Fail to verify SSL identity when recursing into a host with a different SSL cert
Here when gh-ost is recursively finding masters: https://github.com/github/gh-ost/blob/b7db8c6ca76712ae28bd97ca0f1c29fd152228cd/go/mysql/utils.go#L131
It copies the entire connectionConfig, including the private tlsConfig field:
https://github.com/github/gh-ost/blob/b7db8c6ca76712ae28bd97ca0f1c29fd152228cd/go/mysql/connection.go#L49
without updating its hostname: https://github.com/github/gh-ost/blob/b7db8c6ca76712ae28bd97ca0f1c29fd152228cd/go/mysql/connection.go#L98
Hence, it tries to connect to a new host likely with a different hostname and certificate, but still asks x509 to verify against the old hostname, which always fails:
x509: certificate is valid for [old hostname], not [newly found hostname]
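The failure mode described above, as an added example that is not part of the original issue or of gh-ost's code: a config is duplicated for a newly found host, and the same hostname check crypto/tls performs is run with and without re-pointing `ServerName`. `ConnConfig`, `duplicate`, `certFor`, `verify` and the `*.db.example` hostnames are hypothetical names and constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ConnConfig is a hypothetical stand-in for a connection config with a private TLS field.
type ConnConfig struct {
	Host      string
	tlsConfig *tls.Config
}

// replica is a constructed sample: the host the tool was first pointed at.
var replica = &ConnConfig{Host: "replica.db.example", tlsConfig: &tls.Config{ServerName: "replica.db.example"}}

// duplicate copies c for a newly found host; rebind=false keeps the old ServerName (the reported bug).
func (c *ConnConfig) duplicate(host string, rebind bool) *ConnConfig {
	t := c.tlsConfig.Clone() // keeps RootCAs and other settings, including the old ServerName
	if rebind {
		t.ServerName = host // verify the certificate against the host actually being dialed
	}
	return &ConnConfig{Host: host, tlsConfig: t}
}

// certFor builds a throwaway self-signed certificate (constructed sample) valid only for host.
func certFor(host string) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// verify runs the hostname check a TLS client applies to the server's leaf certificate.
func verify(c *ConnConfig, serverCert *x509.Certificate) error {
	return serverCert.VerifyHostname(c.tlsConfig.ServerName)
}

func main() {
	masterCert := certFor("master.db.example")
	fmt.Println("stale ServerName:", verify(replica.duplicate("master.db.example", false), masterCert))
	fmt.Println("rebound ServerName:", verify(replica.duplicate("master.db.example", true), masterCert))
}
```

Cloning before setting `ServerName` leaves the original config untouched, so the first connection keeps verifying against its own hostname.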
We have hit this issue as well.
I spent some time and created a PR that resolves the issues described in this issue, and confirmed it is working:
https://github.com/github/gh-ost/pull/1487
The above PR has been merged. Just waiting on a release.