So the scenario is this. I have already set up a 4 node MariaDB Galera cluster (10.5). I’m also adding on top a 5th node, a Galera Arbitrator, and everything syncs and connects just fine. However, when I enable SSL on the cluster (after bootstrapping it from scratch) I’m able to sync the 4 nodes, but the Arbitrator for some reason does not sync.
Interestingly, when the nodes are syncing they’re outputting "connecting…ssl://172.31.0.4:4567".
However, when the arbitrator is trying to sync it’s outputting "connecting…tcp://172.31.0.4:4567".
Seems like it’s trying over tcp for some reason.
Its config is this when I start it up:
name: garb
address: gcomm://mariadb-galera-0:4567,mariadb-galera-1:4567,mariadb-galera-2:4567,mariadb-galera-3:4567,mariadb-galera-arb:4567
group: scluster
sst: trivial
donor:
options: socket.ssl_key=/etc/ssl/galera/server-key.pem;socket.ssl_cert=/etc/ssl/galera/server-cert.pem;socket.ssl_ca=/etc/ssl/galera/ca-cert.pem;socket.ssl_cipher=AES128-SHA; gcs.fc_limit=9999999; gcs.fc_factor=1.0; gcs.fc_master_slave=yes
cfg:
log:
It doesn’t give me an ssl or cert error, just timing out:
INFO: (8bef8261-9d27, 'tcp://0.0.0.0:4567') connection to peer 00000000-0000 with addr tcp://172.31.0.4:4567 timed out, no messages seen in PT3S, socket stats: rtt: 39 rttvar: 19 rto: 200000 lost: 0 last_data_recv: 3500 cwnd: 10 last_queued_since: 3499991400 last_delivered_since: 3499991400 send_queue_length: 0 send_queue_bytes: 0
The pem files are exactly the same ones that I’m using across all nodes + the arbitrator.
I read in the documentation that I need to specify the cipher, otherwise I’ll be getting an error. I tried AES128-SHA256 and not declaring it at all, but it is still timing out.
Below are the wsrep provider options from phpMyAdmin on one of the nodes. The cipher seems empty, but then again, why is the arbitrator trying to connect to "tcp://" and not "ssl://" like the others?
Thank you for helping.
How to solve:
There is a flag, socket.ssl = yes, in the options of garbd which for some reason is not documented and needs to be enabled for the arb to try to connect via SSL.
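The check below is an added example, not code from the question or the answer: it parses a garbd "options:" string in the semicolon-separated key=value form shown in the question and reports whether the arbitrator's connection will actually be SSL, i.e. whether socket.ssl=yes is present along with the key, certificate and CA paths. The option names are the Galera provider names used on this page; the set of accepted boolean spellings is an assumption.

```python
# Added example (not from the original post or the Galera project).
# Parse a garbd "options:" string and report why it would dial tcp:// instead of ssl://.

def parse_options(options: str) -> dict:
    """Split 'a=b; c=d' into a dict; empty entries and surrounding whitespace are ignored."""
    result = {}
    for item in options.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed option (no '='): {item!r}")
        result[key.strip()] = value.strip()
    return result


def ssl_enabled(opts: dict) -> bool:
    """socket.ssl is boolean and defaults to off for garbd (accepted spellings are an assumption)."""
    return opts.get("socket.ssl", "no").lower() in ("yes", "1", "true", "on")


def check_garbd_ssl(options: str) -> list:
    """Return a list of problems; an empty list means the arbitrator will connect over ssl://."""
    opts = parse_options(options)
    problems = []
    if not ssl_enabled(opts):
        problems.append("socket.ssl=yes missing: garbd will dial tcp://, not ssl://")
    for key in ("socket.ssl_key", "socket.ssl_cert", "socket.ssl_ca"):
        if not opts.get(key):
            problems.append(f"{key} not set")
    return problems


# The options string from the question (constructed copy), before and after adding the flag.
BEFORE = ("socket.ssl_key=/etc/ssl/galera/server-key.pem;"
          "socket.ssl_cert=/etc/ssl/galera/server-cert.pem;"
          "socket.ssl_ca=/etc/ssl/galera/ca-cert.pem;socket.ssl_cipher=AES128-SHA;"
          " gcs.fc_limit=9999999; gcs.fc_factor=1.0; gcs.fc_master_slave=yes")
AFTER = "socket.ssl=yes;" + BEFORE

if __name__ == "__main__":
    print(check_garbd_ssl(BEFORE))  # one problem: socket.ssl=yes missing
    print(check_garbd_ssl(AFTER))   # []
```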