sql_mode=VERIFY_IDENTITY not working with HAProxy and cert-manager

Description

The PXC operator provides internal and external SSL certificates. HAProxy uses TCP connection load balancing, thus clients see the internal certificates.

Certificates generated by cert-manager + the PXC operator are not valid for ssl-mode=VERIFY_IDENTITY mode (CA check + hostname check).

kubectl exec -it cluster1-pxc-0 -c pxc -- bash

bash-4.4$ mysql --ssl-ca=/etc/mysql/ssl-internal/ca.crt --ssl-mode=VERIFY_IDENTITY --protocol=tcp -uroot -proot_password --host=cluster1-pxc-0.cluster1-pxc
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

bash-4.4$ mysql --ssl-ca=/etc/mysql/ssl-internal/ca.crt --ssl-mode=VERIFY_IDENTITY --protocol=tcp -uroot -proot_password --host=cluster1-pxc -e status|grep SSL
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

bash-4.4$ mysql --ssl-ca=/etc/mysql/ssl-internal/ca.crt --ssl-mode=VERIFY_IDENTITY --protocol=tcp -uroot -proot_password --host=cluster1-haproxy -e status|grep SSL
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

bash-4.4$ mysql --ssl-ca=/etc/mysql/ssl-internal/ca.crt --ssl-mode=VERIFY_IDENTITY --protocol=tcp -uroot -proot_password --host=cluster1-haproxy-replicas -e status|grep SSL
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

bash-4.4$ mysql --ssl-ca=/etc/mysql/ssl/ca.crt --ssl-mode=VERIFY_IDENTITY --protocol=tcp -uroot -proot_password --host=cluster1-pxc-0.cluster1-pxc
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

bash-4.4$ mysql --ssl-ca=/etc/mysql/ssl/ca.crt --ssl-mode=VERIFY_IDENTITY --protocol=tcp -uroot -proot_password --host=cluster1-pxc
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

bash-4.4$ mysql --ssl-ca=/etc/mysql/ssl/ca.crt --ssl-mode=VERIFY_IDENTITY --protocol=tcp -uroot -proot_password --host=cluster1-haproxy -e status|grep SSL
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

bash-4.4$ mysql --ssl-ca=/etc/mysql/ssl/ca.crt --ssl-mode=VERIFY_IDENTITY --protocol=tcp -uroot -proot_password --host=cluster1-replicas
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2005 (HY000): Unknown MySQL server host 'cluster1-replicas' (2)

bash-4.4$ mysql --ssl-ca=/etc/mysql/ssl/ca.crt --ssl-mode=VERIFY_IDENTITY --protocol=tcp -uroot -proot_password --host=cluster1-haproxy-replicas
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

bash-4.4$ mysql --ssl-ca=/etc/mysql/ssl/ca.crt --ssl-mode=VERIFY_CA --protocol=tcp -uroot -proot_password --host=cluster1-haproxy-replicas -e status|grep SSL
mysql: [Warning] Using a password on the command line interface can be insecure.
SSL: Cipher in use is TLS_AES_256_GCM_SHA384

bash-4.4$ mysql --ssl-ca=/etc/mysql/ssl-internal/ca.crt --ssl-mode=VERIFY_CA --protocol=tcp -uroot -proot_password --host=cluster1-haproxy-replicas -e status|grep SSL
mysql: [Warning] Using a password on the command line interface can be insecure.
SSL: Cipher in use is TLS_AES_256_GCM_SHA384

Expected behavior:
Allow use of VERIFY_IDENTITY with all possible domain names for the HAProxy service, e.g. cluster1-haproxy-replicas.default.svc.cluster.local, cluster1-haproxy-replicas.default, cluster1-haproxy-replicas
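The hostname half of VERIFY_IDENTITY is a plain comparison of the name the client connected to against the certificate's DNS SAN entries, so the practical question is whether every name a Kubernetes client might type for a Service is covered. The script below is an added example written for this issue (it is not code from the Percona operator, cert-manager or MySQL): it enumerates the Service names a client can use, matches them against a SAN list with RFC 6125 wildcard rules, and reports which names would still fail. The SAN lists are copied from the certificate dumps in the April 14 comment; the namespace pxc-test, the cluster domain cluster.local, the client host names and the allow_wildcard=False mode (which models a client that ignores wildcard SANs, as the May 25 comment describes for the mysql client) are assumptions for illustration.

```python
"""Check which client host names a server certificate's DNS SANs cover.

Added example for the VERIFY_IDENTITY issue; not project code. SAN lists
below are taken from this page's certificate dumps, everything else is a
constructed assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


def service_dns_names(service: str, namespace: str,
                      cluster_domain: str = "cluster.local") -> list[str]:
    """Every DNS name an in-cluster client may use for a Service.

    The short name resolves from the same namespace, name.namespace and
    name.namespace.svc from any namespace via the pod search list, and the
    fully qualified form everywhere. VERIFY_IDENTITY compares the name the
    client typed, not a canonical one, so a cert should carry all four.
    """
    return [
        service,
        f"{service}.{namespace}",
        f"{service}.{namespace}.svc",
        f"{service}.{namespace}.svc.{cluster_domain}",
    ]


def san_matches(hostname: str, san: str, allow_wildcard: bool = True) -> bool:
    """RFC 6125-style DNS-ID comparison, case-insensitive.

    Only a complete left-most "*" label is treated as a wildcard and it
    matches exactly one label: "*.pxc-db-pxc" covers "pxc-db-pxc-0.pxc-db-pxc"
    but neither "pxc-db-pxc" nor "a.b.pxc-db-pxc". allow_wildcard=False models
    a client that ignores wildcard entries (assumption used to mirror the
    behaviour reported in the comments, not a documented MySQL rule).
    """
    host = hostname.rstrip(".").lower()
    pattern = san.rstrip(".").lower()
    if not pattern.startswith("*."):
        return host == pattern
    if not allow_wildcard:
        return False
    host_labels = host.split(".")
    pattern_labels = pattern.split(".")
    if len(host_labels) != len(pattern_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == pattern_labels[1:]


@dataclass(frozen=True)
class Verdict:
    hostname: str
    matched_by: str | None  # the SAN entry that matched, or None on failure

    @property
    def ok(self) -> bool:
        return self.matched_by is not None


def verify_identity(hostnames: list[str], sans: list[str],
                    allow_wildcard: bool = True) -> list[Verdict]:
    """Simulate the hostname check of --ssl-mode=VERIFY_IDENTITY per name."""
    out = []
    for h in hostnames:
        hit = next((s for s in sans if san_matches(h, s, allow_wildcard)), None)
        out.append(Verdict(h, hit))
    return out


def missing_sans(hostnames: list[str], sans: list[str],
                 allow_wildcard: bool = True) -> list[str]:
    """Host names that fail: exactly the DNS SAN entries still to be added."""
    return [v.hostname for v in verify_identity(hostnames, sans, allow_wildcard)
            if not v.ok]


# SAN lists copied from the certificate dumps on this page (cluster pxc-db).
OPERATOR_INTERNAL_SANS = ["*.pxc-db-pxc", "pxc-db-pxc"]
CERT_MANAGER_INTERNAL_SANS = [
    "pxc-db-pxc", "*.pxc-db-pxc",
    "pxc-db-haproxy-replicas.pxc-test.svc.cluster.local",
    "pxc-db-haproxy-replicas.pxc-test", "pxc-db-haproxy-replicas",
    "pxc-db-haproxy.pxc-test.svc.cluster.local",
    "pxc-db-haproxy.pxc-test", "pxc-db-haproxy",
]

# Constructed client targets: one pod name plus both HAProxy Services
# (assumed namespace pxc-test, assumed cluster domain cluster.local).
CLIENT_HOSTS = (
    ["pxc-db-pxc-0.pxc-db-pxc"]
    + service_dns_names("pxc-db-haproxy", "pxc-test")
    + service_dns_names("pxc-db-haproxy-replicas", "pxc-test")
)

if __name__ == "__main__":
    for label, sans in (("operator", OPERATOR_INTERNAL_SANS),
                        ("cert-manager", CERT_MANAGER_INTERNAL_SANS)):
        for v in verify_identity(CLIENT_HOSTS, sans):
            print(f"{label:12} {v.hostname:52} "
                  f"{'OK via ' + v.matched_by if v.ok else 'FAIL'}")
    print("strict client, operator cert, still missing:",
          missing_sans(CLIENT_HOSTS, OPERATOR_INTERNAL_SANS, allow_wildcard=False))
```

Running it against the page's own SAN lists shows the operator's internal certificate covers only the pod names, and that even the cert-manager certificate omits the name.namespace.svc form of both HAProxy Services, which a client can legitimately use. To feed a real certificate in, print its SAN list with `openssl x509 -in tls.crt -noout -ext subjectAltName` and paste the DNS entries into a list.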

Environment

None

AFFECTED CS IDs

CS0021940


Activity


Tomislav Plavcic May 25, 2022 at 2:21 PM

It seems to work except for this case "--host=cluster1-pxc-0.cluster1-pxc", where we use the wildcard DNS name "DNS:*.cluster1-pxc" in the certificate, but it seems like some MySQL issue, because when we specify all 3 pods without a wildcard then it works, like so: "DNS:cluster1-pxc-0.cluster1-pxc, DNS:cluster1-pxc-1.cluster1-pxc, DNS:cluster1-pxc-2.cluster1-pxc".


Slava Sarzhan May 3, 2022 at 9:46 AM

It was improved. Please check.

Tomislav Plavcic April 14, 2022 at 10:19 AM

We made the change for certificates issued by cert-manager, but not for the ones created by the operator. The idea is to make it the same everywhere.
Here's how it looks:

# CERT MANAGER (MAIN BRANCH)

# EXTERNAL
Issuer: CN=pxc-db-ca
Validity
    Not After : Jul 13 09:42:40 2022 GMT
Subject: CN=pxc-db-proxysql
X509v3 Subject Alternative Name:
    DNS:pxc-db-pxc, DNS:*.pxc-db-pxc, DNS:*.pxc-db-proxysql

# INTERNAL
Issuer: CN=pxc-db-ca
Validity
    Not After : Jul 13 09:42:40 2022 GMT
Subject: CN=pxc-db-pxc
X509v3 Subject Alternative Name:
    DNS:pxc-db-pxc, DNS:*.pxc-db-pxc, DNS:pxc-db-haproxy-replicas.pxc-test.svc.cluster.local, DNS:pxc-db-haproxy-replicas.pxc-test, DNS:pxc-db-haproxy-replicas, DNS:pxc-db-haproxy.pxc-test.svc.cluster.local, DNS:pxc-db-haproxy.pxc-test, DNS:pxc-db-haproxy

# OPERATOR

# EXTERNAL
Issuer: O=Root CA
Validity
    Not After : Dec 31 23:59:59 9999 GMT
Subject: O=PXC
X509v3 Subject Alternative Name:
    DNS:pxc-db-pxc, DNS:pxc-db-proxysql, DNS:*.pxc-db-pxc, DNS:*.pxc-db-proxysql

# INTERNAL
Issuer: O=Root CA
Validity
    Not After : Dec 31 23:59:59 9999 GMT
Subject: O=PXC
X509v3 Subject Alternative Name:
    DNS:*.pxc-db-pxc, DNS:pxc-db-pxc
Done

Details


Created October 29, 2021 at 1:24 AM
Updated March 5, 2024 at 5:43 PM
Resolved December 7, 2021 at 2:50 PM
