Skip to content

Using TLS for SST with MariaDB

This might be good when you're spreading your cluster across DCs. The instructions below were written by a nickname called ''sibiria'' in the #maria channel at freenode. I have yet to verify them.

FIXME TODO: Verify and clarify this article.

Create a simple CA and a server key/cert

Create the CA that will be used to sign the server cert:

openssl req -new -newkey rsa:4096 -x509 -nodes -days 1826 -sha256 -keyout mariadb_ca.key > mariadb_ca.crt

Create the server key and certificate signing request:

openssl req -newkey rsa:2048 -nodes -days 1826 -sha256 -subj '/C=SE/ST=-/L=-/O=Organization/OU=-/CN=mariadb/emailAddress=some@thing.com' -out mariadb.csr -keyout mariadb.key

Sign the server's certificate using the CA:

openssl x509 -req -in mariadb.csr -days 1826 -sha256 -CA mariadb_ca.crt -CAkey mariadb_ca.key -set_serial 01 -out mariadb.crt

You can use a single client key/cert for all nodes, or you can create one unique set for each node if you so prefer. These certs and keys can also be used by clients to establish encrypted general connections to the MariaDB instances, not just for protecting replication data between Galera. Don't forget to protect the CA and server keys.

Add a user for remote (non-localhost) connections that will require TLS

grant RELOAD, LOCK TABLES, PROCESS, REPLICATION CLIENT [, AND ANYTHING ELSE YOU MAY NEED] on *.* to 'yoursstuser'@'%' identified by 'yoursstpassword' require ssl;

Settings to add to wsrep_provider_options

socket.ssl_key=/etc/pki/tls/private/mariadb.key;socket.ssl_cert=/etc/pki/tls/certs/mariadb.crt;socket.ssl_ca=/etc/pki/tls/certs/mariadb_ca.crt

Configuration clause to add to your my.cnf

[sst]
encrypt=4
ssl-ca=/etc/pki/tls/certs/mariadb_ca.crt
ssl-cert=/etc/pki/tls/certs/mariadb.crt
ssl-key=/etc/pki/tls/private/mariadb.key

Start your nodes up again and confirm on each node that TLS is in use for replication by running 'journalctl -xe' and looking for 'WSREP: SSL handshake successful'


Last update: October 2, 2021