1-galera-container-6507f4ff systemd[1]: Started MariaDB 11.4.2 database server.
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3799]: Upgrading MySQL tables if necessary.
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff mariadbd[3775]: 2024-07-10 12:56:11 10 [Warning] Aborted connection 10 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3802]: Reading datadir from the MariaDB server failed. Got the following error when executing the 'mysql' command line client
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3802]: ERROR 2026 (HY000): TLS/SSL error: Validation of SSL server certificate failed
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3802]: FATAL ERROR: Upgrade failed
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3808]: Checking for insecure root accounts.
|
Jul 10 12:56:12 aio1-galera-container-6507f4ff debian-start[3811]: ERROR 2026 (HY000): TLS/SSL error: Validation of SSL server certificate failed
|
Jul 10 12:56:12 aio1-galera-container-6507f4ff mariadbd[3775]: 2024-07-10 12:56:12 11 [Warning] Aborted connection 11 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
|
With that certificate is issued as following:
Certificate:
|
Data:
|
Version: 3 (0x2)
|
Serial Number:
|
38:3f:74:b2:e5:7d:40:55:17:c8:1c:75:89:c7:4e:5d:6d:4b:f3:56
|
Signature Algorithm: sha256WithRSAEncryption
|
Issuer: C = GB, ST = England, CN = Example Corp Openstack Infrastructure Intermediate CA
|
Validity
|
Not Before: Jul 10 12:48:25 2024 GMT
|
Not After : Jul 8 12:48:25 2034 GMT
|
Subject: CN = aio1-galera-container-6507f4ff
|
Subject Public Key Info:
|
Public Key Algorithm: rsaEncryption
|
Public-Key: (4096 bit)
|
Modulus:
|
...
|
Exponent: 65537 (0x10001)
|
X509v3 extensions:
|
X509v3 Subject Alternative Name:
|
DNS:aio1-galera-container-6507f4ff, IP Address:172.29.236.101, IP Address:172.29.236.102
|
X509v3 Subject Key Identifier:
|
D4:36:68:9B:62:A5:DE:DC:0B:8A:43:DC:E5:3B:E5:5B:E7:06:D4:4F
|
X509v3 Authority Key Identifier:
|
2F:51:75:41:49:74:B2:81:B3:84:FB:FE:26:F4:09:DD:AB:09:D8:04
|
Signature Algorithm: sha256WithRSAEncryption
|
Signature Value:
|
...
|
In case I add "DNS:localhost" to the SAN - client stops failing to connect:
/# openssl x509 -in /etc/ssl/certs/galera.pem -noout -text
|
Certificate:
|
Data:
|
Version: 3 (0x2)
|
Serial Number:
|
18:c7:e5:24:3b:ec:83:28:2d:19:8f:79:90:f7:a2:04:f1:d7:7f:1f
|
Signature Algorithm: sha256WithRSAEncryption
|
Issuer: C = GB, ST = England, CN = Example Corp Openstack Infrastructure Intermediate CA
|
Validity
|
Not Before: Jul 10 13:04:14 2024 GMT
|
Not After : Jul 8 13:04:14 2034 GMT
|
Subject: CN = aio1-galera-container-6507f4ff
|
Subject Public Key Info:
|
Public Key Algorithm: rsaEncryption
|
Public-Key: (4096 bit)
|
Modulus:
|
...
|
Exponent: 65537 (0x10001)
|
X509v3 extensions:
|
X509v3 Subject Alternative Name:
|
DNS:aio1-galera-container-6507f4ff, IP Address:172.29.236.101, DNS:localhost, IP Address:172.29.236.102
|
X509v3 Subject Key Identifier:
|
AB:04:32:1C:20:3E:96:6F:55:EA:C0:F6:D2:48:E8:DE:C3:66:5E:5E
|
X509v3 Authority Key Identifier:
|
2F:51:75:41:49:74:B2:81:B3:84:FB:FE:26:F4:09:DD:AB:09:D8:04
|
Signature Algorithm: sha256WithRSAEncryption
|
Signature Value:
|
...
|
# root@aio1-galera-container-6507f4ff:/# mariadb --socket=/var/run/mysqld/mysqld.sock
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
Your MariaDB connection id is 45
|
Server version: 11.4.2-MariaDB-ubu2204-log mariadb.org binary distribution
|
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
|
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
|
MariaDB [(none)]> SHOW VARIABLES LIKE 'have_ssl';
|
+---------------+-------+
|
| Variable_name | Value |
|
+---------------+-------+
|
| have_ssl | YES |
|
+---------------+-------+
|
1 row in set (0.001 sec)
|
|
|
MariaDB [(none)]> SHOW SESSION STATUS LIKE 'Ssl_cipher';
|
+---------------+------------------------+
|
| Variable_name | Value |
|
+---------------+------------------------+
|
| Ssl_cipher | TLS_AES_256_GCM_SHA384 |
|
+---------------+------------------------+
|
1 row in set (0.001 sec)
|
|
|
MariaDB [(none)]> SHOW PROCESSLIST;
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
| Id | User | Host | db | Command | Time | State | Info | Progress |
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
| 1 | system user | | NULL | Sleep | 167 | | NULL | 0.000 |
|
| 2 | system user | | NULL | Sleep | 167 | wsrep aborter idle | NULL | 0.000 |
|
| 7 | system user | | NULL | Sleep | 166 | wsrep applier idle | NULL | 0.000 |
|
| 45 | root | localhost | NULL | Query | 0 | starting | SHOW PROCESSLIST | 0.000 |
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
4 rows in set (0.000 sec)
|
|
|
MariaDB [(none)]>
|
Please, let me know if you're interested in some configuration options.
Attachments
Issue Links
- includes
-
-
- Closed
-
- relates to
-
-
- Closed
-
- links to
Activity
Well, our RootCA is indeed installed in a system-wide store. But even if we are to provide valid TLS certificates, not self-signed one, there's kind of almost no way to get them working today, without issuing them for "DNS:localhost".
And if you're to use any ACME - I don't think it would be even possible to do anything like that.
So in "real world" it's less likely to get "self-signed" error (unless end-user don't care about certificates at all), but very likely to get a hostname missmatch, as issuing certificate for "localhost" is extremely confusing.
that's why the bug is confirmed and assigned, and we hope to get it fixed in the next release
Ah, ok, thanks a lot for taking time on this one. Having it targeted for the next release is especially nice!
Hey,
Sorry, can I ask for any progress on this issue? As we hoped to be able to perform upgrades to 11.4, though this is kind of a blocker at the moment.
So was wondering if it's anywhere in a roadmap or not yet?
Yes, definitely. I've bumped the related MDEV-34730 to Blocker so now it blocks the release, and we won't release until it's fixed
I see, your certificates are installed in a system-wide trusted cert store. unix socket connections ignore the "self-signed certificate" error, but not other errors.
But I suppose it makes sense to ignore host mistmatch error as well, if the connection uses unix socket (or other secure transport, as defined in the source code, e.g. named pipes).