Failed to initialize SSL

colin_loghin Registered User

I have a test database that does not start because of an invalid SSLPrivateKey / SSLCertificate.
The following messages are in the log.

2018-07-30 13:30:26.007 Spread Client:7fb43c614700 @v_d2_node0001: VX001/6211: Could not load server private key from SSLPrivateKey config parameter: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
2018-07-30 13:30:26.007 Spread Client:7fb43c614700 @v_d2_node0001: VX001/3380: Failed to initialize SSL
LOCATION: doInstallAndJoin, /scratch_a/release/svrtar21434/vbuild/vertica/Transaction/TransAPI.cpp:3512

Since these parameters are loaded from the catalog, what is the antidote for resetting to non-SSL and starting the database successfully?

There is a mention of KM03014326, found with a Google search, with the Micro Focus logo on it, but there is an invalid link / article attached to it. (https://softwaresupport.softwaregrp.com/kb/KM03014326)

Thanks.

Comments

  • ScottL Employee, Registered User

    Assuming you are running SSL Mutual Mode where the client needs certificate, key, and certificate authority files.

    Turn off SSL in the database (example using vsql) set EnableSSL = 0:

    echo "ALTER DATABASE <database> SET EnableSSL = 0;" | vsql  
    

    and remove EnableSSL=true from your connection strings.

    You need to restart the database after the alter. Hope that helps.

  • colin_loghin Registered User

    Hi Scott, the database is down (it could not be started after the SSL cert was applied), hence the error "Failed to initialize SSL" in the subject line. Therefore, we cannot use vsql on a down database. I am looking into how to disable SSL on a downed database so that we could bring it up. Hope this makes sense, and I hope this would benefit someone else as well. Having a down database is no fun for anyone!

  • Jim_Knicely Employee, Registered User, VerticaExpert
    edited July 31

    @colin_loghin - Which version of Vertica is this? Have you opened a Vertica Support Case yet?

  • colin_loghin Registered User

    This is Vertica 8.1. I have not opened a support case. Is this forum not worthwhile of an answer? If I were a customer having this problem in the middle of the night, I would rather do a 2 sec. Google search and find a cure rather than wake up Vertica support engineers for a down Vertica instance.

  • Jim_Knicely Employee, Registered User, VerticaExpert

    Vertica support engineers never sleep :) Ha hah!

    How are you starting the DB? With admintools? If so, can you post the output? If you aren't using admintools, can you try, then post the output?

    Can you also post the contents of the vertica.conf file? It is located in the catalog directory (i.e. the same directory that contains the vertica.log file).

    How many nodes are there in the test cluster?

  • colin_loghin Registered User

    Yes, I am starting the DB with admintools. It is a 1 node test database. The output from vertica.log (I don't see anything relevant in admintools.log) has been posted in the first comment of this post. vertica.conf is empty because the parameters are now read from the catalog and anything added into vertica.conf is ignored.

  • colin_loghin Registered User

    Any Vertica experts here on this forum? There must be a way to disable SSL on a downed database.

  • Jim_Knicely Employee, Registered User, VerticaExpert
    edited August 14

    @colin_loghin - Send me your email address and I will help you.

    My email address is [email protected]

  • Jim_Knicely Employee, Registered User, VerticaExpert
    edited August 14

    @colin_loghin - Do you have a valid SSLPrivateKey and SSLCertificate info in files?

    If so, you can change the DB settings via admintools:

    [[email protected] ~]$ admintools -t set_ssl_params --help
    Usage: set_ssl_params [options]
    
    Options:
      -h, --help            show this help message and exit
      -d DB, --database=DB  Name of database whose parameters will be set
      -k KEYFILE, --ssl-key-file=KEYFILE
                            Path to SSL private key file
      -c CERTFILE, --ssl-cert-file=CERTFILE
                            Path to SSL certificate file
      -a CAFILE, --ssl-ca-file=CAFILE
                            Path to SSL CA file
      -p DBPASSWORD, --password=DBPASSWORD
                            Database password in single quotes
    

    Example:

    [[email protected] ~]$ admintools -t set_ssl_params -k server.key -d test_db
    Success. Change committed on a quorum of nodes.
    
  • Jim_Knicely Employee, Registered User, VerticaExpert
    edited August 14

    Fyi... You can also clear the parameter with admintools.

    Example:

    I have the SSLPrivateKey param set:

    [[email protected] ~]$ vsql -c "SELECT left(current_value, 25) FROM configuration_parameters WHERE parameter_name = 'SSLPrivateKey';"
               left
    ---------------------------
     -----BEGIN RSA PRIVATE KE
    (1 row)
    

    Now I will clear it! First I will shut down the DB so that I am in a similar situation as you (Downed node).

    [[email protected] ~]$ admintools -t stop_db -d test_db
    Info: no password specified, using none
            Connecting to database
            Issuing shutdown command to database
    Database test_db stopped successfully
    

    I created an empty file called clear_server.key. I will use that to clear the SSLPrivateKey Vertica parameter...

    [[email protected] ~]$ cat clear_server.key
    
    [[email protected] ~]$ admintools -t set_ssl_params -k clear_server.key -d test_db
    Success. Change committed on a quorum of nodes.
    
    [[email protected] ~]$ admintools -t start_db -d test_db
    Info: no password specified, using none
            Starting nodes:
                    v_test_db_node0001 (74.208.100.58)
            Starting Vertica on all nodes. Please wait, databases with a large catalog may take a while to initialize.
            Node Status: v_test_db_node0001: (DOWN)
            Node Status: v_test_db_node0001: (DOWN)
            Node Status: v_test_db_node0001: (DOWN)
            Node Status: v_test_db_node0001: (DOWN)
            Node Status: v_test_db_node0001: (UP)
    Database test_db: Startup Succeeded.  All Nodes are UP
    
    [[email protected] ~]$ vsql -c "SELECT left(current_value, 25) FROM configuration_parameters WHERE parameter_name = 'SSLPrivateKey';"
     left
    ------
    
    (1 row)
    

    It's cleared!

    Clearing that parameter should let you start the DB.
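
The `key values mismatch` error at the top of this thread means the stored private key and certificate do not belong together. The script below is an added example, not part of the thread or of Vertica's tooling: it compares the public key of a key file and a certificate with `openssl` before they are handed to `admintools -t set_ssl_params`. It assumes unencrypted PEM files; the function names and the throwaway sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the pair passed to
#   admintools -t set_ssl_params -k KEYFILE -c CERTFILE -d DB

# Returns 0 if key and certificate carry the same public key,
# 1 on a mismatch (the condition X509_check_private_key reports),
# 2 if either file is empty, passphrase-protected or unparsable.
key_matches_cert() {
    kmc_key=$1; kmc_cert=$2
    [ -s "$kmc_key" ] && [ -s "$kmc_cert" ] || return 2
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    kmc_kpub=$(openssl pkey -in "$kmc_key" -passin pass: -pubout 2>/dev/null) || return 2
    kmc_cpub=$(openssl x509 -in "$kmc_cert" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kmc_kpub" ] && [ "$kmc_kpub" = "$kmc_cpub" ]
}

# Constructed sample data: throwaway self-signed pair named $2 in directory $1.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Runs the check on a matching pair, a mismatched pair and an empty key file.
demo() {
    demo_dir=$(mktemp -d) || return 1
    make_constructed_pair "$demo_dir" a && make_constructed_pair "$demo_dir" b || return 1
    : > "$demo_dir/empty.key"
    for demo_pair in "a.key a.crt" "b.key a.crt" "empty.key a.crt"; do
        set -- $demo_pair
        demo_rc=0
        key_matches_cert "$demo_dir/$1" "$demo_dir/$2" || demo_rc=$?
        printf '%s + %s -> status %s\n' "$1" "$2" "$demo_rc"
    done
    rm -rf "$demo_dir"
}

demo
```

Status 2 also covers the empty file used above to clear SSLPrivateKey, so a deliberate clear is reported separately from a real key/certificate mismatch.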
