Bug ID 1227311
Summary Upgrade of mariadb from 11.2.3 to 11.4.2 will fail if ssl can't be verified.
Classification openSUSE
Product openSUSE Tumbleweed
Version Slowroll
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Other
Assignee screening-team-bugs@suse.de
Reporter silentworks@gmail.com
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker --- 

The recent release of mariadb-11.4.2 creates a quite annoying issue, the
installation script will create /var/lib/misc/.mariadb_run_upgrade, since a
mysql_upgrade should be done with the version change.

The next time systemd tries to start mariadb
/usr/libexec/mysql/mysql-systemd-helper sees that .mariadb_run_upgrade exists,
and that enables the upgrade flag.

Here comes the problem, since mariadb 11.3 the upgrade function has ssl
verification enabled by default.

So if the mariadb server has any self-signed cert, any custom cert, or the
hostname doesn't match, the verification will fail. And hence the upgrade and
the script will fail.

mysql_upgrade will refuse the connection, and the script isn't designed to
handle this.

--disable-ssl-verify-server-cert should be passed by default in the script

In line 119: "if /usr/bin/mysql_upgrade --disable-ssl-verify-server-cert"


And i don't know if the mysqladmin behaves in he same way (didn't check).

I think in some situations the .mariadb_run_upgrade may not be deleted too,
even if the upgrade finished, that could cause a loop that will cause the
upgrade script to run everytime mariadb is started from systemd, which is what
happened to me and i had to delete the .mariadb_run_upgrade manually, but i'm
not sure why. (i did the upgrade manually afterwards)

You are receiving this mail because: