Liblor/applied_sec_lab

Setup tls for db

Closed this issue · 10 comments

TODO:

  • Require TLS for clients
  • Use TLS between db-servers
  • TLS for SST
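As an added example (not code from the Liblor/applied_sec_lab repository), the three TODO items map onto three places in the MariaDB/Galera configuration: the [mysqld] ssl_* options for clients, wsrep_provider_options socket.ssl_* for node-to-node traffic, and the [sst] section for the snapshot transfer. The option names below come from the MariaDB and Galera documentation; the file paths, the function name and the assumption that the three PEM files are reused for all three purposes are mine.

```shell
#!/bin/sh
# Render a MariaDB/Galera TLS config fragment covering the three TODO items.
# Added example, not from the applied_sec_lab repo. Option names are from the
# MariaDB/Galera docs; paths are assumed.
#   $1 = CA bundle, $2 = server certificate chain, $3 = server key, $4 = output file
render_tls_cnf() {
    ca=$1 cert=$2 key=$3 out=$4
    cat > "$out" <<EOF
[mysqld]
# 1. Client connections: present chain + key, trust only our CA.
ssl_ca   = $ca
ssl_cert = $cert
ssl_key  = $key
# Reject plaintext clients (MariaDB 10.5+). On older servers the equivalent
# is per-account: CREATE USER ... REQUIRE SSL
require_secure_transport = ON

# 2. Galera replication traffic between db-servers.
wsrep_provider_options = "socket.ssl_key=$key;socket.ssl_cert=$cert;socket.ssl_ca=$ca"

[sst]
# 3. State snapshot transfer (mariabackup SST): encrypt=4 uses the same PEM files.
encrypt = 4
tca   = $ca
tcert = $cert
tkey  = $key
EOF
}

# Usage (paths assumed): render_tls_cnf /etc/mysql/keys/ca.crt \
#   /etc/mysql/keys/asldb01_tls.crt /etc/mysql/keys/asldb01_tls.key \
#   /etc/mysql/conf.d/tls.cnf
if [ $# -eq 4 ]; then
    render_tls_cnf "$@"
fi
```

The fragment is only the TLS part; the usual wsrep settings (cluster address, SST method, and so on) are expected to come from the existing Galera config. Note that Galera builds the node-to-node connection to the address in the cluster list, so the certificates have to be valid for whatever name or address the nodes use to reach each other.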

Certificate can't be read... :(

SSL error: Unable to get certificate from '/etc/pki/tls/certs/asldb01_tls.crt'
2019-10-26 16:12:45 0 [Warning] Failed to setup SSL
2019-10-26 16:12:45 0 [Warning] SSL error: Unable to get certificate

nvm: permission problem 🤦‍♂️

todo:
openssl rsa -in keyname.key -out /etc/mysql/keyname.key
https://bugs.mysql.com/bug.php?id=71271

I pushed a change to the cert-server branch so that TLS certificates are now certificate chains including the intermediate certificate. With that, the TLS certificates should actually be verifiable now.

  1. The private key has to be in PKCS#1
  2. The private key has to be in /etc/mysql (maybe because of AppArmor? However, there are no denied messages in /var/log/syslog)

TODO:
Create Ansible task that creates PKCS#1 format and moves the private key to /etc/mysql/keys/
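As an added example (not code from the Liblor/applied_sec_lab repository), a POSIX shell pre-flight check that captures what the comments above found: the earlier "Unable to get certificate" error was a permission problem, the key has to be PKCS#1, and it has to live under /etc/mysql. The script assumes the server runs as the mysql user and that the key goes to /etc/mysql/keys/; the conversion uses the openssl rsa command from the todo above. Function names and the warning texts are mine.

```shell
#!/bin/sh
# Pre-flight checks for a MariaDB TLS key/cert pair. Added example, not from
# the applied_sec_lab repo. Assumes the server runs as user 'mysql' and that
# the key is deployed under /etc/mysql (as found in this issue).

# Print the container format of a PEM private key from its first header line.
#   pkcs1   "-----BEGIN RSA PRIVATE KEY-----"   (what MariaDB loaded here)
#   pkcs8   "-----BEGIN PRIVATE KEY-----" / "-----BEGIN ENCRYPTED PRIVATE KEY-----"
pem_key_format() {
    if grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo pkcs1
    elif grep -qE '^-----BEGIN (ENCRYPTED )?PRIVATE KEY-----' "$1"; then
        echo pkcs8
    else
        echo unknown
    fi
}

# Octal mode and owner of a file (GNU stat first, BSD stat as fallback).
key_mode()   { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# 0 if group and others have no permission bits at all (0600, 0400, ...).
key_perms_private() {
    case "$(key_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Convert a PKCS#8 key to PKCS#1, as in the todo above:
#   openssl rsa -in keyname.key -out /etc/mysql/keyname.key
# umask 077 so the new file is never world-readable, not even briefly.
to_pkcs1() {
    ( umask 077 && openssl rsa -in "$1" -out "$2" )
}

# preflight KEY CERT [USER]  -> 0 if MariaDB should be able to load the pair.
preflight() {
    key=$1; cert=$2; user=${3:-mysql}; rc=0
    case "$key" in
        /etc/mysql/*) ;;
        *) echo "WARN: $key is outside /etc/mysql (keys elsewhere were not loaded in this issue)"; rc=1 ;;
    esac
    fmt=$(pem_key_format "$key")
    [ "$fmt" = pkcs1 ] || { echo "WARN: key format is $fmt, need pkcs1: to_pkcs1 $key /etc/mysql/keys/$(basename "$key")"; rc=1; }
    key_perms_private "$key" || { echo "WARN: $key is readable by group/other"; rc=1; }
    for f in "$key" "$cert"; do
        [ -r "$f" ] || { echo "WARN: $f not readable"; rc=1; }
        [ "$(file_owner "$f")" = "$user" ] || { echo "WARN: $f not owned by $user ('Unable to get certificate' here was a permission problem)"; rc=1; }
    done
    return $rc
}

# Usage: sh preflight.sh /etc/mysql/keys/asldb01_tls.key /etc/mysql/keys/asldb01_tls.crt mysql
if [ $# -ge 2 ]; then
    preflight "$@"
fi
```

Run it after the Ansible task has placed the files and before restarting MariaDB; a non-zero exit with the WARN lines tells you which of the three conditions from this thread is still unmet.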

Galera might use the IP to build the connection between nodes (at least that's how they log it). However, the certificates only authenticate the host name, so this might cause an error... The documentation doesn't mention anything...

Note to myself: investigate

Potentially useful:
https://groups.google.com/forum/#!topic/codership-team/bVJX7c-Yfx4
https://www.linuxbabe.com/mariadb/encrypt-replication-traffic-mariadb-galera-cluster-ubuntu

FYI: I'll wait until the cert-server branch (pull request #27) is merged into master. Then I will set up one db-server without Galera, but with the MariaDB version from the official repo (i.e. with OpenSSL). That way we will have a working environment, and I will look into replication after having set up the backup server, as this has higher priority. And it isn't like Galera has eaten enough time already 😞

The branch has been merged.

TLS should work again.

Fixed in #63