  1. Percona XtraDB Cluster
  2. PXC-2292

Modified Processing to determine Type of Key Cert when IST/SST

    Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 5.7.23-31.31
    • Fix Version/s: 8.0.18-internal
    • Component/s: None
    • Labels:
      None

      Description

      I'm using the Percona-XtraDB-Cluster-server-57-5.7.23-31.31.2.el7.x86_64 rpm install.  I have installed elliptic curve key and cert files to /var/lib/mysql/server-key.pem and /var/lib/mysql/server-cert.pem respectively and added "pxc-encrypt-cluster-traffic=ON" to the mysqld section of /etc/my.cnf.d/local.cnf.  Everything seems to be running as expected, except for when a full SST was required, I was getting the following error message:

      2018-11-27T22:57:21.974369Z WSREP_SST: [ERROR] ******************* FATAL ERROR **********************
      2018-11-27T22:57:21.975308Z WSREP_SST: [ERROR] * The certifcate and private key do not match.
      2018-11-27T22:57:21.976201Z WSREP_SST: [ERROR] * Please check your certificate and key files.
      2018-11-27T22:57:21.977086Z WSREP_SST: [ERROR] ******************************************************

      I tracked this down to line 334 in /bin/wsrep_sst_xtrabackup-v2, which checks that the public key in each file matches:

      if ! diff <(openssl x509 -in "$cert_path" -pubkey -noout) <(openssl rsa -in "$key_path" -pubout 2>/dev/null) >/dev/null 2>&1

      As you can see, the openssl command is expecting the key file to be RSA, despite the fact that everything else is working great with an EC key.  I was able to work around this by replacing the "rsa" command with "pkey", which seems to be agnostic to the type of key being used:

      if ! diff <(openssl x509 -in "$cert_path" -pubkey -noout) <(openssl pkey -in "$key_path" -pubout 2>/dev/null) >/dev/null 2>&1
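
The check discussed in this report, as an added example that is not code from the report or from the PXC SST script: it compares the certificate's public key with the private key's public key through `openssl pkey`, and goes slightly beyond the one-line workaround by returning a separate status when the key cannot be read at all, so a key-type problem is not reported as a mismatch. The function names, file names and the throwaway key pairs are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (hypothetical names): cert/key match check that accepts any key type.

# cert_key_match CERT KEY [SUBCOMMAND]
#   SUBCOMMAND is the openssl command used to read the key: pkey (default) or rsa.
#   Returns 0 = keys match, 1 = mismatch, 2 = certificate unreadable,
#           3 = key unreadable by SUBCOMMAND (e.g. an EC key handed to "rsa").
cert_key_match() (
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || exit 2
    key_pub=$(openssl "${3:-pkey}" -in "$2" -pubout 2>/dev/null) || exit 3
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# Build throwaway (constructed) EC and RSA key/self-signed cert pairs in directory $1.
make_test_pairs() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key" 2>/dev/null &&
    openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null &&
    for t in ec rsa; do
        openssl req -new -x509 -key "$1/$t.key" -subj "/CN=constructed-$t" \
            -days 1 -out "$1/$t.crt" 2>/dev/null || return 1
    done
}

# Run the check over matching, wrong-subcommand and mismatched combinations.
demo() {
    d=$(mktemp -d) || return 1
    make_test_pairs "$d" || { rm -rf "$d"; return 1; }
    for args in "ec.crt ec.key pkey" "ec.crt ec.key rsa" \
                "rsa.crt rsa.key pkey" "ec.crt rsa.key pkey"; do
        set -- $args
        rc=0; cert_key_match "$d/$1" "$d/$2" "$3" || rc=$?
        echo "$1 + $2 via 'openssl $3': rc=$rc"
    done
    rm -rf "$d"
}

demo || echo "openssl missing or key generation failed" >&2
```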

              People

              Assignee:
              kenn.takara Kenn Takara
              Reporter:
              tsteiner38 Timothy Steiner

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: Not Specified
                  Logged: 4h