[MXS-1019] permit using self-signed certificate with server Created: 2016-11-21  Updated: 2023-06-13  Resolved: 2017-12-05

Status: Closed
Project: MariaDB MaxScale
Component/s: Core
Affects Version/s: None
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Diego Dupin Assignee: markus makela
Resolution: Cannot Reproduce Votes: 0
Labels: None

Attachments: File galera_certs.tgz    
Issue Links:
PartOf
is part of MXS-1462 MaxScale erroneously connects to MySQ... Closed
Sprint: 2017-45, 2017-46, 2017-47

 Description   

MaxScale must be able to connect to servers using SSL when the servers use self-signed certificates.

To compare with C/J, there are two different possibilities:

  • option trustServerCertificate, which indicates to trust the server certificate
  • or option serverSslCert, which indicates the server certificate file
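An added example of the MaxScale server section this request is about (not the reporter's or the project's configuration; the section name, address, paths and the MaxScale 2.1-era parameter set are assumed):

```ini
[galera-node-1]
type=server
address=192.0.2.10
port=3306
protocol=MySQLBackend
# Backend TLS. A self-signed server certificate chains to no public CA, so
# ssl_ca_cert must name the private CA that issued it, or the server
# certificate itself when the server is its own issuer. The client certificate
# and key are what MaxScale presents to the backend.
ssl=required
ssl_ca_cert=/etc/maxscale/certs/ca-cert.pem
ssl_cert=/etc/maxscale/certs/client-cert.pem
ssl_key=/etc/maxscale/certs/client-key.pem
ssl_version=MAX
```

Of the two Connector/J options named above, this corresponds to serverSslCert: the backend's certificate is verified against the file in ssl_ca_cert, so a self-signed certificate works when that file contains its issuer, and fails verification when it does not.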


 Comments   
Comment by markus makela [ 2017-03-20 ]

MaxScale just uses the PEM format and self-signed certificates work.

Comment by Arjen Lentz [ 2017-11-06 ]

Hi markus makela, did you verify this? I appreciate you saying that in principle it should work, but questions are being raised as to whether it actually does. With that in mind, only a positive verification ("yes, we've tested this and it works") should qualify as a reason to close the issue?
thanks

Comment by Nick Gabler [ 2017-11-06 ]

So for some reason self-signed certificates are not working for me. Here's my startup log for MaxScale:
https://pastebin.com/raw/3Adt8cXf

I'm aware of the issue noted at:
https://mariadb.com/kb/en/library/mariadb-ssl-connection-issues/

And have created all my certs with different CNs, etc. Also, I should note that these exact same certs are working just fine with my 4-node, 1-arbitrator cluster:
https://pastebin.com/raw/LFUBwgUe

Oh also here's the cert test:
https://pastebin.com/raw/SDsigLyz

Certs were generated following:
http://galeracluster.com/documentation-webpages/sslcert.html

MaxScale config:
https://pastebin.com/raw/QHLJBZ0T

Also openssl version if that matters:
[root@minecraft galera]# openssl
OpenSSL> version
OpenSSL 1.0.2k-fips 26 Jan 2017

And OS:
[root@minecraft galera]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)

More SSL info:
https://pastebin.com/raw/4PQP129y

MariaDB version:
MariaDB-common-10.2.9-1.el7.centos.x86_64
MariaDB-client-10.2.9-1.el7.centos.x86_64
MariaDB-server-10.2.9-1.el7.centos.x86_64
MariaDB-compat-10.2.9-1.el7.centos.x86_64
MariaDB-devel-10.2.9-1.el7.centos.x86_64

MaxScale:
maxscale-2.1.10-1.x86_64

All versions same across cluster.

One thing I noticed was the version_ssl_library was an older version of openssl than what I had installed on my OS, but that's probably a separate issue:

version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013

Any chance this can get another look?

Comment by Arjen Lentz [ 2017-11-06 ]

This seems to be a bug, and possibly a regression as per Markus' statement that it should work - if something worked before but now doesn't, that's a regression bug, not a feature request.

Re-opening as per request by community member on #maria IRC channel, who provided additional test data indicating that indeed the feature does not currently work.
Please review.
thanks!

Comment by markus makela [ 2017-11-08 ]

These errors are actually from the Connector-C library.

2017-11-05 23:20:35   error  : [MySQLAuth] Failure loading users data from backend [165.227.80.129:3306] for service [Read-Only Service]. MySQL error 2026, SSL connection error: self signed certificate in certificate chain

This would suggest that the problem is somewhere how the connector is used with self-signed certificates. I'll continue investigating.

Comment by markus makela [ 2017-11-08 ]

Might be related to MXS-1462.

Comment by markus makela [ 2017-11-08 ]

Tested with certs generated by the following script (test results):

#!/bin/sh
set -e

# Creates CA key and certificate (the self-signed root that signs the other two)
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem -subj "/CN=certificate-authority/"

# The server key and certificate: CSR, key rewritten as traditional RSA PEM,
# then signed by the CA
openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem -subj "/CN=server/"
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# The client key and certificate: same steps, different CN
openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem -subj "/CN=client/"
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

No immediate problems found on CentOS 7.

Comment by markus makela [ 2017-11-17 ]

Repeated the procedure with 2.1 and certificates generated with the MariaDB test suite script. No errors detected and connection creation was successful.

BananaHand, arjen: please try to repeat this with the short script posted above or the MariaDB test suite script.

Comment by Nick Gabler [ 2017-11-20 ]

Markus, I've attached the certs/keys (don't worry, it's for my Minecraft server, so no issue if the key is public) that prompted me to open this bug report: galera_certs.tgz

I haven't had a chance to test the cert gen script you provided yet but will hopefully have some free time tonight. In the meantime you might be able to pick out the issue from the certs I uploaded. One thing I'm noticing from a quick glance is that I set all the extra location info, etc., whereas your certs are just a CN with no extra info. Perhaps I misread the instructions on http://galeracluster.com/documentation-webpages/sslcert.html; when I ran those cert gen commands it was asking for more info besides the CN. Maybe that doc page should be updated with the commands you provided above that specify "-subj ..."?

Comment by markus makela [ 2017-11-28 ]

Those certificates appear to be working correctly when used by the client, MaxScale and the backend server. Both a connection through MaxScale and a direct connection will use the same TLS version and cipher.

MariaDB [(none)]> show status like 'ssl_version';
+---------------+---------+
| Variable_name | Value   |
+---------------+---------+
| Ssl_version   | TLSv1.2 |
+---------------+---------+
1 row in set (0.00 sec)
 
MariaDB [(none)]> show status like 'ssl_cipher';
+---------------+-----------------------------+
| Variable_name | Value                       |
+---------------+-----------------------------+
| Ssl_cipher    | ECDHE-RSA-AES256-GCM-SHA384 |
+---------------+-----------------------------+
1 row in set (0.00 sec)

Comment by markus makela [ 2017-12-04 ]

BananaHand, please try to generate the certs using the example scripts and report back with the results.

Comment by markus makela [ 2017-12-05 ]

Cannot reproduce this even with the provided certificates.

Generated at Thu Feb 08 04:03:38 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.