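SSL configuration fails on Community Edition

[Environment] Test environment
[OB or other component]
[Version] oceanbase/oceanbase-ce 4.3.5-lts
[Problem description] After enabling SSL, the error "key and cert not match" is reported; checking the log, it says the file cannot be found.
[Steps to reproduce] Deployment script: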

docker run -d \
  --name oceanbase-container \
  -p 2881:2881 \
  -p 2882:2882 \
  -p 2883:2883 \
  -v /home/program/ssl:/home/admin/oceanbase/wallet \
  -e SQL_MODE="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" \
  -e MYSQL_ROOT_PASSWORD=root_password \
  -e OB_CLUSTER_NAME=test-cluster \
  -e OB_MYSQL_PORT=2881 \
  -e OB_RPC_PORT=2882 \
  -e OB_DATA_DIR=/home/admin/oceanbase/store \
  -e ENABLE_SSL=true \
  quay.io/oceanbase/oceanbase-ce:4.3.5-lts

Certificate directory:

I also created the log directory /root/wallet under the root directory, but that does not work either.

[Attachments and logs] See attachment


observer.tar.gz (24.4 MB)

Did you enable it by following this document? Please run the checks in the document and post the output.
https://www.oceanbase.com/docs/common-oceanbase-database-cn-1000000002013027

1 like

Community Edition does not support this command: ssl_external_kms_info

1 like

Please check the enablement status as described in the document and post the result.

I followed the steps in the document, but the certificate cannot be enabled.
[root@8cad4d8f5dc4 ~]# ls -l /home/admin/oceanbase/wallet/
total 60
drwx------ 2 root root 4096 May 27 11:58 CAs
-rw-r--r-- 1 root root 1704 May 21 02:17 ca.key
-rw-r--r-- 1 root root 1415 Jun 12 09:22 ca.pem
-rw-r--r-- 1 root root 1415 May 21 02:18 ca_cert.pem
-rw-r--r-- 1 root root 1322 Jun 12 01:56 influxdb-server.crt
-rw-r--r-- 1 root root 1704 Jun 12 01:56 influxdb-server.key
-rw-r--r-- 1 root root 1704 May 28 01:17 private.key
-rw-r--r-- 1 root root 1322 May 28 01:17 public.crt
-rw-r--r-- 1 root root 1322 Jun 12 09:22 server-cert.pem
-rw-r--r-- 1 root root 1704 Jun 12 09:22 server-key.pem
-rw-r--r-- 1 root root 1322 May 21 07:49 server.crt
-rw-r--r-- 1 root root 993 May 21 02:16 server.csr
-rw-r--r-- 1 root root 1704 May 21 02:16 server.key
-rw-r--r-- 1 root root 2732 May 21 08:55 server.p12
-rw-r--r-- 1 root root 1318 May 21 08:56 truststore.jks
[root@8cad4d8f5dc4 ~]# obclient -h127.0.0.1 -P2881 -uroot@sys -p
Enter password:
Welcome to the OceanBase. Commands end with ; or \g.
Your OceanBase connection id is 3221507013
Server version: OceanBase_CE 4.3.5.1 (r101000042025031818-b6d5706eb3d2c5f501c7fa646ddbf32f3dc87069) (Built Mar 18 2025 18:13:36)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

obclient(root@sys)[(none)]> ALTER SYSTEM SET ssl_external_kms_info = '{"ssl_mode":"file"}';
ERROR 1235 (0A000): Not supported feature or function
[10.247.25.2:2882] [2025-06-13 08:03:41.797506] [YB420AF71902-0006376F7AE67E52-0-0]
obclient(root@sys)[(none)]> ALTER SYSTEM SET sql_protocol_min_tls_version = 'TLSv1.1';
Query OK, 0 rows affected (0.050 sec)

obclient(root@sys)[(none)]> ALTER SYSTEM SET ssl_client_authentication = 'TRUE';
ERROR 4147 (HY000): key and cert not match
[10.247.25.2:2882] [2025-06-13 08:04:06.968087] [YB420AF71902-0006376F7AE67EBC-0-0]
obclient(root@sys)[(none)]>

1 like

show parameters like 'ssl_client_authentication'; Please check this configuration item.

1 like

Like this

This mismatch basically only happens when the files cannot be read.

Isn't the path /home/admin/oceanbase/wallet? How could it not be read? Other services use these certificates too, and they work normally.
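
An added diagnostic, not part of the thread and not OceanBase code: it separates the two explanations raised above for "key and cert not match", files the process cannot read versus a key that does not belong to the certificate. It assumes the observer loads ca.pem, server-cert.pem and server-key.pem from the wallet directory and that openssl is installed where the script runs.

```shell
#!/bin/sh
# Added diagnostic, not OceanBase code.
# Assumption: observer reads ca.pem, server-cert.pem and server-key.pem
# from the wallet directory passed as the first argument.

# check_wallet DIR
# returns 0 ok, 1 missing/unreadable file, 2 unparsable PEM,
#         3 key and certificate differ, 4 certificate not issued by ca.pem
check_wallet() {
    dir=$1
    for f in ca.pem server-cert.pem server-key.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing or not readable by $(id -un)" >&2
            return 1
        fi
    done

    # A private key readable by every account is a finding, not a failure.
    if [ -n "$(find "$dir/server-key.pem" -perm -004 2>/dev/null)" ]; then
        echo "WARN: $dir/server-key.pem is world-readable" >&2
    fi

    # Extract the public key from both files; -passin pass: stops openssl
    # from prompting if the key is encrypted (it then fails to parse).
    cert_pub=$(openssl x509 -in "$dir/server-cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/server-key.pem" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "FAIL: certificate or key is not parsable unencrypted PEM" >&2
        return 2
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: server-key.pem does not belong to server-cert.pem" >&2
        return 3
    fi

    if ! openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null 2>&1; then
        echo "FAIL: server-cert.pem does not verify against ca.pem" >&2
        return 4
    fi
    echo "OK: $dir holds a readable, matching key, certificate and CA"
    return 0
}

# Stand-alone use: sh check_wallet.sh /home/admin/oceanbase/wallet
if [ "$#" -gt 0 ]; then
    check_wallet "$1"
fi
```

Run it inside the container as the account the observer process runs under, because the readability check only reflects the user executing it.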