MDEV-24265: One-way TLS for replication doesn't work using Let's Encrypt certs

Details

    Type: Bug
    Status: Open
    Priority: Major
    Resolution: Unresolved
    Affects Version/s: 10.4.13
    Fix Version/s: 10.4
    Component/s: Replication, SSL
    Labels: None
    Environment: Ubuntu Bionic (18.04)

    Description

      I'm running a set of MariaDB 10.4.13 instances on Ubuntu 18, in a source / replica replication setup. I'm attempting to get the replication connection to use TLS/SSL using a Let's Encrypt certificate setup (so, one-way).

      If I use the CLI client on the replica machine to connect to the source, it connects normally:

      mysql -u replicate -h hostname.example.org -p --ssl --ssl-verify-server-cert

      If I use the IP address instead, it fails complaining the certificate doesn't match the hostname - as is expected. Connecting to the source using SSL in Sequel Ace also works fine.

      So far so good.

      However, when I do the following in the replica MariaDB console:

      STOP SLAVE;
      CHANGE MASTER TO MASTER_SSL = 1, MASTER_SSL_VERIFY_SERVER_CERT=1;
      START SLAVE;

      then the replication is broken, and

      SHOW SLAVE STATUS \G

      gives me

                       Last_IO_Errno: 2026
                       Last_IO_Error: error connecting to master 'replicate@hostname.example.org:3306' - retry-time: 60  maximum-retries: 86400  message: SSL connection error: Failed to verify the server certificate

      I've understood that 2026 is the error code for any OpenSSL error? I assumed it doesn't know how to use the Ubuntu certificate store, so I added MASTER_SSL_CA='/etc/ssl/certs/ca-certificates.crt', which then gives:

                       Last_IO_Errno: 2026
                       Last_IO_Error: error connecting to master 'replicate@hostname.example.org:3306' - retry-time: 60  maximum-retries: 86400  message: SSL connection error: error:00000000:lib(0):func(0):reason(0)

      However, error:00000000:lib(0):func(0):reason(0) doesn't really sound like an error, rather more like success, or like something is missing? One thing I did notice was that it (automatically) set Master_Ssl_Crl to the same file as the CA cert file.

      I've attempted to unset the CRL, and even to set it to /dev/null, but to no avail. I also tried setting the CA cert to the specific Let's Encrypt root, and the cipher to TLS_AES_256_GCM_SHA384 (which is what Sequel Ace uses if I try it there), but no difference.

      Without SSL the replication is working normally.

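The checks behind MASTER_SSL_CA and MASTER_SSL_VERIFY_SERVER_CERT, reproduced with the OpenSSL CLI, as an added example that is not part of the ticket or of MariaDB's own code. It generates a throw-away CA and a server certificate carrying the source's hostname in its SAN (the hostname hostname.example.org and the paths are assumptions taken from the report) and shows which combinations of CA bundle, hostname and CRL path verify; the last case feeds OpenSSL the situation the reporter noticed, a CRL path pointing at the CA file. The ticket does not establish whether the replica actually enables revocation checking when Master_Ssl_Crl is set; that case only shows how OpenSSL's verifier treats such an input.

```shell
#!/usr/bin/env bash
# Added example, not code from the ticket or from MariaDB: reproduces with the
# OpenSSL CLI the checks the replica asks its TLS library to make when
# MASTER_SSL_VERIFY_SERVER_CERT=1 (chain to the configured CA, hostname match)
# plus the revocation check that a configured CRL path brings in.
# Runs offline against a throw-away CA and server certificate in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Assumed name: the ticket's source host is hostname.example.org.
SRC_HOST=hostname.example.org

# Throw-away issuing CA (stands in for the Let's Encrypt chain).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# An unrelated CA, to show what a wrong MASTER_SSL_CA bundle looks like.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# Server certificate for the source with the hostname in the SAN, which is
# where a Let's Encrypt certificate carries it.
printf 'subjectAltName=DNS:%s\n' "$SRC_HOST" > "$WORK/san.cnf"
openssl req -newkey rsa:2048 -nodes -subj "/CN=$SRC_HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 2 -extfile "$WORK/san.cnf" -out "$WORK/server.pem" 2>/dev/null

# verify_source_cert CERT CAFILE HOST: exit 0 when CERT chains to CAFILE and
# its SAN matches HOST, which is what MASTER_SSL_CA together with
# MASTER_SSL_VERIFY_SERVER_CERT require of the source.
verify_source_cert() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# verify_with_crl CERT CAFILE CRLFILE: the same chain check with revocation
# checking turned on against CRLFILE.
verify_with_crl() {
  openssl verify -CAfile "$2" -CRLfile "$3" -crl_check "$1" >/dev/null 2>&1
}

# report LABEL CMD...: print PASS/FAIL for one check without aborting under set -e.
report() {
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

report "right CA, right hostname" \
  verify_source_cert "$WORK/server.pem" "$WORK/ca.pem" "$SRC_HOST"
report "right CA, connecting under another name (the ticket's IP-address case)" \
  verify_source_cert "$WORK/server.pem" "$WORK/ca.pem" "other.example.org"
report "wrong CA bundle" \
  verify_source_cert "$WORK/server.pem" "$WORK/other.pem" "$SRC_HOST"
report "CRL path pointing at the CA file (contains no CRL)" \
  verify_with_crl "$WORK/server.pem" "$WORK/ca.pem" "$WORK/ca.pem"

# Live variant (needs the network, so not run here): the same checks against a
# running source, using OpenSSL's MySQL STARTTLS support. Pass the bundle you
# intend to hand to MASTER_SSL_CA so the two agree on the trust anchor.
live_check() {  # live_check HOST CAFILE
  openssl s_client -connect "$1:3306" -starttls mysql -CAfile "$2" \
    -verify_hostname "$1" -verify_return_error </dev/null
}
```

Run from the replica, `live_check hostname.example.org /etc/ssl/certs/ca-certificates.crt` reports the chain and hostname verdict in OpenSSL's own words, which is more informative than the wrapped error code 2026 in SHOW SLAVE STATUS.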
People

    Assignee: Brandon Nesterenko (bnestere)
    Reporter: Martijn Meijer (vlasbaard)
    Votes: 1
    Watchers: 8