SysAdmin Notes: Enabling SSL Cluster replication – Let’s Encrypt – FreeBSD, MariaDB 10.2, and Galera Cluster

From acme.sh (it names the files after the domain, here db2), you get:


ca.cer           the Let's Encrypt intermediate CA certificate(s) that signed your cert
db2.cer          the node's own certificate (leaf only)
db2.conf         acme.sh's per-domain settings
db2.csr
db2.csr.conf
db2.key          the private key (keep it readable only by the MariaDB user)
fullchain.cer    db2.cer followed by ca.cer

FreeBSD layout: copy these to /etc/ssl (or wherever you prefer). The key must be readable by the mysqld process and should be readable by nobody else.

Concatenate ca.cer with cert.pem, the system root-CA bundle: on FreeBSD, /etc/ssl/cert.pem is the symlink that the package "security/ca_root_nss" installs, pointing at /usr/local/share/certs/ca-root-nss.crt.


sudo sh -c 'cat ca.cer cert.pem > cert2.pem'

Galera Cluster didn't like a chained certificate in socket.ssl_cert, and it verifies certificates at both ends of every node-to-node connection (each node acts as TLS client to some peers and as TLS server to others). The peer checks the certificate it is shown against its own socket.ssl_ca, and since db2.cer is the leaf alone, the Let's Encrypt intermediate has to be present in that CA bundle; that is what cert2.pem provides. So wsrep_provider_options looks like this:


wsrep_provider_options="
socket.ssl_key=/etc/ssl/db2.key;
socket.ssl_cert=/etc/ssl/db2.cer;
socket.ssl_ca=/etc/ssl/cert2.pem;
socket.ssl=yes
"

Now, because a certificate change means restarting the whole cluster, and Let's Encrypt certificates are only valid for 90 days (acme.sh renews them after 60 days by default), this may not be optimal. And I'm unclear what the impact is of doing "--wsrep-new-cluster" all the time, because once you change the certificates, you apparently can't re-join the same cluster.


HOWEVER, the self-signed certificates, generated as directed here: http://galeracluster.com/documentation-webpages/sslcert.html#generating-certificates didn't work out of the box. For whatever reason, the server cert needs to be the full chain (the server cert followed by the CA cert that signed it). To create that, one more step:


sudo sh -c 'cat server-cert.pem ca-cert.pem > serverchain.pem'


Then point socket.ssl_cert at serverchain.pem instead of server-cert.pem, leaving socket.ssl_key and socket.ssl_ca as they were.
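To see why both fixes above work (the cert2.pem CA bundle for the Let's Encrypt case, and the serverchain.pem / fullchain.cer server cert for the self-signed case), here is an added example written for these notes. It is not code from the original post, nor from Galera or acme.sh. It builds a throwaway root / intermediate / leaf PKI with the openssl command-line tool, mirroring what acme.sh hands you (root bundle ~ cert.pem, intermediate ~ ca.cer, leaf ~ db2.cer), and replays the three situations with openssl verify: leaf alone against a root-only bundle fails; the same leaf against a bundle that also contains the intermediate succeeds; and a root-only bundle succeeds when the peer presents the full chain (openssl verify's -untrusted stands in for the extra certificates a peer sends during the handshake). It also runs two checks worth doing before you restart a node: that the key matches the certificate and that the certificate is not about to expire. The names Demo Root, Demo Intermediate, db2.example.test and all file names are made up for the demo.

```shell
#!/bin/sh
# Added example for these notes (not from the original post, Galera or acme.sh).
# Builds a demo PKI and shows with `openssl verify` which trust-store / server-cert
# combinations validate. All names here are made up; requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: a CA profile and a server/client leaf profile.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF

# make_cert NAME SUBJECT PROFILE [ISSUER]: self-signed when no issuer is given,
# otherwise a CSR signed by ISSUER's key. Writes $WORK/NAME.key and $WORK/NAME.pem.
make_cert() {
    name=$1; subj=$2; profile=$3; issuer=${4:-}
    if [ -z "$issuer" ]; then
        openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj "$subj" -config "$WORK/openssl.cnf" -extensions "$profile" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "$subj" -config "$WORK/openssl.cnf" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
        openssl x509 -req -in "$WORK/$name.csr" -days 30 -sha256 \
            -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -extfile "$WORK/openssl.cnf" -extensions "$profile" \
            -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# chain_status CA_BUNDLE LEAF [UNTRUSTED]: prints "ok" if LEAF chains to a trust
# anchor in CA_BUNDLE, else "fail". UNTRUSTED models certificates the peer sends in
# the handshake without them being trusted (what a full-chain server cert does).
chain_status() {
    ca=$1; leaf=$2; untrusted=${3:-}
    if [ -n "$untrusted" ]; then
        openssl verify -CAfile "$ca" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

# key_matches_cert CERT KEY: the public key inside CERT equals the one derived from KEY.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_valid_for_days CERT N: succeeds if CERT does not expire within the next N days.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Demo PKI: root signs intermediate, intermediate signs the node's leaf.
make_cert root "/CN=Demo Root" v3_ca
make_cert int  "/CN=Demo Intermediate" v3_ca root
make_cert leaf "/CN=db2.example.test" v3_leaf int

cat "$WORK/root.pem" > "$WORK/roots-only.pem"                    # like cert.pem
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/cert2.pem"          # like cert2.pem
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"      # like fullchain.cer

printf 'leaf only   vs roots-only bundle:          %s\n' "$(chain_status "$WORK/roots-only.pem" "$WORK/leaf.pem")"  # fail
printf 'leaf only   vs roots+intermediate bundle:  %s\n' "$(chain_status "$WORK/cert2.pem" "$WORK/leaf.pem")"       # ok
printf 'full chain  vs roots-only bundle:          %s\n' "$(chain_status "$WORK/roots-only.pem" "$WORK/leaf.pem" "$WORK/fullchain.pem")"  # ok
printf 'key matches cert:                          %s\n' "$(key_matches_cert "$WORK/leaf.pem" "$WORK/leaf.key" && echo yes || echo no)"  # yes
printf 'valid for another 20 days:                 %s\n' "$(cert_valid_for_days "$WORK/leaf.pem" 20 && echo yes || echo no)"  # yes
```

In Galera terms, the first line is socket.ssl_cert=db2.cer with socket.ssl_ca=cert.pem (the root bundle alone), the second is the same cert with socket.ssl_ca=cert2.pem, and the third is a full-chain socket.ssl_cert with the root bundle as CA. Run the same three openssl verify commands against your real files before restarting a node; a chain that fails here will fail in Galera, and it is cheaper to find out on the command line.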


Oh yeah, you need different self-signed certs on each Galera node. The same server cert doesn't work for all nodes.

Well, that is only partly true, and it only worked for half the connection: openssl s_client worked, but mysql/Galera would not validate the cert. In fact, you can have the same cert on everything if you DON'T set socket.ssl_ca. Yeah, really. Seemingly, you don't even need to sign it: just create the certificate/key pair for the CA, use those as key/cert, and don't set the CA.

Be clear about what that buys you. If an unsigned certificate is accepted as soon as no CA is configured, nothing is checking who the peer is: the replication traffic is encrypted, but the nodes are not authenticated, and any host that can reach the Galera port and present some certificate gets the same treatment as a cluster member. Only the configuration with socket.ssl_ca set, and certificates that chain to it, gives you both.