Cluster Unable to configure SSL

Hi together, I'm quite new to Percona SQL clusters.

I’ve configured it using the latest documentation at https://docs.percona.com/percona-xtradb-cluster/8.0/configure.html

This is my environment:
3x Debian 11 servers with latest updates
Percona 8 from its PPAs (as per the documentation)

Joining the newly created cluster fails; starting mysql on node 1 manually also fails.
mysqld --help --verbose | grep 'log-error' | tail -1 shows this error:

[ERROR] [MY-000000] [WSREP] ssl-ca, ssl-cert, and ssl-key must all be defined to use encrypted mode traffic. Unable to configure SSL. Must shutdown.
[ERROR] [MY-010119] [Server] Aborting

This is the nodes configuration:

[client]
socket=/sql/mysqld.sock

[mysqld]
server-id=1
datadir=/sql
socket=/sql/mysqld.sock
log-error=/sql/error.log
pid-file=/sql/mysqld.pid

ssl-ca=/sql/certs/ca.pem
ssl-cert=/sql/certs/server-cert.pem
ssl-key=/sql/certs/server-key.pem

binlog_expire_logs_seconds=604800

binlog_format=ROW
wsrep_provider_options="socket.ssl_key=/sql/certs/server-key.pem;socket.ssl_cert=/sql/certs/server-cert.pem;socket.ssl_ca=/sql/certs/ca.pem"

wsrep_provider=/usr/lib/galera4/libgalera_smm.so
wsrep_cluster_address=gcomm://192.168.1.10,192.168.1.12,192.168.1.12
wsrep_slave_threads=8
wsrep_log_conflicts
wsrep_node_address=192.168.1.10
wsrep_cluster_name=pxc-cluster
wsrep_node_name=node-1
wsrep_sst_method=xtrabackup-v2

innodb_autoinc_lock_mode=2

pxc_strict_mode=ENFORCING

[sst]
encrypt=4
ssl-key=/sql/server-key.pem
ssl-ca=/sql/ca.pem
ssl-cert=/sql/server-cert.pem

Anything I've done wrong?
Thank you guys!


Did you create these? These are not automatically created for you since you have specified a location. MySQL will only create them automatically if you do NOT specify their location.

I would do this: remove ALL ssl parameters from node1 my.cnf and then bootstrap node1. This will create the certificates/keys. Then shutdown node1. Copy the certs from /var/lib/mysql to your chosen location and put back the config parameters. Bootstrap mysql1 again. This should start and use the specified certs.
Then, copy those certs to node2, configure node2 and start it to join node1.

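A quick consistency check for a node configuration like the one above, added here as an example and not code from the thread or from Percona: it parses a my.cnf, reports when only some of ssl-ca/ssl-cert/ssl-key are set (the condition behind the error quoted in the question), flags certificate paths that differ between [mysqld], the Galera socket.ssl_* provider options and [sst], and, when no ssl options are set at all, names the datadir as the place auto-generated certificates will appear. The embedded sample config is a constructed, trimmed copy of the one posted in the question.

```python
import configparser

SSL_KEYS = ("ssl-ca", "ssl-cert", "ssl-key")  # all three or none, else mysqld aborts

# Constructed sample: a trimmed copy of the node config posted in the question.
SAMPLE_CNF = """[mysqld]
datadir=/sql
ssl-ca=/sql/certs/ca.pem
ssl-cert=/sql/certs/server-cert.pem
ssl-key=/sql/certs/server-key.pem
wsrep_provider_options="socket.ssl_key=/sql/certs/server-key.pem;socket.ssl_cert=/sql/certs/server-cert.pem;socket.ssl_ca=/sql/certs/ca.pem"
wsrep_log_conflicts
[sst]
ssl-key=/sql/server-key.pem
ssl-ca=/sql/ca.pem
ssl-cert=/sql/server-cert.pem
"""

def parse_my_cnf(text):
    # allow_no_value: my.cnf permits bare flags such as wsrep_log_conflicts
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return cp

def ssl_paths(cp):
    """Certificate paths from the three places PXC reads them."""
    secs = ("mysqld", "sst", "wsrep_provider_options")  # last one is filled below
    found = {s: {k: cp.get(s, k) for k in SSL_KEYS if cp.has_option(s, k)} for s in secs}
    opts = cp.get("mysqld", "wsrep_provider_options", fallback="") or ""
    for item in opts.strip('"\'').split(";"):
        name, _, value = item.partition("=")
        if name.strip().startswith("socket.ssl_"):  # socket.ssl_ca -> ssl-ca
            found["wsrep_provider_options"]["ssl-" + name.strip()[11:]] = value.strip()
    return found

def check_ssl_config(text):
    """Findings (empty list = consistent): partial sets, mismatched paths, autogen dir."""
    paths = ssl_paths(cp := parse_my_cnf(text))
    findings = []
    for sec, values in paths.items():
        if values and len(values) < len(SSL_KEYS):
            findings.append(f"[{sec}] sets only {sorted(values)}; need all of {SSL_KEYS}")
    ref = paths["mysqld"]
    for sec in ("wsrep_provider_options", "sst"):
        for key, value in paths[sec].items():
            if key in ref and ref[key] != value:
                findings.append(f"{key}: [{sec}]={value} differs from [mysqld]={ref[key]}")
    if not any(paths.values()):  # auto_generate_certs writes into datadir, not /var/lib/mysql
        datadir = cp.get("mysqld", "datadir", fallback="/var/lib/mysql")
        findings.append(f"no ssl options set: mysqld will auto-generate certs in {datadir}")
    return findings
```

On the sample it reports the three [sst] paths (/sql/... versus /sql/certs/...); with every ssl option removed it points at datadir=/sql, which is where the auto-generated ca.pem and server-*.pem files will be written.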

Hi,

I've removed all ssl specific configs from the file.
After bootstrapping node1 again nothing changed in /var/lib/mysql, still the old certificates in place.

I'm not sure I understood what you said. If you now have SSL certificates in /var/lib/mysql after bootstrapping, stop MySQL, move those certs to /sql/certs/, add the parameters back to my.cnf and bootstrap again. Then copy those certs to node2, edit node2 config and start node2.

What I’ve done now:
removed all of my ssl config from the configuration file
bootstrapped node 1
made sure mysql stopped on node 1

After that I took a look into /var/lib/mysql and there was no .pem file at all in it, nothing generated during the bootstrapping.

Check MySQL's error log and see why it didn't generate the SSL certificates.