validate-config reports "ssl-ca, ssl-cert, and ssl-key must all be defined to use encrypted mode traffic"

General

Escalation

General

Escalation

Description

MySQL configuration validation is not possible with WSREP plugin enabled:

# cat /etc/my.cnf
!include /etc/mysql/node.cnf
!includedir /etc/my.cnf.d/
!includedir /etc/percona-xtradb-cluster.conf.d/
cat /etc/mysql/node.cnf
[mysqld]
pxc-encrypt-cluster-traffic=ON
ssl-ca=/etc/mysql/ssl-internal/ca.crt
ssl-key=/etc/mysql/ssl-internal/tls.key
ssl-cert=/etc/mysql/ssl-internal/tls.crt
wsrep_provider_options="pc.weight=10"

$ mysqld --ssl-ca=/etc/mysql/ssl-internal/ca.crt --ssl-key=/etc/mysql/ssl-internal/tls.key --ssl-cert=/etc/mysql/ssl-internal/tls.crt --validate-config --log_error_verbosity=2
2021-02-11T03:57:50.567973Z 0 [ERROR] [MY-000000] [WSREP] ssl-ca, ssl-cert, and ssl-key must all be defined to use encrypted mode traffic. Unable to configure SSL. Must shutdown.
2021-02-11T03:57:50.568051Z 0 [ERROR] [MY-010119] [Server] Aborting
$ mysqld --validate-config --log_error_verbosity=2
same output

Environment

None

AFFECTED CS IDs

CS0015650

Linked work items

blocks

K8SPXC-644

Improve my.cnf (spec.pxc.configuration) options validation, allow to fix problems

is duplicated by

PXC-3911

Option --validate-config should prevent from starting a node and initialization of SST

Activity

Kamil Holubicki
January 24, 2023 at 12:30 PM

8.0.30:

/bin/mysqld --ssl-ca=/home/kamil/repo/pxc/8.0/install/pxc-node/dn1/ca.crt --ssl-key=/home/kamil/repo/pxc/8.0/install/pxc-node/dn1/server-key.pem --ssl-cert=/home/kamil/repo/pxc/8.0/install/pxc-node/dn1/server-cert.pemm --unknown_variable=8 --validate-config --log_error_verbosity=2
2023-01-24T12:28:56.138128Z 0 [Warning] [MY-010097] [Server] Insecure configuration for --secure-log-path: Current value does not restrict location of generated files. Consider setting it to a valid, non-empty path.
2023-01-24T12:28:56.142398Z 0 [ERROR] [MY-000067] [Server] unknown variable 'unknown_variable=8'.
2023-01-24T12:28:56.142412Z 0 [ERROR] [MY-010119] [Server] Aborting

./bin/mysqld --ssl-ca=/home/kamil/repo/pxc/8.0/install/pxc-node/dn1/ca.crt --ssl-key=/home/kamil/repo/pxc/8.0/install/pxc-node/dn1/server-key.pem --ssl-cert=/home/kamil/repo/pxc/8.0/install/pxc-node/dn1/server-cert.pemm --validate-config --log_error_verbosity=2
2023-01-24T12:29:07.626297Z 0 [Warning] [MY-010097] [Server] Insecure configuration for --secure-log-path: Current value does not restrict location of generated files. Consider setting it to a valid, non-empty path.

Robert Rettig
February 7, 2022 at 4:39 PM

any work arround here?

Resize issue view side panel

Done

Details

Assignee

Unassigned

Reporter

Nickolay Ihalainen(Deactivated)

Affects versions

8.0.21-12.1

Priority

Medium

Created February 11, 2021 at 4:01 AM

Updated March 6, 2024 at 9:15 PM

Resolved January 24, 2023 at 12:30 PM