Failed to initialize SSL

I have a test database that does not start because of an invalid SSLPrivateKey / SSLCertificate.
The following messages are in the log.

2018-07-30 13:30:26.007 Spread Client:7fb43c614700 @v_d2_node0001: VX001/6211: Could not load server private key from SSLPrivateKey config parameter: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
2018-07-30 13:30:26.007 Spread Client:7fb43c614700 @v_d2_node0001: VX001/3380: Failed to initialize SSL
LOCATION: doInstallAndJoin, /scratch_a/release/svrtar21434/vbuild/vertica/Transaction/TransAPI.cpp:3512

Since these parameters are loaded from the catalog, what is the antidote for resetting to non-SSL and starting the database successfully?

There is a mention of KM03014326, found with a Google search, with a Micro Focus logo on it, but the link / article attached to it is invalid. (https://softwaresupport.softwaregrp.com/kb/KM03014326)

Thanks.

Comments

  • ScottL - Employee

    Assuming you are running SSL Mutual Mode where the client needs certificate, key, and certificate authority files.

    Turn off SSL in the database (example using vsql) set EnableSSL = 0:

    echo "ALTER DATABASE <database> SET EnableSSL = 0;" | vsql  
    

    and remove EnableSSL=true from your connection strings

    You need to restart the database after the alter. Hope that helps

  • Hi Scott, the database is down (could not be started after SSL cert was applied), hence the error "Failed to initialize SSL" in the subject line. Therefore, we cannot use vsql on a down database. I am looking into how to disable SSL on a downed database so that we could bring it up. Hope this makes sense and I hope this would benefit someone else as well. Having a down database is no fun for anyone!

  • Jim_Knicely - Administrator
    edited July 2018

    @colin_loghin - Which version of Vertica is this? Have you opened a Vertica Support Case yet?

  • This is Vertica 8.1. I have not opened a support case. Is this forum not worthwhile of an answer? If I were a customer having this problem in the middle of the night, I would rather do a 2 sec. Google search and find a cure rather than wake up Vertica support engineers for a down Vertica instance.

  • Jim_Knicely - Administrator

    Vertica support engineers never sleep :) Ha hah!

    How are you starting the DB? With admintools? If so, can you post the output? If you aren't using admintools, can you try, then post the output?

    Can you also post the contents of the vertica.conf file? It is located in the catalog directory (i.e. the same directory that contains the vertica.log file).

    How many nodes are there in the test cluster?

  • Yes, I am starting the DB with admintools. It is a 1 node test database. The output from vertica.log (I don't see anything relevant in admintools.log) has been posted in the first comment of this post. vertica.conf is empty because the parameters are now read from the catalog and anything added into vertica.conf is ignored.

  • Any Vertica experts here on this forum? There must be a way to disable SSL on a downed database.

  • Jim_Knicely - Administrator
    edited August 2018

    @colin_loghin - Send me your email address and I will help you.

    My email address is james.knicely@microfocus.com.

  • Jim_Knicely - Administrator
    edited August 2018

    @colin_loghin - Do you have a valid SSLPrivateKey and SSLCertificate info in files?

    If so, you can change the DB settings via admintools:

    [dbadmin@s18384357 ~]$ admintools -t set_ssl_params --help
    Usage: set_ssl_params [options]
    
    Options:
      -h, --help            show this help message and exit
      -d DB, --database=DB  Name of database whose parameters will be set
      -k KEYFILE, --ssl-key-file=KEYFILE
                            Path to SSL private key file
      -c CERTFILE, --ssl-cert-file=CERTFILE
                            Path to SSL certificate file
      -a CAFILE, --ssl-ca-file=CAFILE
                            Path to SSL CA file
      -p DBPASSWORD, --password=DBPASSWORD
                            Database password in single quotes
    

    Example:

    [dbadmin@s18384357 ~]$ admintools -t set_ssl_params -k server.key -d test_db
    Success. Change committed on a quorum of nodes.
    
  • Jim_Knicely - Administrator
    edited August 2018

    Fyi... You can also clear the parameter with admintools.

    Example:

    I have the SSLPrivateKey param set:

    [dbadmin@s18384357 ~]$ vsql -c "SELECT left(current_value, 25) FROM configuration_parameters WHERE parameter_name = 'SSLPrivateKey';"
               left
    ---------------------------
     -----BEGIN RSA PRIVATE KE
    (1 row)
    

    Now I will clear it! First I will shut down the DB so that I am in a similar situation as you (Downed node).

    [dbadmin@s18384357 ~]$ admintools -t stop_db -d test_db
    Info: no password specified, using none
            Connecting to database
            Issuing shutdown command to database
    Database test_db stopped successfully
    

    I created an empty file called clear_server.key. I will use that to clear the SSLPrivateKey Vertica parameter...

    [dbadmin@s18384357 ~]$ cat clear_server.key
    
    [dbadmin@s18384357 ~]$ admintools -t set_ssl_params -k clear_server.key -d test_db
    Success. Change committed on a quorum of nodes.
    
    [dbadmin@s18384357 ~]$ admintools -t start_db -d test_db
    Info: no password specified, using none
            Starting nodes:
                    v_test_db_node0001 (74.208.100.58)
            Starting Vertica on all nodes. Please wait, databases with a large catalog may take a while to initialize.
            Node Status: v_test_db_node0001: (DOWN)
            Node Status: v_test_db_node0001: (DOWN)
            Node Status: v_test_db_node0001: (DOWN)
            Node Status: v_test_db_node0001: (DOWN)
            Node Status: v_test_db_node0001: (UP)
    Database test_db: Startup Succeeded.  All Nodes are UP
    
    [dbadmin@s18384357 ~]$ vsql -c "SELECT left(current_value, 25) FROM configuration_parameters WHERE parameter_name = 'SSLPrivateKey';"
     left
    ------
    
    (1 row)
    

    It's cleared!

    Clearing that parameter should let you start the DB.

  • This was the solution I was looking for. Tried it with single node cluster and it worked well. Hope it works also for multi-node. Thank you Jim.
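
A pre-flight check for the failure in this thread, added here as an example (it is not code from the thread or from Vertica): before passing files to `admintools -t set_ssl_params`, confirm with the `openssl` CLI that the certificate's public key matches the private key, which is the condition behind `X509_check_private_key:key values mismatch`. The function names and the throwaway sample pairs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a key/certificate pair before loading it with
# admintools -t set_ssl_params. Function names are hypothetical.

# Public key (PEM) derived from a private key file.
pubkey_from_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key (PEM) embedded in a certificate file.
pubkey_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Return 0 when the certificate belongs to the private key, 1 on mismatch,
# 2 when either file is missing, empty or unparsable (an empty key file is
# what the thread uses to clear SSLPrivateKey, so it is reported separately).
ssl_pair_matches() {
    key_file=$1
    cert_file=$2
    [ -s "$key_file" ] && [ -s "$cert_file" ] || return 2
    key_pub=$(pubkey_from_key "$key_file") || return 2
    cert_pub=$(pubkey_from_cert "$cert_file") || return 2
    [ -n "$key_pub" ] && [ -n "$cert_pub" ] || return 2
    [ "$key_pub" = "$cert_pub" ] && return 0
    return 1
}

# Constructed sample input: two throwaway self-signed pairs (a and b).
make_sample_pairs() {
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=sample-$n" \
            -keyout "$1/$n.key" -out "$1/$n.crt" >/dev/null 2>&1 || return 1
    done
}

# Demo: matching pair, mismatched pair, and an empty key file.
# Prints the three return codes separated by spaces.
run_demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_pairs "$tmp" || { rm -rf "$tmp"; return 1; }
    : > "$tmp/empty.key"
    r_match=0;    ssl_pair_matches "$tmp/a.key" "$tmp/a.crt" || r_match=$?
    r_mismatch=0; ssl_pair_matches "$tmp/a.key" "$tmp/b.crt" || r_mismatch=$?
    r_empty=0;    ssl_pair_matches "$tmp/empty.key" "$tmp/a.crt" || r_empty=$?
    rm -rf "$tmp"
    echo "$r_match $r_mismatch $r_empty"
}

run_demo
```

Run `ssl_pair_matches server.key server.crt` against the real files and only apply them when it returns 0.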
