Do not verify certificate for local connects

We don't issue certififcate for localhost, and mysqlclient acts as a localhost connection while connecting thorugh socket as well. While issuing cert for localhost may lead to unpredictable results we just avoid verifying certificate when connecting locally. Change-Id: I556ae69c33ab9cc984d7c01868403be49faa0dbc
2021-12-07 14:25:08 +02:00 · 2021-12-07 14:25:08 +02:00 · f3364da086
commit f3364da086
parent 19d60b21f8
3 changed files with 4 additions and 6 deletions
--- a/tasks/galera_server_setup.yml
+++ b/tasks/galera_server_setup.yml
@ -30,6 +30,7 @@
    path: /var/lib/mysql/mysql_upgrade_info
    search_regex: "^{{ galera_major_version }}.{{ galera_minor_version }}"

+# NOTE(noonedeadpunk): We don't need to verify hostname when connectig to socket
 - name: Create galera users
  community.mysql.mysql_user:
    name: "{{ item.name }}"
@ -38,6 +39,7 @@
    priv: "{{ item.priv }}"
    state: "{{ item.state }}"
    login_unix_socket: "{{ galera_unix_socket }}"
+    check_hostname: false
  with_items:
    - name: "{{ galera_root_user }}"
      host: "%"
--- a/templates/client.my.cnf.j2
+++ b/templates/client.my.cnf.j2
@ -10,7 +10,7 @@ user={{ galera_root_user }}
 password={{ galera_root_password }}
 {% if galera_use_ssl %}
 ssl
-{%   if galera_ssl_verify %}
+{%   if galera_ssl_verify and inventory_hostname not in galera_cluster_members %}
 ssl-verify-server-cert
 {%   endif %}
 {% endif %}
--- a/templates/debian.cnf.j2
+++ b/templates/debian.cnf.j2
@ -1,18 +1,14 @@
 # {{ ansible_managed }}

 [client]
-host     = localhost
 user     = root
 password = {{ galera_root_password }}
 socket   = /var/run/mysqld/mysqld.sock
 {% if galera_use_ssl | bool %}
-ssl-ca   = {{ galera_ssl_ca_cert }}
-ssl-cert = {{ galera_ssl_cert }}
-ssl-key  = {{ galera_ssl_key }}
+ssl
 {% endif %}

 [mysql_upgrade]
-host     = localhost
 user     = root
 password = {{ galera_root_password }}
 socket   = /var/run/mysqld/mysqld.sock