
Increase Galera self-signed SSL CA expiration

Currently we generate the CA certificate with default expiration time (30
days), while both CSR and signed certificates are set to expire in 3650 days.
If a Galera service is restarted after 30 days, replication breaks due to
expired CA certificate.

Increasing the CA certificate expiration to 3650 days resolves the issue and
makes expiration consistent between the certificates.

Change-Id: Ibf5ca5c0504b681b8c6d8c3aae44b2039bd47ece
Niko Smeds 4 months ago
parent
commit
30bdc809bb
1 changed files with 1 additions and 0 deletions
tasks/galera_ssl_self_signed.yml

@@ -30,6 +30,7 @@
30 30
   command: >
31 31
     openssl req -new -nodes -x509 -subj
32 32
     "{{ galera_ssl_ca_self_signed_subject }}"
33
+    -days 3650
33 34
     -keyout {{ galera_ssl_key | dirname }}/galera-ca.key
34 35
     -out {{ galera_ssl_ca_cert }}
35 36
     creates={{ galera_ssl_ca_cert }}
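
Review bot: the `creates={{ galera_ssl_ca_cert }}` guard on the last line of this task means any host that already has a CA certificate generated with the 30-day default will skip the command, so the added `-days 3650` only takes effect on fresh deployments. Existing clusters stay on the short-lived CA until the file is removed and the node certificates are re-signed. Consider documenting that in a release note, or adding a preceding check (for example `openssl x509 -checkend`) that forces regeneration when the existing CA is expired or close to expiry. The literal 3650 also duplicates the lifetime the commit message gives for the CSR and signed certificates; a shared variable would keep the values from drifting apart again.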
