[MDEV-25435] Galera cluster will not bootstrap with SST set to use TLS
Created: 2021-04-17
Updated: 2021-05-08

Status: Open
Project: MariaDB Server
Component/s: Galera SST
Fix Version/s: None

Type: Task
Priority: Major
Reporter: none now
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None


 Description   

Hi guys.
I have a Galera basic 3-node cluster set up with TLS and if I use:

[sst]
tkey = /etc/my.cnf.d/certs/sst/sst.key
tcert = /etc/my.cnf.d/certs/sst/sst.crt

cluster will not bootstrap.
If I skip tkey & tcert, the cluster will start just fine, and then I can, on each node, one by one, put those options back in and restart the node; each node will restart, which will result in the cluster, allegedly, having SST with TLS.

I do not suppose this is desired nor expected behaviour thus I'm filing this bug report.

This reproduces easily and every time.
I'm on CentOS Stream with:
-> $ rpm -qa mariad* | sort
mariadb-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
mariadb-backup-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
mariadb-common-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
mariadb-connector-c-3.1.11-2.el8_3.x86_64
mariadb-connector-c-config-3.1.11-2.el8_3.noarch
mariadb-errmsg-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
mariadb-server-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
mariadb-server-galera-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
mariadb-server-utils-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64



 Comments   
Comment by PB [ 2021-05-08 ]

Howdy,
Have you tried adding encrypt= per https://mariadb.com/kb/en/mariabackup-sst-method/#tls ? A default option doesn't appear to be listed in the docs (I might have missed it) so I'm wondering if you not having it specified in your config is causing your issue.

  • encrypt=1 : Note that encrypt=1 refers to a TLS encryption method that has been deprecated and removed.
  • encrypt=2 : TLS using OpenSSL encryption built into socat (encrypt=2)
  • encrypt=3 : TLS using OpenSSL encryption with Galera-compatible certificates and keys (encrypt=3)
  • encrypt=4 : refers to a TLS encryption method in xtrabackup-v2 that has not yet been ported to mariabackup. See MDEV-18050 about that.

[sst]
encrypt = ?
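
Added example, not part of the ticket, of PB's comment, or of MariaDB's own code: a shell check of the [sst] group that flags the configuration from the description (tkey/tcert present, no explicit encrypt) and the modes the quoted list marks as removed or not ported. The function names, the exit codes, and the assumption that mode 3 is the one that reads tkey and tcert are this example's own.

```bash
#!/usr/bin/env bash
# Added example: lint the [sst] group of a MariaDB option file.
# Usage (after sourcing this file): sst_tls_check /path/to/option-file.cnf

# Print the value of option $2 inside [sst] of file $1 (last assignment wins).
sst_opt() {
    awk -v want="$2" '
        /^[ \t]*\[/ { in_sst = ($0 ~ /^[ \t]*\[sst\][ \t]*$/); next }
        in_sst && !/^[ \t]*[#;]/ && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { print val }' "$1"
}

# Exit codes are this example's own convention:
#   0 nothing to flag
#   1 tkey/tcert set but encrypt not set explicitly (the ticket's config)
#   2 encrypt mode the quoted list marks as removed (1) or not ported (4)
#   3 encrypt=3 but tkey or tcert is unset or unreadable
sst_tls_check() {
    local f=$1 enc tkey tcert p
    enc=$(sst_opt "$f" encrypt)
    tkey=$(sst_opt "$f" tkey)
    tcert=$(sst_opt "$f" tcert)
    case "${enc:-unset}" in
        unset|0)
            [ -z "$tkey$tcert" ] && { echo "no SST TLS options configured"; return 0; }
            echo "tkey/tcert set but encrypt=${enc:-unset}: set the mode explicitly"
            return 1 ;;
        1|4)
            echo "encrypt=$enc is listed as removed or not ported to mariabackup"
            return 2 ;;
        3)  # Assumption: mode 3 is the mode that reads tkey and tcert.
            for p in "$tkey" "$tcert"; do
                [ -n "$p" ] && [ -r "$p" ] ||
                    { echo "encrypt=3 but unset or unreadable: '$p'"; return 3; }
            done
            echo "encrypt=3 with readable tkey and tcert"
            return 0 ;;
        *)
            echo "encrypt=$enc: files not checked by this example"
            return 0 ;;
    esac
}
```

Run it as the user the server runs under, since the readability test reflects the calling user's permissions.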
