Increase Galera self-signed SSL CA expiration

Currently we generate the CA certificate with default expiration time (30 days), while both CSR and signed certificates are set to expire in 3650 days. If a Galera service is restarted after 30 days, replication breaks due to expired CA certificate. Increasing the CA certificate expiration to 3650 days resolves the issue and makes expiration consistent between the certificates. Change-Id: Ibf5ca5c0504b681b8c6d8c3aae44b2039bd47ece
2018-12-10 14:46:22 -08:00 · 2018-12-10 14:46:22 -08:00 · 30bdc809bb
parent 4b3df86bab
commit 30bdc809bb
1 changed files with 1 additions and 0 deletions
--- a/tasks/galera_ssl_self_signed.yml
+++ b/tasks/galera_ssl_self_signed.yml
@ -30,6 +30,7 @@
  command: >
    openssl req -new -nodes -x509 -subj
    "{{ galera_ssl_ca_self_signed_subject }}"
+    -days 3650
    -keyout {{ galera_ssl_key | dirname }}/galera-ca.key
    -out {{ galera_ssl_ca_cert }}
    creates={{ galera_ssl_ca_cert }}