hello everyone,
I am having a problem getting xtradb to work at all with SSL between the nodes…
following the docs here https://www.percona.com/doc/percona-...l/apt.html#apt
and https://www.percona.com/doc/percona-...ntu_howto.html
using these install steps:

    wget https://repo.percona.com/apt/percona-release_0.1-4.$(lsb_release -sc)_all.deb
    sudo dpkg -i percona-release_0.1-4.$(lsb_release -sc)_all.deb
    sudo apt-get update
    sudo apt-cache search percona
    apt-get remove apparmor
    apt install percona-xtradb-cluster-full-57
    sudo service mysql stop
    ufw allow 22,3306,4444,4567,4568/tcp
    ufw enable

copy the supplied /etc/mysql/my.cnf templates
the cluster boots and runs no problem…
Then I generated keys as per
https://www.percona.com/doc/percona-...ate-keys-certs

    $ openssl genrsa 2048 > ca-key.pem
    $ openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
    $ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
    $ openssl rsa -in server-key.pem -out server-key.pem
    $ openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    $ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
    $ openssl rsa -in client-key.pem -out client-key.pem
    $ openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

and all goes as expected
updating the provided my.cnf example:

    [mysqld]
    ssl-ca=/etc/mysql/certs/ca.pem
    ssl-cert=/etc/mysql/certs/server-cert.pem
    ssl-key=/etc/mysql/certs/server-key.pem
    datadir=/var/lib/mysql
    user=mysql
    # Path to Galera library
    wsrep_provider=/usr/lib/libgalera_smm.so
    # Cluster connection URL contains the IPs of node#1, node#2 and node#3
    wsrep_cluster_address=gcomm://192.168.70.61,192.168.70.62,192.168.70.63
    wsrep_provider_options="socket.ssl=yes;socket.ssl_ca=/etc/mysql/certs/ca.pem;socket.ssl_cert=/etc/mysql/certs/server-cert.pem;socket.ssl_key=/etc/mysql/certs/server-key.pem"
    early-plugin-load=keyring_file.so
    keyring-file-data=/etc/mysql/keyring
    # In order for Galera to work correctly binlog format should be ROW
    binlog_format=ROW
    # MyISAM storage engine has only experimental support
    default_storage_engine=InnoDB
    # This InnoDB autoincrement locking mode is a requirement for Galera
    innodb_autoinc_lock_mode=2
    # Node #1 address
    wsrep_node_address=192.168.70.61
    # SST method
    wsrep_sst_method=xtrabackup-v2
    # Cluster name
    wsrep_cluster_name=my_ubuntu_cluster
    # Authentication for SST method
    wsrep_sst_auth="sstuser:s3cretPass"

    [client]
    ssl-ca=/etc/mysql/certs/ca.pem
    ssl-cert=/etc/mysql/certs/client-cert.pem
    ssl-key=/etc/mysql/certs/client-key.pem

    [sst]
    encrypt=4
    ssl-ca=/etc/mysql/certs/ca.pem
    ssl-cert=/etc/mysql/certs/server-cert.pem
    ssl-key=/etc/mysql/certs/server-key.pem

This prevents the cluster from bootstrapping… adding

    log_error = /var/log/mysql/error.log
    log_warnings = 3
    log_error_verbosity = 3

to the [mysqld] block does not produce a log when the bootstrap fails…
Further, if I comment out the [client] block

    #[client]
    #ssl-ca=/etc/mysql/certs/ca.pem
    #ssl-cert=/etc/mysql/certs/client-cert.pem
    #ssl-key=/etc/mysql/certs/client-key.pem

the first node will bootstrap but the second node cannot connect.
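An added check, not part of the post above and not Percona's own tooling: it repeats the post's openssl steps in a scratch directory (with constructed subject names test-ca, server and client, since the original commands prompt for them), verifies each leaf certificate against the CA, and reports the serial numbers; both leaves are issued with `-set_serial 01`, and RFC 5280 requires an issuer to give every certificate a distinct serial, so that collision is worth knowing about before digging into the cluster config.

```shell
#!/bin/sh
# Added example: rebuild the post's CA/server/client certificates in a scratch
# directory and check them. Subject names (test-ca, server, client) are
# constructed here; the post's commands prompt for them interactively.
set -eu
# Generate the key pairs and certificates exactly as in the post, with -subj
# so the script runs unattended.
gen_certs() {
  mkdir -p "$1"
  (
    cd "$1"
    openssl genrsa 2048 > ca-key.pem 2>/dev/null
    openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem \
      -subj "/CN=test-ca" 2>/dev/null
    for name in server client; do
      openssl req -newkey rsa:2048 -nodes -keyout "$name-key.pem" \
        -out "$name-req.pem" -subj "/CN=$name" 2>/dev/null
      # Both leaf certificates get -set_serial 01, just as in the post.
      openssl x509 -req -in "$name-req.pem" -days 3600 -CA ca.pem \
        -CAkey ca-key.pem -set_serial 01 -out "$name-cert.pem" 2>/dev/null
    done
  )
}

# Print "ok" if the named leaf certificate chains to ca.pem, else "fail".
verify_cert() {
  openssl verify -CAfile "$1/ca.pem" "$1/$2-cert.pem" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# Print the serial number of the named leaf certificate (e.g. "01").
cert_serial() {
  openssl x509 -in "$1/$2-cert.pem" -noout -serial | cut -d= -f2
}

# Succeed only if the two leaf certificates carry different serial numbers;
# RFC 5280 requires distinct serials for certificates from one issuer.
serials_unique() {
  [ "$(cert_serial "$1" server)" != "$(cert_serial "$1" client)" ]
}

# Stand-alone run: build the certificates and summarise the checks.
report() {
  gen_certs "$1"
  echo "server chain: $(verify_cert "$1" server), serial $(cert_serial "$1" server)"
  echo "client chain: $(verify_cert "$1" client), serial $(cert_serial "$1" client)"
  if serials_unique "$1"; then echo "serials differ"; else echo "serials collide"; fi
}

report "$(mktemp -d)"
```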