[MDEV-31638] Galera cluster handshakes failed when applying new SSL certificate Created: 2023-07-06  Updated: 2023-07-24

Status: Open
Project: MariaDB Server
Component/s: Galera
Affects Version/s: 10.5.10, 10.4.26
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Trung-Nhan Truong Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Environment:

Docker image mariadb:10.4.26, mariadb:10.5.10

Description

After putting the new SSL certificate in the configured path, I tried to reload the SSL certificate of the MariaDB process using `FLUSH SSL;` as the root user.

According to MDEV-25470, the command also triggers `socket.ssl_reload`. But I still receive the errors below when restarting the mariadb process:

WSREP: Handshake failed: tlsv1 alert unknown ca
WSREP: Handshake failed: tlsv1 alert unknown ca
WSREP: Handshake failed: tlsv1 alert unknown ca
WSREP: Handshake failed: tlsv1 alert unknown ca
WSREP: /home/buildbot/buildbot/build/gcs/src/gcs_core.cpp:gcs_core_open():221: Failed to open backend connection: -110 (Connection timed out)
WSREP: gcs connect failed: Connection timed out

I also tried to set `socket.ssl_reload` dynamically with `SET GLOBAL wsrep_provider_options='socket.ssl_reload=1';`. But I cannot find that option after setting it, in the output of `SHOW GLOBAL VARIABLES LIKE 'wsrep_provider_options';`. And the errors still happened when I restarted the mariadb process.

Comments
Comment by Trung-Nhan Truong [ 2023-07-24 ]

I found out that I must use the `ssl_capath` option to be able to reload the certificate; before, I had used only the `ssl_ca` option.

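An added preflight check for the reload scenario above (example script, not from the reporter or the MariaDB project): it assumes the directory given to `ssl_capath` and a node certificate path, confirms that the directory carries the subject-hash file names OpenSSL needs to look CAs up in a CApath, and only then runs `openssl verify` against it, since a CA that OpenSSL cannot locate surfaces on the Galera side as the "unknown ca" alert quoted in the description.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumed inputs: the ssl_capath
# directory and one node certificate. OpenSSL finds CAs in a CApath only via
# subject-hash names (<8 hex>.N, produced by `openssl rehash DIR`); a CA PEM
# merely copied into the directory is never consulted.

# Return 0 if DIR contains at least one hash-named entry such as 3a1b2c4d.0.
capath_has_hash_links() {
  dir=$1
  [ -d "$dir" ] || return 1
  for f in "$dir"/*; do
    name=${f##*/}
    case $name in
      [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) return 0 ;;
    esac
  done
  return 1
}

# Verify CERT against CAPATH. Returns 2 (without calling openssl) when the
# directory has no hashed entries, otherwise openssl's own verdict.
verify_cert_against_capath() {
  capath=$1
  cert=$2
  if ! capath_has_hash_links "$capath"; then
    echo "capath $capath has no hashed CA entries; run: openssl rehash $capath" >&2
    return 2
  fi
  openssl verify -CApath "$capath" "$cert"
}
```

Run the check on every node before `FLUSH SSL;` or a restart; a node whose certificate does not verify here will be rejected by its peers during the Galera handshake.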
Generated at Thu Feb 08 10:25:22 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.