[Gluster-users] Several issues when using Gluster with SSL and CRL

Miha Verlic ml at krneki.org
Thu Aug 29 13:51:14 UTC 2019


I've set up a Glusterfs 6.3 cluster with 2 nodes + arbiter (and some
additional clients), SSL and CRL:

server.ssl: on
client.ssl: on
ssl.crl-path: /etc/ssl/crl

After a month (when CRL Next Update date came) cluster collapsed with
"error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate
expired" error. I had to restart all processes on all nodes.

fetch-crl is installed on all nodes and properly syncs CRLs, but it
seems gluster caches CRLs indefinitely and never re-reads them. When the
initial CRL reaches its "Next Update" date Gluster starts to reject all
connections, even though the CRL was updated during this time. Even -HUPing
all gluster processes does not help.

This can easily be reproduced by setting the CRL option default_crl_days to
two days and refreshing the CRL every day. The cluster will crash when the
initial CRL expires, even if it was updated in between.

Another problem happened when one of the clients did not have an
up-to-date CRL. When the client was trying to connect, the cluster was
apparently constantly busy with the client and did not come online. After
the client was killed, the cluster came online instantly. Even debug logs were
not especially helpful, as the client's IP is not logged with error messages.
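
The failure described above turns on the "Next Update" field of the CRL that the running processes loaded. The following is an added example, not code from the original post or from the Gluster project: a dependency-free Python check that reads every CRL in the directory given as ssl.crl-path (the post's /etc/ssl/crl), extracts thisUpdate/nextUpdate straight from the DER, and reports whether each file is ok, about to pass Next Update, or already past it. Run it from cron so a restart or an alert can happen before the loaded CRL expires. The 48-hour warning window, the assumption that fetch-crl leaves PEM files in that directory, and the sample_crl() fixture (a constructed, unsigned CRL built only to exercise the parser) are all assumptions of this example.

```python
"""Report the Next Update status of the CRLs Gluster loads from ssl.crl-path.

Added example, not from the original post or the Gluster project. Parses the
DER CRL directly (stdlib only) so it runs on any node without extra modules.
"""
import base64
import datetime as dt
import os

UTC = dt.timezone.utc

def _tlv(tag, body):
    """Encode one DER TLV (used only to build the constructed sample CRL)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def _read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])                     # RFC 5280 pivot: 50..99 -> 19xx, 00..49 -> 20xx
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def load_crl(raw):
    """Accept PEM (what fetch-crl writes, assumed) or DER and return the DER bytes."""
    if raw.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l.strip() for l in raw.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return raw

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate is None if absent.

    CertificateList -> TBSCertList, fields in RFC 5280 order:
    [version] signature issuer thisUpdate [nextUpdate] ...
    The signature is not verified here; OpenSSL does that when the file is loaded.
    """
    _, cert_list, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert_list, 0)
    tag, _, pos = _read_tlv(tbs, 0)         # version (INTEGER) or signature (SEQUENCE)
    if tag == 0x02:
        tag, _, pos = _read_tlv(tbs, pos)   # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    tag, val, pos = _read_tlv(tbs, pos)     # thisUpdate
    this_update = _parse_time(tag, val)
    next_update = None
    if pos < len(tbs):
        tag, val, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):             # nextUpdate is OPTIONAL
            next_update = _parse_time(tag, val)
    return this_update, next_update

def crl_status(der, now, warn=dt.timedelta(hours=48)):
    """Classify one CRL relative to `now`: ok / expiring / expired / no-next-update."""
    _, next_update = crl_validity(der)
    if next_update is None:
        return "no-next-update"
    if now >= next_update:
        return "expired"
    if next_update - now <= warn:
        return "expiring"
    return "ok"

def check_crl_dir(path, now=None, warn=dt.timedelta(hours=48)):
    """Return {filename: status} for every file in the ssl.crl-path directory."""
    now = now or dt.datetime.now(UTC)
    result = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), "rb") as f:
            result[name] = crl_status(load_crl(f.read()), now, warn)
    return result

def sample_crl():
    """Constructed, unsigned test CRL: thisUpdate 2019-07-29, nextUpdate 2019-08-28.

    Only the TBSCertList fields the parser reads are meaningful; the signature
    BIT STRING is a placeholder, so this would not verify in OpenSSL.
    """
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    tbs = _tlv(0x30,
               _tlv(0x02, b"\x01")                   # version v2
               + sha256_rsa                          # signature algorithm
               + _tlv(0x30, b"")                     # empty issuer Name
               + _tlv(0x17, b"190729000000Z")        # thisUpdate (UTCTime)
               + _tlv(0x17, b"190828000000Z"))       # nextUpdate (UTCTime)
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/crl"   # ssl.crl-path from the post
    statuses = check_crl_dir(path)
    for name, status in statuses.items():
        print(f"{name}: {status}")
    sys.exit(0 if all(s == "ok" for s in statuses.values()) else 1)
```

The exit status is non-zero as soon as any CRL is "expiring" or "expired", so a cron wrapper can restart the gluster processes (the only remedy the post found to work) or page someone before the loaded CRL's Next Update passes. Note the check only sees the files on disk; it cannot tell what the running daemons have cached, which is why it is meant to fire ahead of the date rather than after the first "certificate expired" alert.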


