30bdc809bb
Currently we generate the CA certificate with default expiration time (30 days), while both CSR and signed certificates are set to expire in 3650 days. If a Galera service is restarted after 30 days, replication breaks due to expired CA certificate. Increasing the CA certificate expiration to 3650 days resolves the issue and makes expiration consistent between the certificates. Change-Id: Ibf5ca5c0504b681b8c6d8c3aae44b2039bd47ece
139 lines
4.2 KiB
YAML
139 lines
4.2 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc., Mirantis Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Remove self signed cert for regen
|
|
file:
|
|
dest: "{{ item }}"
|
|
state: "absent"
|
|
with_items:
|
|
- "{{ galera_ssl_ca_cert }}"
|
|
- "{{ galera_ssl_cert }}"
|
|
- "{{ galera_ssl_key }}"
|
|
- "{{ galera_ssl_ca_cert | dirname }}/galera-csr.pem"
|
|
when:
|
|
- galera_ssl_self_signed_regen | bool
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Create Galera CA cert
|
|
command: >
|
|
openssl req -new -nodes -x509 -subj
|
|
"{{ galera_ssl_ca_self_signed_subject }}"
|
|
-days 3650
|
|
-keyout {{ galera_ssl_key | dirname }}/galera-ca.key
|
|
-out {{ galera_ssl_ca_cert }}
|
|
creates={{ galera_ssl_ca_cert }}
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
notify: Restart all mysql
|
|
|
|
- name: Get CA cert contents and store as var
|
|
slurp:
|
|
src: "{{ galera_ssl_ca_cert }}"
|
|
register: galera_ca
|
|
changed_when: false
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Register a fact for the CA cert
|
|
set_fact:
|
|
galera_server_ca_cert: "{{ galera_ca.content }}"
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Create Galera SSL CSR
|
|
command: >
|
|
openssl req -new -nodes -sha256 -subj
|
|
"{{ galera_ssl_self_signed_subject }}"
|
|
-days 3650
|
|
-keyout {{ galera_ssl_key }}
|
|
-out {{ galera_ssl_ca_cert | dirname }}/galera-csr.pem
|
|
-extensions v3_ca
|
|
creates={{ galera_ssl_ca_cert | dirname }}/galera-csr.pem
|
|
register: create_galera_ssl_request
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
notify: Restart all mysql
|
|
|
|
- name: Convert generated SSL key to valid format for Galera
|
|
command: >
|
|
openssl rsa
|
|
-in {{ galera_ssl_key }}
|
|
-out {{ galera_ssl_key }}
|
|
when:
|
|
- create_galera_ssl_request is changed
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
notify: Restart all mysql
|
|
|
|
- name: Get CSR private key contents and store as var
|
|
slurp:
|
|
src: "{{ galera_ssl_key }}"
|
|
register: galera_private_key
|
|
changed_when: false
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Register a fact for the CSR private key
|
|
set_fact:
|
|
galera_server_private_key: "{{ galera_private_key.content }}"
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Create Galera SSL signed cert
|
|
command: >
|
|
openssl x509 -req
|
|
-days 3650
|
|
-in {{ galera_ssl_ca_cert | dirname }}/galera-csr.pem
|
|
-CA {{ galera_ssl_ca_cert }}
|
|
-CAkey {{ galera_ssl_key | dirname }}/galera-ca.key
|
|
-out {{ galera_ssl_cert }}
|
|
-set_serial 01
|
|
creates={{ galera_ssl_cert }}
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
notify: Restart all mysql
|
|
|
|
- name: Get signed cert contents and store as var
|
|
slurp:
|
|
src: "{{ galera_ssl_cert }}"
|
|
register: galera_cert
|
|
changed_when: false
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Register a fact for the signed cert contents
|
|
set_fact:
|
|
galera_server_cert: "{{ galera_cert.content }}"
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Copy CA cert, private key, and signed cert (SELF)
|
|
copy:
|
|
content: "{{ hostvars[galera_server_bootstrap_node][item.key] | b64decode }}"
|
|
dest: "{{ item.dest }}"
|
|
owner: "mysql"
|
|
group: "mysql"
|
|
mode: "{{ item.mode | default('0640') }}"
|
|
with_items:
|
|
- key: "galera_server_ca_cert"
|
|
dest: "{{ galera_ssl_ca_cert }}"
|
|
- key: "galera_server_private_key"
|
|
dest: "{{ galera_ssl_key }}"
|
|
- key: "galera_server_cert"
|
|
dest: "{{ galera_ssl_cert }}"
|
|
mode: "0600"
|
|
when:
|
|
- inventory_hostname != galera_server_bootstrap_node
|
|
notify: Restart all mysql
|