Bug #108917 bootstrapping mysqlrouter with certificate authentication issues
Submitted: 28 Oct 2022 13:33   Modified: 31 Oct 2022 15:07
Reporter: Jay Janssen
Status: Verified   Impact on me: None
Category: MySQL Router   Severity: S3 (Non-critical)
Version: 8.0.31   OS: Any
Assigned to:   CPU Architecture: Any

[28 Oct 2022 13:33] Jay Janssen
Description:
I am attempting to use a user with certificate-based authentication to bootstrap multiple mysql routers to route for my cluster.  The command line looks like this:

```
mysqlrouter --ssl-mode=VERIFY_CA --ssl-ca=/etc/ods/certs/ca.pem --ssl-key=/etc/ods/certs/config-jaytest-development-001.key --ssl-cert=/etc/ods/certs/config-jaytest-development-001.crt --bootstrap config:@10.160.132.207 --account-create if-not-exists --account router --report-host 10.160.132.207 --name i-0799b665af618c460 --user mysqlrouter --conf-set-option=DEFAULT.max_connect_errors=4294967295 --conf-set-option=DEFAULT.client_ssl_mode=PASSTHROUGH
```

I am prompted for a password for my config user (https://bugs.mysql.com/bug.php?id=108849), but I just hit enter there.  I am also prompted for my router user password, which I send.  

When I run this against a single node cluster, it seems to work perfectly, here is the output:

```
Bootstrapping mysql router locally
Please enter MySQL password for config:
# Bootstrapping system MySQL Router instance...

Please enter MySQL password for router:
- Creating account(s) (only those that are needed, if any)
- Verifying account (using it to run SQL queries that would be run by Router)
- Storing account in keyring
- Adjusting permissions of generated files
- Creating configuration /etc/mysqlrouter/mysqlrouter.conf

Existing configuration backed up to '/etc/mysqlrouter/mysqlrouter.conf.bak'

# MySQL Router 'i-0e170ee18cb1ce84b' configured for the ClusterSet 'jaytest-development-001'
```

This router seems fine.  However, I am getting an error trying to bootstrap a second router.  This is also after a second node joins my cluster.  The command line is identical to the first, except the IP address in the bootstrap URI and report-host, and the --name flag.  

```
Please enter MySQL password for config:
# Bootstrapping system MySQL Router instance...

Please enter MySQL password for router:
Fetching Cluster Members
trying to connect to mysql-server at 10.160.133.198:3306
Failed connecting to 10.160.133.198:3306: Error connecting to MySQL server at 10.160.133.198:3306: Access denied for user 'config'@'10.160.132.207' (using password: NO) (1045), trying next
trying to connect to mysql-server at 10.160.132.207:3306
Failed connecting to 10.160.132.207:3306: Error connecting to MySQL server at 10.160.132.207:3306: Access denied for user 'config'@'10.160.132.207' (using password: NO) (1045), trying next
trying to connect to mysql-server at 10.160.132.35:3306
Failed connecting to 10.160.132.35:3306: Error connecting to MySQL server at 10.160.132.35:3306: Access denied for user 'config'@'10.160.132.207' (using password: NO) (1045), trying next
Error: no more nodes to fail-over too, giving up.
```

I can confirm I can connect to those IP addresses with the config user using mysqlsh, so it is not a grant issue.  From the same host:

```
mysqlsh -u config --no-password --ssl-mode=VERIFY_CA --ssl-ca=/etc/ods/certs/ca.pem --ssl-key=/etc/ods/certs/config-jaytest-development-001.key --ssl-cert=/etc/ods/certs/config-jaytest-development-001.crt config@10.160.132.207:3306
MySQL Shell 8.0.31

Copyright (c) 2016, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.

Type '\help' or '\?' for help; '\quit' to exit.
Creating a session to 'config@10.160.132.207:3306?ssl-ca=%2Fetc%2Fods%2Fcerts%2Fca.pem&ssl-cert=%2Fetc%2Fods%2Fcerts%2Fconfig-jaytest-development-001.crt&ssl-key=%2Fetc%2Fods%2Fcerts%2Fconfig-jaytest-development-001.key&ssl-mode=verify_ca'
Fetching schema names for auto-completion... Press ^C to stop.
Your MySQL connection id is 581
Server version: 8.0.31 MySQL Community Server - GPL
No default schema selected; type \use <schema> to set one.
 MySQL  10.160.132.207:3306 ssl  JS >
```

I suspect that router is not sending the certificate information properly in this mode for some reason.

I did find a workaround to use the existing router user that seems to work:

```
[root@ip-10-160-132-207 ~]# mysqlrouter --bootstrap router@10.160.132.207 --account-create never --account router --report-host 10.160.132.207 --name i-0799b665af618c460 --user mysqlrouter --conf-set-option=DEFAULT.max_connect_errors=4294967295 --conf-set-option=DEFAULT.client_ssl_mode=PASSTHROUGH --force
Please enter MySQL password for router:
# Bootstrapping system MySQL Router instance...

Please enter MySQL password for router:
Fetching Cluster Members
trying to connect to mysql-server at 10.160.133.198:3306
- Verifying account (using it to run SQL queries that would be run by Router)
- Storing account in keyring
- Adjusting permissions of generated files
- Creating configuration /etc/mysqlrouter/mysqlrouter.conf

Existing configuration backed up to '/etc/mysqlrouter/mysqlrouter.conf.bak'

# MySQL Router 'i-0799b665af618c460' configured for the ClusterSet 'jaytest-development-001'

After this MySQL Router has been started with the generated configuration

    $ /etc/init.d/mysqlrouter restart
or
    $ systemctl start mysqlrouter
or
    $ mysqlrouter -c /etc/mysqlrouter/mysqlrouter.conf

ClusterSet 'jaytest-development-001' can be reached by connecting to:

## MySQL Classic protocol

- Read/Write Connections: 10.160.132.207:6446
- Read/Only Connections:  10.160.132.207:6447

## MySQL X protocol

- Read/Write Connections: 10.160.132.207:6448
- Read/Only Connections:  10.160.132.207:6449
```

How to repeat:
it's complicated
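The fail-over lines in the failing bootstrap above carry the diagnostic signature of this report: every cluster member rejects the bootstrap user with error 1045 and "using password: NO", which is what a server reports when neither a password nor an accepted client certificate reached it. The following parser is an added example (not part of the bug report or of MySQL Router) that extracts those events from a bootstrap transcript and summarises whether the rejection was uniform across members, so an operator can separate this auth-path failure from a network or partial-grant problem before opening a ticket. The sample log is constructed from the lines in the report.

```python
import re

# Constructed sample: the fail-over lines Router printed during the failing
# bootstrap, shaped exactly like the report's output (addresses are the report's own).
SAMPLE_LOG = """\
Fetching Cluster Members
trying to connect to mysql-server at 10.160.133.198:3306
Failed connecting to 10.160.133.198:3306: Error connecting to MySQL server at 10.160.133.198:3306: Access denied for user 'config'@'10.160.132.207' (using password: NO) (1045), trying next
trying to connect to mysql-server at 10.160.132.207:3306
Failed connecting to 10.160.132.207:3306: Error connecting to MySQL server at 10.160.132.207:3306: Access denied for user 'config'@'10.160.132.207' (using password: NO) (1045), trying next
Error: no more nodes to fail-over too, giving up.
"""

# One regex for the "Failed connecting ... Access denied ... (1045)" line.
# 1045 is ER_ACCESS_DENIED_ERROR; the server does not say why, only that
# no password was offered.
FAIL_RE = re.compile(
    r"^Failed connecting to (?P<node>[\d.]+:\d+): .*?"
    r"Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)' "
    r"\(using password: (?P<pw>YES|NO)\) \((?P<errno>\d+)\)"
)


def parse_failovers(log: str) -> list[dict]:
    """Return one event per member that Router tried and was refused by."""
    events = []
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            d = m.groupdict()
            d["errno"] = int(d["errno"])
            d["used_password"] = d.pop("pw") == "YES"
            events.append(d)
    return events


def summarize(events: list[dict]) -> dict:
    """Describe the failure pattern: which members refused, and whether every
    refusal was a password-less 1045 (the pattern seen in this report) rather
    than a mix of errors, which would point at per-node grants or networking."""
    nodes = [e["node"] for e in events]
    uniform = bool(events) and all(
        e["errno"] == 1045 and not e["used_password"] for e in events
    )
    return {
        "members_refused": nodes,
        "users": sorted({e["user"] for e in events}),
        "uniform_access_denied_without_password": uniform,
    }
```

A `True` in `uniform_access_denied_without_password` for a user that is known to work over `mysqlsh` with the same certificate files is the condition the reporter hit; a mix of error codes or a subset of members means something other than the client-certificate path is wrong.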
[31 Oct 2022 15:07] MySQL Verification Team
Hi Jay,

Thanks for the report. I managed to reproduce the behavior.