Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.4.13
Fix Version/s: None
Environment: Ubuntu Bionic (18.04)
Description
I'm running a set of MariaDB 10.4.13 instances on Ubuntu 18, in a source / replica replication setup. I'm attempting to get the replication connection to use TLS/SSL using a Let's Encrypt certificate setup (so, one-way).
If I use the CLI client on the replica machine to connect to the source, it connects normally:
mysql -u replicate -h hostname.example.org -p --ssl --ssl-verify-server-cert
If I use the IP address instead, it fails, complaining that the certificate doesn't match the hostname, as is expected. Connecting to the source using SSL in Sequel Ace also works fine.
So far so good.
However, when I run the following in the replica MariaDB console:
STOP SLAVE;
CHANGE MASTER TO MASTER_SSL = 1, MASTER_SSL_VERIFY_SERVER_CERT=1;
START SLAVE;
then the replication is broken, and
SHOW SLAVE STATUS \G
gives me
Last_IO_Errno: 2026
Last_IO_Error: error connecting to master 'replicate@hostname.example.org:3306' - retry-time: 60 maximum-retries: 86400 message: SSL connection error: Failed to verify the server certificate
I've understood that 2026 is the error code for any OpenSSL error? I assumed it doesn't know how to use the Ubuntu certificate store, so I added MASTER_SSL_CA='/etc/ssl/certs/ca-certificates.crt', which then gives:
Last_IO_Errno: 2026
Last_IO_Error: error connecting to master 'replicate@hostname.example.org:3306' - retry-time: 60 maximum-retries: 86400 message: SSL connection error: error:00000000:lib(0):func(0):reason(0)
However, error:00000000:lib(0):func(0):reason(0) doesn't really sound like an error, but rather like success, or like something is missing? One thing I did notice was that it (automatically) set Master_Ssl_Crl to the same file as the CA cert file.
I've attempted to unset the CRL, and even to set it to /dev/null, but to no avail. I also tried setting the CA cert to the specific Let's Encrypt root, and the cipher to TLS_AES_256_GCM_SHA384 (which is what Sequel Ace uses if I try it there), but no difference.
Without SSL the replication is working normally.
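The following diagnostic script is an added example and is not part of the report above nor MariaDB's own tooling. It isolates the question the report leaves open: does the CA bundle handed to MASTER_SSL_CA actually validate the source's certificate and hostname when the handshake is done by the OpenSSL command-line client instead of the replication I/O thread? It relies on `openssl s_client -starttls mysql` (available since OpenSSL 1.1.1) and `-verify_hostname`; the host, port and CA path are placeholders taken from the report, and the PEM counter at the end checks that the file given as CA (and the CRL path MariaDB filled in from it) contain what each option expects.

```shell
#!/bin/sh
# Added diagnostic for MariaDB replication over TLS (not from the bug report).
# Assumptions: OpenSSL >= 1.1.1 on PATH; host/port/CA path are placeholders.
set -eu

# Extract the numeric "Verify return code" from openssl s_client output.
# "0" means chain and hostname verified; any other value is an X509 error code.
parse_verify_code() {
    sed -n 's/^ *Verify return code: *\([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Translate the codes an operator is most likely to hit into a cause.
explain_verify_code() {
    case "$1" in
        0)  echo "ok: chain and hostname verified against this CA file" ;;
        10) echo "certificate expired (X509_V_ERR_CERT_HAS_EXPIRED)" ;;
        18) echo "self-signed leaf certificate (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)" ;;
        19) echo "root not in CA file (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)" ;;
        20) echo "issuer missing from CA file (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)" ;;
        21) echo "server sent leaf only, chain incomplete (X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)" ;;
        62) echo "name does not match certificate (X509_V_ERR_HOSTNAME_MISMATCH)" ;;
        *)  echo "verify result $1 (see the openssl-verify man page)" ;;
    esac
}

# Count PEM certificate and CRL blocks in a file. MASTER_SSL_CA expects
# CERTIFICATE blocks; MASTER_SSL_CRL expects X509 CRL blocks. Output: "<certs> <crls>".
pem_block_counts() {
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    crls=$(grep -c '^-----BEGIN X509 CRL-----' "$1" || true)
    echo "$certs $crls"
}

# Perform the same handshake the replica would, using the MySQL protocol
# STARTTLS sequence, and verify chain plus hostname with the given CA file.
# Returns 0 only when OpenSSL reports verify code 0.
probe_mariadb_tls() {
    host=$1; port=$2; cafile=$3
    out=$(openssl s_client -connect "$host:$port" -starttls mysql \
            -CAfile "$cafile" -verify_hostname "$host" </dev/null 2>&1) || true
    code=$(printf '%s\n' "$out" | parse_verify_code)
    [ -n "$code" ] || code="handshake-failed"
    printf '%s: %s\n' "$code" "$(explain_verify_code "$code")"
    [ "$code" = "0" ]
}

# Usage: sh probe.sh hostname.example.org /etc/ssl/certs/ca-certificates.crt
# Only runs the network probe when invoked with arguments.
if [ "$#" -ge 2 ]; then
    echo "PEM blocks in $2 (certs crls): $(pem_block_counts "$2")"
    probe_mariadb_tls "$1" 3306 "$2"
fi
```

Run it from the replica host, with the same hostname used in MASTER_HOST and the same file given to MASTER_SSL_CA. A verify code of 0 here means the CA file and hostname are sufficient for OpenSSL, which narrows the failure to how the replication client is applying those options; codes 19, 20 or 21 point at the bundle or the chain the source presents, and 62 reproduces the IP-address case the report describes.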