MariaDB Server / MDEV-35812

Galera SST fails with TLS certificate containing an intermediate CA

Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 11.4.4
    • Fix Version/s: None
    • Component/s: Galera
    • Labels: None
    • Environment: MariaDB Community container running in Kubernetes v1.31

    Description

      Hey there! I am providing the following certificate to a MariaDB Community 11.4.4. It consists of 2 PEM blocks, in this order:

      • Leaf certificate
      • Intermediate CA certificate

      The certificates have been issued by cert-manager, which uses the Go x509 library to issue certificates.

      It seems like Galera is not able to parse multiple PEM blocks, returning the following error when setting up the donor:

      mariadb 2025-01-09 18:02:20 0 [Note] WSREP: Failed to establish connection: unexpected eof while reading (SSL routines)

      The donor node comes up anyway and when the SST is requested by a joiner, a crash happens. (see attached logs)

      Including an intermediate CA as part of the certificate is valid and accepted by MariaDB. Standalone and replication topologies work normally with MariaDB 11.4.4. I have tested previous versions (11.4.3), but they also result in SSL errors (but not parsing errors) when this certificate structure is provided. It is also a very common PKI practice nowadays, as it allows building trust in complex scenarios where multiple intermediate CAs are involved.

      I have found the following issues during my investigation, which might provide some context:

      I have attached the logs, configuration files and the PKI material.
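      The check below is an added illustration and is not part of this report, nor code from MariaDB or Galera. It builds a throwaway root/intermediate/leaf PKI with Ruby's standard openssl library, lays the chain file out in the order described above (leaf first, then the intermediate CA), and contrasts a reader that takes only the first PEM block with one that loads every block before verifying; all certificate names are assumptions.

```ruby
require "openssl"

# Splits a PEM file into every CERTIFICATE block; OpenSSL::X509::Certificate.new alone
# reads only the first block, so the intermediate after the leaf would be lost.
def load_chain(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Verifies chain[0] as the leaf against the root CA, with the rest as untrusted
# intermediates. Returns [ok, reason].
def verify_chain(chain, root_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(root_pem))
  ok = store.verify(chain.first, chain.drop(1))
  [ok, store.error_string]
end

# Constructed throwaway cert (CA when ca: is true), signed by parent or self-signed;
# test data only, not the PKI material attached to the report.
def issue(serial, cn, ca:, parent: nil, parent_key: nil)
  key = OpenSSL::PKey::EC.generate("prime256v1")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = parent ? parent.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(parent_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Root -> intermediate -> leaf; chain file laid out as in the report: leaf, then intermediate.
def build_test_pki
  root, root_key = issue(1, "test-root", ca: true)
  inter, inter_key = issue(2, "test-intermediate", ca: true, parent: root, parent_key: root_key)
  leaf, _leaf_key = issue(3, "galera-node", ca: false, parent: inter, parent_key: inter_key)
  [leaf.to_pem + inter.to_pem, root.to_pem]
end

if __FILE__ == $PROGRAM_NAME
  chain_pem, root_pem = build_test_pki
  first_only = [OpenSSL::X509::Certificate.new(chain_pem)]
  puts "first block only: #{verify_chain(first_only, root_pem).inspect}"
  puts "all blocks:       #{verify_chain(load_chain(chain_pem), root_pem).inspect}"
end
```

      Running it shows the first-block-only reader failing with "unable to get local issuer certificate" while the reader that loads both blocks verifies the leaf, which is the behaviour difference a chain-aware consumer of server.crt needs.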

      Attachments

        1. ca.crt (0.5 kB)
        2. client.crt (1 kB)
        3. client.key (0.2 kB)
        4. donor.log (33 kB)
        5. galera.cnf (0.9 kB)
        6. joiner.log (17 kB)
        7. mariabackup.backup.log (0.3 kB)
        8. server.crt (2 kB)
        9. server.key (0.2 kB)
        10. tls.cnf (0.1 kB)

          People

            Assignee: Unassigned
            Reporter: Martin Montes (martin.montes)
            Votes: 2
            Watchers: 3