SysAdmin Notes: Enabling SSL Cluster replication – Let’s Encrypt – FreeBSD, MariaDB 10.2, and Galera Cluster

by David P. Discher
Posted on March 6, 2018March 6, 2018

From acme.sh, you’ll get :

ca.cer db2.cer db2.conf db2.csr db2.csr.conf db2.key fullchain.cer

FreeBSD layout – copy these to /etc/ssl (well, where you want).

concatenate the ca.cer with symlink of cert.pem from the package “security/ca_root_nss”.

sudo sh -c 'cat ca.cer cert.pem > cert2.pem'

Galera Cluster doesn’t like chained certificates, and does both a client and server Certificate verification – so wsrep_provider_options look like this :

wsrep_provider_options=" socket.ssl_key=/etc/ssl/db2.key; socket.ssl_cert=/etc/ssl/db2.cer; socket.ssl_ca=/etc/ssl/cert2.pem; socket.ssl=yes "

Now, because you have to restart the whole cluster … Let’s Encrypt’s certificates every 60-90 days … may not be optimal. And I’m unclear what the impact is for doing “–wsrep-new-cluster” all the time … because once you change the certificates, you apparently can’t re-join the same cluster.

HOWEVER – the self-signed certificates, as directed here : http://galeracluster.com/documentation-webpages/sslcert.html#generating-certificates – didn’t work out of the box. For whatever reason, the server cert needs to be the full chain. To create that … one more step:

sudo sh -c 'cat server-cert.pem ca-cert.pem > serverchain.pem '

~~And use socket.ssl_cert=serverchain.pem~~

~~Oh yeah … you need different self signed certs on each Galera node. The same server cert doesn’t work for all nodes.~~

Well, that is only partly true …and only worked for 1/2 the connection … openssl s_client worked, but mysql/Galera would not validate the cert. In fact, you can have the same cert on everything – if you DON’T set the ssl_ca. Yeah, really. Seemly, you don’t even need to sign it … just create the certificate/key pair for the CA, and use those as key/cert, and don’t set the CA.