MariaDB Galera Arbitrator failing to sync with SSL


So the scenario is this. I have already set up a 4-node MariaDB Galera cluster (10.5). I’m also adding a 5th Galera Arbitrator on top, and everything syncs and connects just fine. However, when I enable SSL on the cluster (after bootstrapping it from scratch) I’m able to sync the 4 nodes, but the Arbitrator for some reason does not sync.

Interestingly, when the nodes are syncing they’re outputting "connecting…ssl://".
However, when the arbitrator is trying to sync it’s outputting "connecting…tcp://".
It seems like it’s trying over TCP for some reason.

Its config is this when I start it up:

    name:    garb
    address: gcomm://mariadb-galera-0:4567,mariadb-galera-1:4567,mariadb-galera-2:4567,mariadb-galera-3:4567,mariadb-galera-arb:4567
    group:   scluster
    sst:     trivial
    options: socket.ssl_key=/etc/ssl/galera/server-key.pem;socket.ssl_cert=/etc/ssl/galera/server-cert.pem;socket.ssl_ca=/etc/ssl/galera/ca-cert.pem;socket.ssl_cipher=AES128-SHA; gcs.fc_limit=9999999; gcs.fc_factor=1.0; gcs.fc_master_slave=yes

It doesn’t give me an SSL or cert error, it is just timing out:

    INFO: (8bef8261-9d27, 'tcp://') connection to peer 00000000-0000 with addr tcp:// timed out, no messages seen in PT3S, socket stats: rtt: 39 rttvar: 19 rto: 200000 lost: 0 last_data_recv: 3500 cwnd: 10 last_queued_since: 3499991400 last_delivered_since: 3499991400 send_queue_length: 0 send_queue_bytes: 0

The pem files are exactly the same that I’m using across all nodes + the arbitrator.

I read in the documentation that I need to specify the cipher, otherwise I’ll be getting an error. I tried AES128-SHA and AES128-SHA256 and not declaring it at all, but it is still timing out.

Below are the wsrep provider options from phpMyAdmin on one of the nodes. The cipher seems empty, but then again, why is the arbitrator trying to connect to "tcp://" and not "ssl://" like the others?

Thank you for helping

How to solve:


Method 1

There is a flag, socket.ssl = yes, that the garbd options need. For some reason it is not documented, but it needs to be enabled for the arb to try to connect via SSL.
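
A pre-deployment check for the pitfall described in this answer, added here as an example (it is not part of the original post or of Galera): it lints a garbd options string for socket.ssl_* settings that lack socket.ssl=yes, and picks tcp:// listen addresses out of a log. The function names, the accepted boolean spellings and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumptions: per the answer above, garbd only negotiates TLS when socket.ssl=yes
# is explicit; these spellings are treated as "enabled" for a boolean option.
TRUTHY = {"yes", "true", "on", "1"}

# Options string from the question, and the same string with the fix applied.
BEFORE = ("socket.ssl_key=/etc/ssl/galera/server-key.pem;"
          "socket.ssl_cert=/etc/ssl/galera/server-cert.pem;"
          "socket.ssl_ca=/etc/ssl/galera/ca-cert.pem;socket.ssl_cipher=AES128-SHA; "
          "gcs.fc_limit=9999999; gcs.fc_factor=1.0; gcs.fc_master_slave=yes")
AFTER = "socket.ssl=yes;" + BEFORE

# Constructed log lines (addresses are documentation placeholders).
SAMPLE_LOG = [
    "INFO: (8bef8261-9d27, 'tcp://0.0.0.0:4567') connection to peer 00000000-0000 "
    "with addr tcp://192.0.2.10:4567 timed out, no messages seen in PT3S",
    "INFO: (1a2b3c4d-0001, 'ssl://0.0.0.0:4567') connection established to "
    "5e6f7a8b-0002 ssl://192.0.2.11:4567",
]


def parse_options(raw):
    """Split a Galera 'key=value; key=value' options string into a dict."""
    pairs = (item.split("=", 1) for item in raw.split(";") if "=" in item)
    return {key.strip().lower(): value.strip() for key, value in pairs}


def audit_options(raw):
    """Return a finding when TLS files are configured but TLS is not enabled."""
    opts = parse_options(raw)
    tls_keys = sorted(k for k in opts if k.startswith("socket.ssl_"))
    if tls_keys and opts.get("socket.ssl", "").lower() not in TRUTHY:
        return ["%s set but socket.ssl=yes is missing: expect tcp:// connections"
                % ", ".join(tls_keys)]
    return []


def plaintext_lines(log_lines):
    """Return log lines whose gcomm listen address is tcp:// rather than ssl://."""
    pattern = re.compile(r"\([0-9a-f-]+, 'tcp://[^']*'\)")
    return [line for line in log_lines if pattern.search(line)]


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_options(raw) or "ok")
    print(len(plaintext_lines(SAMPLE_LOG)), "plaintext line(s) in sample log")
```

Run against the arbitrator's configured options before starting it, and against its log afterwards: a tcp:// listen address on a cluster that is meant to use SSL is the same symptom the question shows.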


All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
