Percona XtraDB Cluster / PXC-2978

Correct process to display Certificate Information when pxc-encrypt-cluster-traffic=ON

Details

    • Bug
    • Status: Done
    • Medium
    • Resolution: Invalid
    • 8.0.x
    • None
    • None

    Description

      Per the pxc-encrypt-cluster-traffic documentation:
      "Setting pxc-encrypt-cluster-traffic=ON has effect of applying the following settings in my.cnf configuration file:"

      [mysqld]
      wsrep_provider_options="socket.ssl_key=server-key.pem;socket.ssl_cert=server-cert.pem;socket.ssl_ca=ca.pem"

      [sst]
      encrypt=4
      ssl-key=server-key.pem
      ssl-ca=ca.pem
      ssl-cert=server-cert.pem

      While we're enabling this option by default, I don't see it added in the /etc/mysql/mysql.conf.d/mysqld.cnf file (where the rest of the config is located) or in the output of:

      mysql> show variables like 'wsrep_provider_options'\G
      *************************** 1. row ***************************
      Variable_name: wsrep_provider_options
              Value: base_dir = /var/lib/mysql/; base_host = 10.0.2.15; base_port = 4567; cert.log_conflicts = no; cert.optimistic_pa = yes; debug = no; evs.auto_evict = 0; evs.causal_keepalive_period = PT1S; evs.debug_log_mask = 0x1; evs.delay_margin = PT1S; evs.delayed_keep_period = PT30S; evs.inactive_check_period = PT0.5S; evs.inactive_timeout = PT15S; evs.info_log_mask = 0; evs.install_timeout = PT7.5S; evs.join_retrans_period = PT1S; evs.keepalive_period = PT1S; evs.max_install_timeouts = 3; evs.send_window = 10; evs.stats_report_period = PT1M; evs.suspect_timeout = PT5S; evs.use_aggregate = true; evs.user_send_window = 4; evs.version = 1; evs.view_forget_timeout = P1D; gcache.dir = /var/lib/mysql/; gcache.freeze_purge_at_seqno = -1; gcache.keep_pages_count = 0; gcache.keep_pages_size = 0; gcache.mem_size = 0; gcache.name = galera.cache; gcache.page_size = 128M; gcache.recover = yes; gcache.size = 128M; gcomm.thread_prio = ; gcs.fc_debug = 0; gcs.fc_factor = 1.0; gcs.fc_limit = 100; gcs.fc_master_slave = no; gcs.max_packet_
      1 row in set (0.01 sec)
      

      So it doesn't show if or which of the certificates are being used.

      Tested on Ubuntu 18.04:

      +------------------+
      | @@INNODB_VERSION |
      +------------------+
      | 8.0.18-9         |
      +------------------+
      +-----------+
      | @@VERSION |
      +-----------+
      | 8.0.18-9  |
      +-----------+
      +------------------------------------------------------------------------------------+
      | @@VERSION_COMMENT                                                                  |
      +------------------------------------------------------------------------------------+
      | Percona XtraDB Cluster (GPL), Release rel9, Revision 1e1d898, WSREP version 26.4.3 |
      +------------------------------------------------------------------------------------+
      +------------------------+---------------+
      | Variable_name          | Value         |
      +------------------------+---------------+
      | wsrep_provider_version | 4.3(r752664d) |
      +------------------------+---------------+
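
Added example (not part of the original report and not Percona's code): one way to check a `wsrep_provider_options` value for the three `socket.ssl_*` keys named in the documentation quote above. A string that ends in a fragment without `=`, as the pasted value above does at `gcs.max_packet_`, is reported as inconclusive rather than as evidence that the keys are unset. The function names and sample strings are constructed for illustration.

```python
# Keys taken from the documentation quote in the report.
SSL_KEYS = ("socket.ssl_key", "socket.ssl_cert", "socket.ssl_ca")

# Constructed sample values (not captured from a real node).
TRUNCATED = "base_port = 4567; gcomm.thread_prio = ; gcs.fc_limit = 100; gcs.max_packet_"
FULL = ("base_port = 4567; gcs.fc_limit = 100; socket.ssl_ca = ca.pem; "
        "socket.ssl_cert = server-cert.pem; socket.ssl_key = server-key.pem")
NO_SSL = "base_port = 4567; gcs.fc_limit = 100"


def parse_provider_options(value):
    """Split 'k = v; k = v' into (dict, dangling_fragment_or_None)."""
    opts, tail = {}, None
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            # A fragment with no '=' means the string was cut off mid-key.
            # A cut that falls inside a value cannot be detected this way.
            tail = part
            continue
        key, val = part.split("=", 1)
        opts[key.strip()] = val.strip()  # empty values are legal ("gcomm.thread_prio = ")
    return opts, tail


def ssl_report(value):
    """Return (status, found) where found maps each present SSL key to its value."""
    opts, tail = parse_provider_options(value)
    found = {k: opts[k] for k in SSL_KEYS if k in opts}
    if len(found) == len(SSL_KEYS):
        status = "configured"
    elif tail is not None:
        status = "inconclusive"  # truncated input: absence proves nothing
    elif found:
        status = "partial"
    else:
        status = "absent"
    return status, found


if __name__ == "__main__":
    for name, sample in (("truncated", TRUNCATED), ("full", FULL), ("no_ssl", NO_SSL)):
        print(name, ssl_report(sample))
```
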
      


          People

            Unassigned Unassigned
            hrvoje.matijakovic Hrvoje Matijakovic

              Time Tracking

                Estimated: Not Specified
                Remaining: Not Specified
                Logged: 40m
