Unable to start the master node after updating the ssl_cert and ssl_key in memsql.cnf


#1

Hi
I’m following the given memsql documentation https://docs.memsql.com/security/v6.7/ssl/ to enable ssl connection between my service and memsql node, but whenever I update the master’s memsql.cnf file with ssl_cert and ssl_key parameters my master stops running.
The version for memsql-ops is 6.5.11
I’m updating the ssl_cert and ssl_key with a self-signed certificate.

After updating the file memsql.cnf through memsql-update-config command or manually and then trying to restart the memsql-ops I’m getting error:
[root@memsql ~]#memsql-ops memsql-restart --all
Stopping cluster
Successfully stopped cluster
Starting cluster
MemSQL node 085839FF7CF908258AA0390AB0B0EDACAE1014BC is recovering its data
MemSQL node 716B27B5B4B80A1404A6913C543B21D75F0463AC is recovering its data
MemSQL node 8E0084C6CD9F38B843FABB8A6E8D2F2916252E16 is recovering its data
MemSQL node BAC1B2361ED04BE4E078D8C73CA4D60758851A43 is recovering its data
MemSQL node 5C7C8B49ADA8305FC69EC012C927A34DA89178FE is recovering its data
MemSQL node D01FB4FD73A9CB4AEA3AE5DEAD03F5FF5439A37F failed to start: Failed to start MemSQL
Failed to start MemSQL

[root@localhost ~]# memsql report
ERROR 2003 (HY000): Can’t connect to MySQL server on ‘127.0.0.1’ (111)

However, when my leaf nodes are offline and I then try to update, it gets updated, the master runs fine after restart, and I am able to log in to memsql.

Does the feature support updating the ssl-cert in cluster nodes of memsql? If yes, then how to accomplish that, or is it version specific? What is the correct way to enable ssl in memsql so that it listens only for TLS-based connections?


#2

That’s the correct command. Please check the logs for the node that failed to start (look in tracelogs/memsql.log) for the error message that indicates why it failed to start.


#3

Hi
I was able to install the certificate in memsql-master after looking at the logs and fixing it, but when I try to apply the same fix to the aggregator and update the ssl_cert and ssl_key, it gives the same error and the node is unable to start.

The master and aggregator have 2 different IPs. Can we use the same certificate for both master and aggregator, or is there a different procedure for that?


#4

What is the error?

Yes, you can use the same certificate.


#5

The Warning message seen is:
WARN: SSL load certificate file failed with Permission denied (13)
WARN: SSL load certificate file failed with SSL_CTX_use_certificate_file:system lib (0)
ERROR: Failed to start MemSQL

These are the trace logs that can be seen after restarting the memsql cluster when the ssl-cert and ssl-key are updated in memsql.cnf.


#6

That indicates a filesystem permissions issue. Make sure the path and permissions are correct.
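
An added example, not part of the original thread and not MemSQL tooling: "Permission denied (13)" on the certificate file can come from the file itself or from any directory above it, so this script walks every path component and reports where a given account lacks search or read permission. The account name and file paths are supplied by the caller; which user the MemSQL process runs as on each host is an assumption you must check yourself.

```python
import os
import stat
import sys

def access_blockers(path, uid, gids):
    """Return [(component, missing_permission)] that stop uid/gids reading path.

    Mode-bit check only: POSIX ACLs, SELinux and mount options are not evaluated.
    """
    if uid == 0:                       # root bypasses mode-bit checks for reads
        return []
    cur = os.path.realpath(path)       # resolve symlinks so the real chain is checked
    parts = []
    while True:                        # collect the file and every ancestor up to "/"
        parts.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    blockers = []
    for comp in reversed(parts):       # report from "/" down to the file
        st = os.stat(comp)
        if uid == st.st_uid:           # exactly one permission class applies
            bits = (st.st_mode >> 6) & 7
        elif st.st_gid in gids:
            bits = (st.st_mode >> 3) & 7
        else:
            bits = st.st_mode & 7
        if stat.S_ISDIR(st.st_mode):
            need, mask = "search (x)", 1
        else:
            need, mask = "read (r)", 4
        if not bits & mask:
            blockers.append((comp, need))
    return blockers

if __name__ == "__main__":
    # Usage (as root): python3 check_cert_access.py <service-user> <cert> <key>
    import pwd
    user, files = sys.argv[1], sys.argv[2:]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for f in files:
        for comp, need in access_blockers(f, pw.pw_uid, gids):
            print(f"{f}: {user} lacks {need} on {comp}")
```

Run it on each node with the same arguments and compare the output; an empty result on a host that still fails points at something outside plain mode bits.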


#7

Is there any permission difference between aggregator and master node in a cluster? I’m trying to add an authorised 3rd party certificate to both the nodes but it is failing only for the aggregator node and not for the master node. The path and permissions are the same for both of them.

How does an aggregator differ from master in that respect? As I mentioned, these are different machines for both master and aggregator node. Will it make a difference?