[MDEV-24265] One-way TLS for replication doesn't work using Let's Encrypt certs Created: 2020-11-23  Updated: 2022-02-22

Status: Open
Project: MariaDB Server
Component/s: Replication, SSL
Affects Version/s: 10.4.13
Fix Version/s: 10.4

Type: Bug Priority: Major
Reporter: Martijn Meijer Assignee: Brandon Nesterenko
Resolution: Unresolved Votes: 1
Labels: None
Environment: Ubuntu Bionic (18.04)

Description

I'm running a set of MariaDB 10.4.13 instances on Ubuntu 18, in a source / replica replication setup. I'm attempting to get the replication connection to use TLS/SSL using a Let's Encrypt certificate setup (so, one-way).

If I use the CLI client on the replica machine to connect to the source, it connects normally:

mysql -u replicate -h hostname.example.org -p --ssl --ssl-verify-server-cert

If I use the IP address instead, it fails complaining the certificate doesn't match the hostname - as is expected. Connecting to the source using SSL in Sequel Ace also works fine.

So far so good.

However, when I do the following in the replica MariaDB console:

STOP SLAVE;
CHANGE MASTER TO MASTER_SSL = 1, MASTER_SSL_VERIFY_SERVER_CERT=1;
START SLAVE;

then the replication is broken, and

SHOW SLAVE STATUS \G

gives me

                Last_IO_Errno: 2026
                Last_IO_Error: error connecting to master 'replicate@hostname.example.org:3306' - retry-time: 60  maximum-retries: 86400  message: SSL connection error: Failed to verify the server certificate

I've understood 2026 is an error code for any OpenSSL error? I assumed it doesn't know how to use the Ubuntu certificate store, so I added MASTER_SSL_CA='/etc/ssl/certs/ca-certificates.crt', which then gives:

                Last_IO_Errno: 2026
                Last_IO_Error: error connecting to master 'replicate@hostname.example.org:3306' - retry-time: 60  maximum-retries: 86400  message: SSL connection error: error:00000000:lib(0):func(0):reason(0)

However, error:00000000:lib(0):func(0):reason(0) doesn't really sound like an error, rather more like success or like something is missing? One thing I did notice was that it (automatically) set Master_Ssl_Crl to the same file as the ca cert file.

I've attempted to unset the CRL, and even to set it to /dev/null, but to no avail. I also tried setting the CA cert to the specific Let's Encrypt root, and the cipher to TLS_AES_256_GCM_SHA384 (which is what Sequel Ace uses if I try it there), but no difference.

Without SSL the replication is working normally.

Comments
Comment by Krasimir Ganchev [ 2021-02-09 ]

I am experiencing the same issue with both master and slave servers running on version 10.5.8 in a Debian bullseye env.

Comment by Petr Šťastný [ 2021-12-06 ]

I had a similar issue with the exact same error message. The problem was an unsupported TLS version on the other side.

Try downgrading MinProtocol in /etc/ssl/openssl.cnf and restarting the MySQL process.
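An added diagnostic, not code from this issue or from MariaDB: it probes the source's MySQL port from the replica with openssl s_client and separates the two failure modes raised in this thread, a chain/hostname verification failure (the description) and a protocol-version handshake failure (the comment above). The host name, port and CA bundle path are the ones from the report; the classification labels are my own.

```shell
#!/bin/sh
# Added diagnostic, not code from the MariaDB issue or project. Probes the source
# the way the replica IO thread must: chain verified against an explicit CA file,
# hostname checked, negotiated protocol reported. "-starttls mysql" needs
# OpenSSL 1.1.1 or newer. Host, port and CA path default to values from the report.

# Run openssl s_client against the source's MySQL port and return its full report.
probe_source_tls() {
  host=${1:-hostname.example.org}
  port=${2:-3306}
  cafile=${3:-/etc/ssl/certs/ca-certificates.crt}
  openssl s_client -connect "$host:$port" -starttls mysql -servername "$host" \
      -verify_hostname "$host" -CAfile "$cafile" </dev/null 2>&1
}

# Numeric X.509 verify result from the report (0 means chain and hostname are OK).
verify_code() {
  printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Negotiated protocol from the report, or "none" when no session was established.
negotiated_protocol() {
  p=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
  printf '%s\n' "${p:-none}"
}

# Map the report onto the failure modes discussed in the issue:
#   handshake-failed      no cipher agreed, e.g. a protocol-version alert (check MinProtocol)
#   cert-verify-failed:N  handshake OK but chain/hostname rejected (check MASTER_SSL_CA)
#   ok:PROTO              verification passed; PROTO is what was negotiated
classify_probe() {
  report=$1
  if printf '%s\n' "$report" | grep -q 'Cipher is (NONE)'; then
    echo "handshake-failed"
  elif [ "$(verify_code "$report")" != "0" ]; then
    echo "cert-verify-failed:$(verify_code "$report")"
  else
    echo "ok:$(negotiated_protocol "$report")"
  fi
}

# Usage from the replica host:
#   classify_probe "$(probe_source_tls hostname.example.org 3306)"
```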

Generated at Thu Feb 08 09:28:40 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.