Cluster nodes won't join if SSL is ON


Carlos F.

Oct 29, 2017, 9:44:38 AM
to codership

I have a 3-node cluster configured and running properly.

I've tried to configure SSL on all nodes like this:

wsrep_provider_options="socket.ssl_key=/etc/mysql/certs/server-key.pem;socket.ssl_cert=/etc/mysql/certs/server-cert.pem;socket.ssl_ca=/etc/mysql/certs/ca-cert.pem"
wsrep_sst_method = xtrabackup-v2

[sst]
encrypt = 3
tca = /etc/mysql/certs/ca-cert.pem
tkey = /etc/mysql/certs/server-key.pem
tcert = /etc/mysql/certs/server-cert.pem



Then stop all nodes and start a new cluster with the galera_new_cluster script.

The first node bootstraps, but the other nodes won't join, with:

[Warning] WSREP: last inactive check more than PT1.5S ago (PT3.50334S), skipping check
galera.cluster mysqld[5925]: 2017-10-29 13:37:51 140115588344000 [ERROR] WSREP: failed to open gcomm backend connection: 110: failed to reach primary
galera.cluster mysqld[5925]: at gcomm/src/pc.cpp:connect():158
galera.cluster mysqld[5925]: 2017-10-29 13:37:51 140115588344000 [ERROR] WSREP: gcs/src/gcs_core.cpp:gcs_core_open():208: Failed to open backend connection
galera.cluster mysqld[5925]: 2017-10-29 13:37:51 140115588344000 [ERROR] WSREP: gcs/src/gcs.cpp:gcs_open():1404: Failed to open channel 'galera_cluster'
galera.cluster mysqld[5925]: 2017-10-29 13:37:51 140115588344000 [ERROR] WSREP: gcs connect failed: Connection timed out
galera.cluster mysqld[5925]: 2017-10-29 13:37:51 140115588344000 [ERROR] WSREP: wsrep::connect(gcomm://10.99.0.10) failed: 7
galera.cluster mysqld[5925]: 2017-10-29 13:37:51 140115588344000 [ERROR] Aborting
galera.cluster systemd[1]: mariadb.service: Main process exited, code=exited, status=1/FAILURE
galera.cluster systemd[1]: Failed to start MariaDB database server.



If I disable the SSL provider options, everything goes fine.

Any hints?
Thanks.



Chandra Kapate

Oct 29, 2017, 10:02:39 PM
to codership

Try adding the certificate cipher setting to the options list.
e.g.: wsrep_provider_options=".....;socket.ssl_cipher=AES128-SHA"
and restart the cluster.

Best Regards,
Chandra

Lammert Bies

Oct 30, 2017, 5:55:29 AM
to codership
Depending on your overall configuration, it may be necessary to also switch on SSL for the general MySQL communication by adding:

[mysqld]
ssl-ca=/etc/mysql/certs/ca-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
ssl-cert=/etc/mysql/certs/server-cert.pem

Carlos F.

Oct 30, 2017, 2:15:42 PM
to codership
Cipher option has solved my problem, thanks!
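
An offline consistency check for the settings discussed in this thread, as an added example that is not part of any poster's message or of Galera itself: it parses each node's wsrep_provider_options string and reports half-configured key/cert pairs, nodes left without TLS, and differing socket.ssl_cipher values. The node names, the sample strings and the rule that all nodes should carry matching settings are assumptions of this example.

```python
# Added example; node names and option strings are constructed sample input.
PAIR = ("socket.ssl_key", "socket.ssl_cert")

def parse_provider_options(value):
    """Split a wsrep_provider_options value into {option: value}."""
    opts = {}
    for item in value.strip().strip("\"'").split(";"):
        key, sep, val = item.strip().partition("=")
        if key:
            opts[key.strip()] = val.strip() if sep else ""
    return opts

def tls_enabled(opts):
    # Assumption of this check: a node encrypts group traffic when both
    # the key and the certificate are configured.
    return all(opts.get(k) for k in PAIR)

def audit(nodes):
    """Return findings for a {node_name: wsrep_provider_options} mapping."""
    parsed = {name: parse_provider_options(v) for name, v in nodes.items()}
    findings = []
    for name, opts in sorted(parsed.items()):
        have = [k for k in PAIR if opts.get(k)]
        if len(have) == 1:
            findings.append(f"{name}: {have[0]} is set but its counterpart is missing")
    on = sorted(n for n, o in parsed.items() if tls_enabled(o))
    off = sorted(set(parsed) - set(on))
    if on and off:
        findings.append(f"TLS configured on {on} but not on {off}")
    # Compare the cipher setting only between nodes that have TLS configured.
    ciphers = {n: parsed[n].get("socket.ssl_cipher", "<unset>") for n in on}
    if len(set(ciphers.values())) > 1:
        findings.append(f"socket.ssl_cipher differs between nodes: {ciphers}")
    return findings

CERTS = "/etc/mysql/certs"
BASE = (f"socket.ssl_key={CERTS}/server-key.pem;"
        f"socket.ssl_cert={CERTS}/server-cert.pem;"
        f"socket.ssl_ca={CERTS}/ca-cert.pem")
SAMPLE = {
    "node1": BASE + ";socket.ssl_cipher=AES128-SHA",
    "node2": BASE,                                      # cipher left unset
    "node3": f"socket.ssl_key={CERTS}/server-key.pem",  # certificate forgotten
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```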