
System:

  • Maxscale 2.5.9
  • Ubuntu 20.04

In order to access the Web AdminGUI my maxscale.cnf file looks like this:

[maxscale]
threads=auto
admin_host=0.0.0.0
admin_secure_gui=1
admin_auth=1
admin_enabled=1
admin_gui=1
admin_ssl_key=/etc/ssl/certs/maxscale-key.pem
admin_ssl_cert=/etc/ssl/certs/maxscale-cert.pem
admin_ssl_ca_cert=/etc/ssl/certs/ca-certificates.crt

[...all other configuration..]

With this configuration I can access the Web-AdminGUI on port 8989 from the internal IP address (not 127.0.0.1) by browser. The SSL key/certs are self-signed.

But when using the command line like:

maxctrl list servers

I get the following error:

Error: Error: socket hang up

When I remove or comment out the lines with the admin_ssl_XXX parameters and restart maxscale, command line works again, but of course the Web-AdminGUI does not.

I tried with various SSL certificate creations (also the one that is listed on the mariadb.com-Website https://mariadb.com/docs/security/encryption/in-transit/create-self-signed-certificates-keys-openssl/#create-self-signed-certificates-keys-openssl), the issue remains.

No errors in the maxscale.log whatsoever.

What is the best way to debug this issue? Or do you have by any chance the right answer at hand?

YOUR help is greatly appreciated!

BR. Martin

1 Answer


You should use maxctrl --secure to encrypt the connections used by it.

Since you are using self-signed certificates, you have to also specify the CA certificate with --tls-ca-cert=/etc/ssl/certs/ca-certificates.crt if it's not installed in the system certificate store.

In addition, you probably need to use --tls-verify-server-cert=false to disable any warnings about self-signed certificates.

markusjm
  • Thank you for the quick response. With the two parameters I get an error **self signed certificate**. So I do have to figure out how to create self-signed certs that will be accepted by maxctrl. BR. Martin – user4169982 Mar 18 '21 at 10:22
  • I've added a clarification on what options can be used to ignore warnings about self-signed certificates. – markusjm Mar 19 '21 at 11:15
  • Thank you! Unfortunately I still get the error **Error: self signed certificate**... Created also new SSL certs (self-signed), but error persists :-( – user4169982 Mar 20 '21 at 13:12
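
One way to debug the certificate side of this, as an added example that is not part of the original question, answer or comments: generate a throwaway self-signed certificate and check with `openssl verify` which trust file validates it, which is the same decision a verifying TLS client makes with the file it is given as CA certificate. The hostname `maxscale.example.test`, the temporary directory and the helper functions are constructed for illustration; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the post): all hostnames and paths are constructed.
# Requires OpenSSL 1.1.1 or later for -addext and -no-CApath.

# make_selfsigned DIR HOST
# Creates DIR/key.pem and DIR/cert.pem, self-signed, with HOST as CN and SAN.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null &&
    chmod 600 "$1/key.pem"   # private key readable by its owner only
}

# trusts CAFILE CERT HOST
# Succeeds only if CERT chains to a certificate in CAFILE and is valid for HOST.
# -no-CApath keeps the system trust directory out of the decision.
trusts() {
    openssl verify -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}

# report CAFILE CERT HOST: print the verdict a verifying client would reach.
report() {
    if trusts "$1" "$2" "$3"; then
        echo "accepted: $3 with trust file $1"
    else
        echo "rejected: $3 with trust file $1"
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned "$dir" maxscale.example.test || return 1
    # The system bundle does not contain a freshly generated certificate.
    report /etc/ssl/certs/ca-certificates.crt "$dir/cert.pem" maxscale.example.test
    # The certificate itself, used as the trust file, validates it.
    report "$dir/cert.pem" "$dir/cert.pem" maxscale.example.test
    # Same trust file, but a name that is not in the certificate's SAN.
    report "$dir/cert.pem" "$dir/cert.pem" other.example.test
    rm -rf "$dir"
}

demo
```

Running `trusts` against the real certificate and the file intended as CA certificate shows whether verification can succeed with checking left on.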