Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.5.13, 10.6.5
Fix Version/s: None
Environment: Debian 11 / 5.10.0-11-amd64
             Ubuntu 20.04 / 5.15.1
Description
For the rsync method, the configuration passed to stunnel is
    verifyChain = yes
    checkHost = CN
For mariabackup:
    Jan 30 00:10:24 host01.domain.com -wsrep-sst-donor[26004]: Evaluating '/usr//bin/mbstream' -c 'xtrabackup_galera_info' | socat -u stdio openssl-connect:host02.domain.com:4444,cert='/etc/mysql/ssl/cert.pem',key='/etc/mysql/ssl/key.pem',cafile='/etc/mysql/ssl/ca.pem',commonname='CN '; RC=( ${PIPESTATUS[@]} )
After investigation I found that the output returned by openssl -subject is
    subject=CN = host01.domain.com
both for letsencrypt issued certificates and for ones generated with easyrsa with EASYRSA_DN=cn_only (default),
but the extraction code in the wsrep scripts assumes that there will be a comma separated list:
    CN=$("$OPENSSL_BINARY" x509 -noout -subject -in "$tpem" | \
         tr "," "\n" | grep -F 'CN =' | cut -d= -f2 | sed s/^\ // | \
         sed s/\ %//)
so after "tr" it's still `subject=CN = hostname`.
The simplest workaround that comes to my mind is to replace the `tr|grep` part with `grep -Eo 'CN =[^,$]+'`,
or, since the scripts are written in bash anyway, why not use built-in bash magic:
    root@host01:~# if [[ `openssl x509 -in /etc/mysql/ssl/cert.pem -noout -subject` =~ CN\ ?=([^,$]+) ]] ; then echo "${BASH_REMATCH[1]}" ; fi
    host01.domain.com
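As an added example (not code from the report or from the MariaDB scripts), the following POSIX shell script runs the quoted extraction pipeline and the reporter's grep -Eo workaround over two constructed subject lines, showing the `CN ` value that ends up in socat's commonname= for a CN-only certificate. The bash-regex variant is left out so the script also runs under plain sh; the subject lines and function names are assumptions.

```shell
#!/bin/sh
# Added example: reproduces the CN extraction bug described in the report and
# the reporter's grep -Eo workaround, using constructed input (no openssl call).

# Constructed sample "openssl x509 -noout -subject" output. The first line is
# the CN-only form the reporter saw for Let's Encrypt and easyrsa cn_only
# certificates; the second is the multi-attribute layout the shipped pipeline
# was written for.
CN_ONLY='subject=CN = host01.domain.com'
MULTI_RDN='subject=C = US, O = Example Org, CN = host01.domain.com'

# Pipeline quoted from the wsrep SST script (stdin: the subject line). With a
# CN-only subject, tr has no comma to split on, grep still matches the whole
# line, and cut -d= -f2 returns the text between the first two "=": "CN ".
extract_cn_shipped() {
    tr "," "\n" | grep -F 'CN =' | cut -d= -f2 | sed 's/^ //' | sed 's/ %//'
}

# Reporter's workaround: match the CN attribute itself with grep -Eo, so the
# result no longer depends on a comma preceding it.
extract_cn_fixed() {
    grep -Eo 'CN =[^,$]+' | cut -d= -f2 | sed 's/^ //'
}

# Value that would be handed to socat's commonname= (or stunnel's checkHost)
# for a given subject line and extractor. "CN " means the peer certificate
# would be checked against the literal host name "CN", not the real host.
commonname_for() {
    printf '%s\n' "$1" | "$2"
}

for subj in "$CN_ONLY" "$MULTI_RDN"; do
    printf 'subject line : %s\n' "$subj"
    printf '  shipped    : commonname=%s\n' "'$(commonname_for "$subj" extract_cn_shipped)'"
    printf '  workaround : commonname=%s\n' "'$(commonname_for "$subj" extract_cn_fixed)'"
done
```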