primary_ssl_verify_server_cert: false does not disable MASTER_SSL_VERIFY_SERVER_CERT #689

Open
ldangeard-orange opened this issue Nov 13, 2024 · 5 comments · May be fixed by #707
Labels
help wanted Extra attention is needed

Comments

@ldangeard-orange

SUMMARY

By default with MariaDB 11.4, MASTER_SSL_VERIFY_SERVER_CERT is enabled.

When I used the variable primary_ssl_verify_server_cert with community.mysql.mysql_replication to disable server cert verification

  community.mysql.mysql_replication:
    mode: changeprimary
    ...
    primary_ssl_verify_server_cert: false
    ...
  ignore_errors: true

MASTER_SSL_VERIFY_SERVER_CERT is always enabled.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

community.mysql.mysql_replication

ANSIBLE VERSION

2.15

COLLECTION VERSION

community-mysql-3.10.3.tar.gz

CONFIGURATION
OS / ENVIRONMENT

redhat 8

STEPS TO REPRODUCE
  community.mysql.mysql_replication:
    mode: changeprimary
    master_host: "{{ ReplicationMasterIpOnSlave }}"
    master_port: "{{ ReplicationMasterPortOnSlave }}"
    master_user: "{{ ReplicationUser.name }}"
    master_password: "{{ ReplicationUser.password }}"
    master_ssl: 1
    master_ssl_ca: "{{ TlsCAFilePath }}"
    master_ssl_cert: "{{ TlsPEMCertFilePath }}"
    master_ssl_key: "{{ TlsPEMKeyFilePath }}"
    master_ssl_cipher: "{{ TlsCipher }}"
    primary_ssl_verify_server_cert: false
    login_unix_socket: "{{ Server }}/{{ dbServer }}.sock"
  ignore_errors: true

Trace:

changed: [opgalbd02] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "ca_cert": null,
            "channel": null,
            "check_hostname": null,
            "client_cert": null,
            "client_key": null,
            "config_file": "/opt/mysql/.my.cnf",
            "connect_timeout": 30,
            "connection_name": null,
            "fail_on_error": false,
            "login_host": "localhost",
            "login_password": null,
            "login_port": 3306,
            "login_unix_socket": "/data/myserver01.sock",
            "login_user": null,
            "master_host": "192.168.2.221",
            "master_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "master_port": "3306",
            "master_ssl": 1,
            "master_ssl_ca": "/etc/tls/certs/ca-cert.pem",
            "master_ssl_cert": "/etc/tls/certs/server-cert.pem",
            "master_ssl_cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!aECDH:!RC4",
            "master_ssl_key": "/etc/tls/private/server-private.key",
            "master_user": "replication",
            "mode": "changeprimary",
            "primary_auto_position": false,
            "primary_connect_retry": null,
            "primary_delay": null,
            "primary_host": "192.168.2.221",
            "primary_log_file": null,
            "primary_log_pos": null,
            "primary_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "primary_port": 3306,
            "primary_ssl": true,
            "primary_ssl_ca": "/etc/tls/certs/ca-cert.pem",
            "primary_ssl_capath": null,
            "primary_ssl_cert": "/etc/tls/certs/server-cert.pem",
            "primary_ssl_cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!aECDH:!RC4",
            "primary_ssl_key": "/etc/tls/private/server-private.key",
            "primary_ssl_verify_server_cert": false,
            "primary_use_gtid": null,
            "primary_user": "replication",
            "relay_log_file": null,
            "relay_log_pos": null
        }
    },
    "queries": [
        "CHANGE MASTER TO MASTER_HOST='192.168.2.221',MASTER_USER='replication',MASTER_PASSWORD='********',MASTER_PORT=3306,MASTER_SSL=1,MASTER_SSL_CA='/etc/tls/certs/ca-cert.pem',MASTER_SSL_CERT='/etc/tls/certs/server-cert.pem',MASTER_SSL_KEY='/etc/tls/private/server-private.key',MASTER_SSL_CIPHER='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!aECDH:!RC4'"
    ]
}
EXPECTED RESULTS

MASTER_SSL_VERIFY_SERVER_CERT=0

ACTUAL RESULTS

MASTER_SSL_VERIFY_SERVER_CERT=1

@ldangeard-orange
Author

Can you rule on this bug?

@Andersson007
Collaborator

@ldangeard-orange hello, thanks for reporting the issue and sorry for not responding earlier!
We have a limited number of hands here.
I'll add the help wanted label and a link to the quick-start dev guide if anyone wants to dig deeper.

@Andersson007 Andersson007 added the help wanted Extra attention is needed label Jan 21, 2025
@ldangeard-orange
Author

Can someone look at my bug? Thanks

@laurent-indermuehle
Collaborator

Hi @ldangeard-orange,
Bug confirmed:
The code from https://github.com/ansible-collections/community.mysql/blob/main/plugins/modules/mysql_replication.py#L645 is:

        if primary_ssl_verify_server_cert:
            chm.append("%s=1" % command_resolver.resolve_command('MASTER_SSL_VERIFY_SERVER_CERT'))

but it should have been:

        if primary_ssl_verify_server_cert is not None:
            if primary_ssl_verify_server_cert:
                chm.append("%s=1" % command_resolver.resolve_command('MASTER_SSL_VERIFY_SERVER_CERT'))
            else:
                chm.append("%s=0" % command_resolver.resolve_command('MASTER_SSL_VERIFY_SERVER_CERT'))

I don't have time to fix this with proper tests. I'll try to free some in the next days.
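A stand-alone illustration of the two checks quoted above and of the report's expected vs actual results. This is added here and is not the collection's own code: `resolve_command`, `build_chm_buggy` and `build_chm_fixed` are hypothetical stand-ins for the module's `command_resolver` and its CHANGE MASTER TO clause builder.

```python
# Added example, not code from community.mysql. It models the clause builder
# in mysql_replication.py to show why an explicit
# `primary_ssl_verify_server_cert: false` emitted no clause (so the server
# default, which is verification ON in MariaDB 11.4, stayed in force) and how
# tri-state handling (None / True / False) fixes it.

def resolve_command(keyword, use_replica_terms=False):
    """Hypothetical stand-in for command_resolver.resolve_command:
    optionally map legacy MASTER_* keywords to the SOURCE_* spelling."""
    return keyword.replace("MASTER_", "SOURCE_") if use_replica_terms else keyword


def build_chm_buggy(primary_ssl, primary_ssl_verify_server_cert):
    """Behaviour reported in the issue: False and None are indistinguishable."""
    chm = []
    if primary_ssl:
        chm.append("%s=1" % resolve_command("MASTER_SSL"))
    if primary_ssl_verify_server_cert:  # bug: an explicit False falls through
        chm.append("%s=1" % resolve_command("MASTER_SSL_VERIFY_SERVER_CERT"))
    return chm


def build_chm_fixed(primary_ssl, primary_ssl_verify_server_cert):
    """Proposed fix: only an unset value (None) leaves the server default alone."""
    chm = []
    if primary_ssl:
        chm.append("%s=1" % resolve_command("MASTER_SSL"))
    if primary_ssl_verify_server_cert is not None:
        value = 1 if primary_ssl_verify_server_cert else 0
        chm.append("%s=%d" % (resolve_command("MASTER_SSL_VERIFY_SERVER_CERT"), value))
    return chm


def change_master_statement(chm):
    """Join the clause list the way the module's 'queries' output shows it."""
    return "CHANGE MASTER TO " + ",".join(chm)


if __name__ == "__main__":
    # Constructed call matching the report: SSL on, verification explicitly off.
    print(change_master_statement(build_chm_buggy(True, False)))
    # -> CHANGE MASTER TO MASTER_SSL=1   (verification silently left at default)
    print(change_master_statement(build_chm_fixed(True, False)))
    # -> CHANGE MASTER TO MASTER_SSL=1,MASTER_SSL_VERIFY_SERVER_CERT=0
```

With the fixed builder, `true`, `false` and unset each produce a distinct statement, so the operator's explicit choice always reaches the server.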

@ldangeard-orange
Author

Hi @laurent-indermuehle
Thanks
