Based on a discussion with sysprg, the SST script changes from MDEV-26360 allow users to configure a CA directory by setting ssl_ca, like this:
[mariadb]
...
wsrep_ssl_mode = SERVER_X509
ssl_ca = /certs/ca-cert/
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem
This implementation is likely to result in problems. ssl_ca is a system variable owned by MariaDB Server. MariaDB Server expects the ssl_ca system variable to refer to an absolute path to a single PEM file:
ssl_ca
Description: Defines a path to a PEM file that should contain one or more X509 certificates for trusted Certificate Authorities (CAs) to use for TLS. This system variable requires that you use the absolute path, not a relative path. This system variable implies the ssl option.
https://mariadb.com/kb/en/ssltls-system-variables/#ssl_ca
If a Galera user tries to set the ssl_ca system variable to a path to a directory, MariaDB Server is likely to encounter an error during startup when it tries to treat the value as a path to a PEM file.
However, there is an easy solution. MariaDB Server provides the ssl_capath system variable to refer to a directory:
ssl_capath
Description: Defines a path to a directory that contains one or more PEM files that should each contain one X509 certificate for a trusted Certificate Authority (CA) to use for TLS. This system variable requires that you use the absolute path, not a relative path. The directory specified by this variable needs to be run through the openssl rehash command. This system variable implies the ssl option.
https://mariadb.com/kb/en/ssltls-system-variables/#ssl_capath
If we would like Galera users to be able to specify a path to a directory of CA certificates, we should probably use ssl_capath for this, not ssl_ca.
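To make the distinction concrete, here is an added example (not part of MDEV-26360 or the MariaDB code base) that checks a [mariadb] section the way the server's documentation describes the two variables: ssl_ca must be an absolute path to an existing PEM file, and ssl_capath must be an absolute path to a directory that has been run through `openssl rehash`. The /certs layout, the placeholder certificate and the fake_rehash helper are constructed stand-ins.

```python
import configparser, os, re, shutil, tempfile

# openssl rehash names each entry <8 hex digits of the subject hash>.<n>
REHASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")

def check_tls_ca_settings(config_text):
    """Return a list of problems with ssl_ca / ssl_capath in the [mariadb] section."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(config_text)
    opts = cp["mariadb"] if cp.has_section("mariadb") else {}
    problems = []
    ca = opts.get("ssl_ca")
    if ca:
        if not os.path.isabs(ca):
            problems.append("ssl_ca must be an absolute path")
        if os.path.isdir(ca):  # the MDEV-26360 form: a directory in ssl_ca
            problems.append("ssl_ca points to a directory; a directory of CA certs belongs in ssl_capath")
        elif not os.path.isfile(ca):
            problems.append("ssl_ca does not refer to an existing PEM file")
    capath = opts.get("ssl_capath")
    if capath:
        if not os.path.isabs(capath):
            problems.append("ssl_capath must be an absolute path")
        if not os.path.isdir(capath):
            problems.append("ssl_capath must refer to a directory")
        elif not any(REHASH_NAME.match(n) for n in os.listdir(capath)):
            problems.append("ssl_capath directory has no hash-named entries; run 'openssl rehash' on it")
    return problems

def build_demo_tree():
    """Constructed stand-in for /certs: returns (ca_dir, ca_file)."""
    root = tempfile.mkdtemp(prefix="certs-")
    ca_dir = os.path.join(root, "ca-cert")
    os.mkdir(ca_dir)
    ca_file = os.path.join(ca_dir, "ca.pem")
    with open(ca_file, "w") as fh:  # placeholder PEM, not a real certificate
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
    return ca_dir, ca_file

def fake_rehash(ca_dir):
    """Stand-in for `openssl rehash`: adds one hash-style name (constructed, not a real subject hash)."""
    shutil.copyfile(os.path.join(ca_dir, "ca.pem"), os.path.join(ca_dir, "0123abcd.0"))

def config_for(**settings):
    """Build a minimal [mariadb] section with the given TLS settings."""
    lines = ["[mariadb]", "wsrep_ssl_mode = SERVER_X509"] + [f"{k} = {v}" for k, v in settings.items()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    ca_dir, ca_file = build_demo_tree()
    print(check_tls_ca_settings(config_for(ssl_ca=ca_dir + "/")))  # directory in ssl_ca: flagged
    fake_rehash(ca_dir)
    print(check_tls_ca_settings(config_for(ssl_capath=ca_dir)))    # rehashed directory in ssl_capath: ok
```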