Miha Verlic
2019-Aug-29 13:51 UTC
[Gluster-users] Several issues when using Gluster with SSL and CRL
Hello,

I've set up a Glusterfs 6.3 cluster with 2 nodes + arbiter (and some additional clients), SSL and CRL:

server.ssl: on
client.ssl: on
ssl.crl-path: /etc/ssl/crl

After a month (when the CRL Next Update date came) the cluster collapsed with "error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired" error. I had to restart all processes on all nodes.

fetch-crl is installed on all nodes and properly syncs CRLs, but it seems gluster caches CRLs indefinitely and never re-reads them. When the initial CRL reaches its "Next Update" date Gluster starts to reject all connections, even though the CRL was updated during this time. Even -HUPing all gluster processes does not help.

This can easily be reproduced by setting the CRL option default_crl_days to two days and refreshing the CRL every day. The cluster will crash when the initial CRL expires, even if it is updated in between.

Another problem happened when one of the clients did not have an up-to-date CRL. When the client was trying to connect, the cluster was apparently constantly busy with the client and did not come online. After the client was killed, the cluster came online instantly. Even debug logs were not especially helpful, as the client's IP is not logged with the error messages.

Cheers
-- Miha
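A monitoring check for the situation described in the post, added here as an example and not part of Miha's message or of Gluster: it runs `openssl crl -noout -nextupdate` over every file in the ssl.crl-path directory and flags CRLs whose Next Update is past or within a warning window, so a restart of the daemons can be scheduled before the CRL they loaded at startup expires. The /etc/ssl/crl path comes from the post; the 3-day window, PEM-encoded CRL files and the `now_utc` test hook are assumptions.

```python
import subprocess
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, Optional

# openssl prints the field as e.g. "nextUpdate=Aug 29 13:51:00 2019 GMT"
OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y %Z"
NOW_FMT = "%Y-%m-%d %H:%M:%S"  # format of the optional fixed "now" (assumed, for testing)


def parse_next_update(openssl_output: str) -> datetime:
    """Return the Next Update timestamp (UTC) from `openssl crl -noout -nextupdate` output."""
    for line in openssl_output.splitlines():
        if line.startswith("nextUpdate="):
            value = line.split("=", 1)[1].strip()
            return datetime.strptime(value, OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)
    raise ValueError("no nextUpdate field in openssl output")


def crl_status(openssl_output: str, now_utc: Optional[str] = None, warn_days: int = 3) -> str:
    """Classify a CRL as 'expired', 'warning' (inside the warn window) or 'ok'.

    now_utc is a fixed UTC time as "YYYY-MM-DD HH:MM:SS" (used by tests); None means now.
    """
    if now_utc is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(now_utc, NOW_FMT).replace(tzinfo=timezone.utc)
    remaining = parse_next_update(openssl_output) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "warning"
    return "ok"


def check_crl_dir(crl_path: str = "/etc/ssl/crl", warn_days: int = 3) -> Dict[str, str]:
    """Run openssl over every PEM CRL in the directory and return {filename: status}.

    'warning' or 'expired' is the cue to schedule a restart of the Gluster processes,
    since the report above says they keep using the CRL loaded at startup.
    """
    results: Dict[str, str] = {}
    for crl_file in sorted(p for p in Path(crl_path).iterdir() if p.is_file()):
        proc = subprocess.run(
            ["openssl", "crl", "-in", str(crl_file), "-noout", "-nextupdate"],
            capture_output=True, text=True,
        )
        results[crl_file.name] = (
            crl_status(proc.stdout, warn_days=warn_days) if proc.returncode == 0 else "unreadable"
        )
    return results


if __name__ == "__main__":
    for name, status in check_crl_dir().items():
        print(f"{status:10} {name}")
```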