[Bug 1227311] New: Upgrade of mariadb from 11.2.3 to 11.4.2 will fail if ssl can't be verified.
https://bugzilla.suse.com/show_bug.cgi?id=1227311

Bug ID: 1227311
Summary: Upgrade of mariadb from 11.2.3 to 11.4.2 will fail if ssl can't be verified.
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Slowroll
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: screening-team-bugs@suse.de
Reporter: silentworks@gmail.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

The recent release of mariadb-11.4.2 creates a quite annoying issue: the installation script will create /var/lib/misc/.mariadb_run_upgrade, since a mysql_upgrade should be done with the version change.

The next time systemd tries to start mariadb, /usr/libexec/mysql/mysql-systemd-helper sees that .mariadb_run_upgrade exists, and that enables the upgrade flag.

Here comes the problem: since mariadb 11.3 the upgrade function has ssl verification enabled by default. So if the mariadb server has any self-signed cert, any custom cert, or the hostname doesn't match, the verification will fail, and hence the upgrade and the script will fail.

mysql_upgrade will refuse the connection, and the script isn't designed to handle this.

--disable-ssl-verify-server-cert should be passed by default in the script.

In line 119: "if /usr/bin/mysql_upgrade --disable-ssl-verify-server-cert"

And I don't know if mysqladmin behaves in the same way (didn't check).

I think in some situations the .mariadb_run_upgrade may not be deleted too, even if the upgrade finished. That could cause a loop that will cause the upgrade script to run every time mariadb is started from systemd, which is what happened to me, and I had to delete the .mariadb_run_upgrade manually, but I'm not sure why. (I did the upgrade manually afterwards.)

--
You are receiving this mail because:
You are on the CC list for the bug.
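
The flag-driven upgrade step described in the report, as an added shell sketch that is not part of the original mail and not the code of mysql-systemd-helper. It clears the flag only after a successful upgrade, keeps it on failure, and reports a TLS verification failure separately so the operator decides whether to pass an option such as the `--disable-ssl-verify-server-cert` named in the report. The function name, the overridable `FLAG` and `UPGRADE_BIN` variables, the return codes and the error-text match are assumptions.

```shell
#!/bin/sh
# Added illustration: NOT the code of mysql-systemd-helper.
# The flag path, binary path and option come from the report; the function
# name, the overridable variables and the error-text match are assumptions.
FLAG="${FLAG:-/var/lib/misc/.mariadb_run_upgrade}"
UPGRADE_BIN="${UPGRADE_BIN:-/usr/bin/mysql_upgrade}"

# Returns 0 = nothing pending, or upgrade done (flag removed),
#         2 = upgrade failed on TLS/certificate verification (flag kept),
#         1 = upgrade failed for another reason (flag kept).
# Any arguments are passed through to the upgrade command unchanged.
run_pending_upgrade() {
    [ -e "$FLAG" ] || return 0            # no upgrade requested

    log=$(mktemp) || return 1
    rc=0
    "$UPGRADE_BIN" "$@" >"$log" 2>&1 || rc=$?

    if [ "$rc" -eq 0 ]; then
        rm -f "$FLAG" "$log"              # clear the flag only after success
        return 0
    fi

    # Assumption: the client reports verification problems with text
    # containing "SSL" or "certificate"; adjust to the real message.
    if grep -Eqi 'ssl|certificate' "$log"; then
        echo "upgrade: TLS verification failed, $FLAG kept" >&2
        status=2
    else
        echo "upgrade: failed with exit code $rc, $FLAG kept" >&2
        status=1
    fi
    cat "$log" >&2                        # keep the original error visible
    rm -f "$log"
    return "$status"
}
```
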