Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
3.4
-
None
-
Ubuntu 22.04 / Rocky Linux 9
Description
MariaDB client fails with error when it tries to connect to the MariaDB server as a root user through the socket:
# mariadb --socket=/var/run/mysqld/mysqld.sock
|
ERROR 2026 (HY000): TLS/SSL error: Validation of SSL server certificate failed
|
#
|
The only 2 ways to overcome this so far, is either include "DNS:localhost" to the certificate Subject or Subject Alternative Name list, or supply --skip-ssl-verify-server-cert to the client:
# mariadb --skip-ssl-verify-server-cert --socket=/var/run/mysqld/mysqld.sock
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
Your MariaDB connection id is 52
|
Server version: 11.4.2-MariaDB-ubu2204-log mariadb.org binary distribution
|
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
|
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
|
MariaDB [(none)]> SHOW PROCESSLIST;
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
| Id | User | Host | db | Command | Time | State | Info | Progress |
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
| 1 | system user | | NULL | Sleep | 367 | wsrep aborter idle | NULL | 0.000 |
|
| 2 | system user | | NULL | Sleep | 367 | | NULL | 0.000 |
|
| 8 | system user | | NULL | Sleep | 366 | wsrep applier idle | NULL | 0.000 |
|
| 52 | root | localhost | NULL | Query | 0 | starting | SHOW PROCESSLIST | 0.000 |
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
4 rows in set (0.001 sec)
|
|
|
MariaDB [(none)]>
|
However, second part is slightly more tricky on Debian, since debian-start script still uses /etc/mysql/debian.cnf for a service startup.
So basically after installation mariadb service fails to startup due to the same issue caused by debian-start:
Jul 10 12:56:11 aio1-galera-container-6507f4ff systemd[1]: Started MariaDB 11.4.2 database server.
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3799]: Upgrading MySQL tables if necessary.
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff mariadbd[3775]: 2024-07-10 12:56:11 10 [Warning] Aborted connection 10 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3802]: Reading datadir from the MariaDB server failed. Got the following error when executing the 'mysql' command line client
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3802]: ERROR 2026 (HY000): TLS/SSL error: Validation of SSL server certificate failed
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3802]: FATAL ERROR: Upgrade failed
|
Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3808]: Checking for insecure root accounts.
|
Jul 10 12:56:12 aio1-galera-container-6507f4ff debian-start[3811]: ERROR 2026 (HY000): TLS/SSL error: Validation of SSL server certificate failed
|
Jul 10 12:56:12 aio1-galera-container-6507f4ff mariadbd[3775]: 2024-07-10 12:56:12 11 [Warning] Aborted connection 11 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
|
With that certificate is issued as following:
Certificate:
|
Data:
|
Version: 3 (0x2)
|
Serial Number:
|
38:3f:74:b2:e5:7d:40:55:17:c8:1c:75:89:c7:4e:5d:6d:4b:f3:56
|
Signature Algorithm: sha256WithRSAEncryption
|
Issuer: C = GB, ST = England, CN = Example Corp Openstack Infrastructure Intermediate CA
|
Validity
|
Not Before: Jul 10 12:48:25 2024 GMT
|
Not After : Jul 8 12:48:25 2034 GMT
|
Subject: CN = aio1-galera-container-6507f4ff
|
Subject Public Key Info:
|
Public Key Algorithm: rsaEncryption
|
Public-Key: (4096 bit)
|
Modulus:
|
...
|
Exponent: 65537 (0x10001)
|
X509v3 extensions:
|
X509v3 Subject Alternative Name:
|
DNS:aio1-galera-container-6507f4ff, IP Address:172.29.236.101, IP Address:172.29.236.102
|
X509v3 Subject Key Identifier:
|
D4:36:68:9B:62:A5:DE:DC:0B:8A:43:DC:E5:3B:E5:5B:E7:06:D4:4F
|
X509v3 Authority Key Identifier:
|
2F:51:75:41:49:74:B2:81:B3:84:FB:FE:26:F4:09:DD:AB:09:D8:04
|
Signature Algorithm: sha256WithRSAEncryption
|
Signature Value:
|
...
|
In case I add "DNS:localhost" to the SAN - client stops failing to connect:
/# openssl x509 -in /etc/ssl/certs/galera.pem -noout -text
|
Certificate:
|
Data:
|
Version: 3 (0x2)
|
Serial Number:
|
18:c7:e5:24:3b:ec:83:28:2d:19:8f:79:90:f7:a2:04:f1:d7:7f:1f
|
Signature Algorithm: sha256WithRSAEncryption
|
Issuer: C = GB, ST = England, CN = Example Corp Openstack Infrastructure Intermediate CA
|
Validity
|
Not Before: Jul 10 13:04:14 2024 GMT
|
Not After : Jul 8 13:04:14 2034 GMT
|
Subject: CN = aio1-galera-container-6507f4ff
|
Subject Public Key Info:
|
Public Key Algorithm: rsaEncryption
|
Public-Key: (4096 bit)
|
Modulus:
|
...
|
Exponent: 65537 (0x10001)
|
X509v3 extensions:
|
X509v3 Subject Alternative Name:
|
DNS:aio1-galera-container-6507f4ff, IP Address:172.29.236.101, DNS:localhost, IP Address:172.29.236.102
|
X509v3 Subject Key Identifier:
|
AB:04:32:1C:20:3E:96:6F:55:EA:C0:F6:D2:48:E8:DE:C3:66:5E:5E
|
X509v3 Authority Key Identifier:
|
2F:51:75:41:49:74:B2:81:B3:84:FB:FE:26:F4:09:DD:AB:09:D8:04
|
Signature Algorithm: sha256WithRSAEncryption
|
Signature Value:
|
...
|
# root@aio1-galera-container-6507f4ff:/# mariadb --socket=/var/run/mysqld/mysqld.sock
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
Your MariaDB connection id is 45
|
Server version: 11.4.2-MariaDB-ubu2204-log mariadb.org binary distribution
|
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
|
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
|
MariaDB [(none)]> SHOW VARIABLES LIKE 'have_ssl';
|
+---------------+-------+
|
| Variable_name | Value |
|
+---------------+-------+
|
| have_ssl | YES |
|
+---------------+-------+
|
1 row in set (0.001 sec)
|
|
|
MariaDB [(none)]> SHOW SESSION STATUS LIKE 'Ssl_cipher';
|
+---------------+------------------------+
|
| Variable_name | Value |
|
+---------------+------------------------+
|
| Ssl_cipher | TLS_AES_256_GCM_SHA384 |
|
+---------------+------------------------+
|
1 row in set (0.001 sec)
|
|
|
MariaDB [(none)]> SHOW PROCESSLIST;
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
| Id | User | Host | db | Command | Time | State | Info | Progress |
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
| 1 | system user | | NULL | Sleep | 167 | | NULL | 0.000 |
|
| 2 | system user | | NULL | Sleep | 167 | wsrep aborter idle | NULL | 0.000 |
|
| 7 | system user | | NULL | Sleep | 166 | wsrep applier idle | NULL | 0.000 |
|
| 45 | root | localhost | NULL | Query | 0 | starting | SHOW PROCESSLIST | 0.000 |
|
+----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
|
4 rows in set (0.000 sec)
|
|
|
MariaDB [(none)]>
|
Please, let me know if you're interested in some configuration options.
Attachments
Issue Links
- relates to
-
-
- Closed
-
- links to