DEV-422: mariadb deactivate ssl stuff to ensure stable smardigo-ENV

4 years ago · 819a658e50
parent ea2e31cd27
commit 819a658e50
5 changed files with 23 additions and 11 deletions
--- a/roles/connect_wordpress/vars/main.yml
+++ b/roles/connect_wordpress/vars/main.yml
@ -42,7 +42,7 @@ wordpress_docker: {
        "WORDPRESS_CONFIG_EXTRA: |",
        "  define( 'WP_HOME', 'https://{{ wordpress_base_url }}' );",
        "  define( 'WP_SITEURL', 'https://{{ wordpress_base_url }}' );",
-        "  define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT );",
+#        "  define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT );",
        "AUTH_API: \"https://{{ shared_service_keycloak_hostname }}\"",
        "RESOURCE_API: \"https://{{ connect_base_url }}\"",
        "REALM_ID: \"{{ current_realm_name }}\"",
--- a/roles/maria/tasks/main.yml
+++ b/roles/maria/tasks/main.yml
@ -47,13 +47,21 @@
    line: 'bind-address={{ ansible_all_ipv4_addresses | ansible.netcommon.ipaddr(shared_service_network) | first }}'
  notify: restart mysql

- name: "Create my.cnf containing ssl stuff"
-  template:
-    src: 50-ssl.cnf
-    dest: /etc/mysql/conf.d/
-    mode: '0644'
-    owner: root
-    group: root
+# DEV-422: SSL stuff does not work as expected
+#- name: "Create my.cnf containing ssl stuff"
+#  template:
+#    src: 50-ssl.cnf
+#    dest: /etc/mysql/conf.d/
+#    mode: '0644'
+#    owner: root
+#    group: root
+#  notify: restart mysql
+
+# DEV-422
+- name: "Ensure configured SSL config is removed"
+  file:
+    state: absent
+    path: /etc/mysql/conf.d/50-ssl.cnf
  notify: restart mysql

 - name: Ensure service is started
--- a/roles/maria/templates/50-ssl.cnf
+++ b/roles/maria/templates/50-ssl.cnf
@ -3,3 +3,5 @@ ssl_key = {{ cert_private_key }}
 ssl_cert = {{ cert_public_key }} 
 ssl_ca = {{ ca_cert }}
 ssl = on
+tls_version = TLSv1.2,TLSv1.3
+ssl_cipher = TLSv1.2,TLSv1.3
--- a/roles/restore_maria/tasks/main.yml
+++ b/roles/restore_maria/tasks/main.yml
@ -12,8 +12,8 @@
      - mariadb-server
      - mariadb-backup
    mysql_bind_address: '{{ ansible_all_ipv4_addresses | ansible.netcommon.ipaddr(shared_service_network) | first }}'
-    mysql_config_include_files:
-      - src: 50-ssl.cnf
+#    mysql_config_include_files:
+#      - src: 50-ssl.cnf
  include_role:
    name: geerlingguy.mysql

@ -27,6 +27,7 @@
    tasks_from: _create_cert
  vars:
    selfsigned_ca_cert_private_key: '{{ cert_private_key }}'
+    selfsigned_ca_cert_private_key_group: mysql
    selfsigned_ca_cert_public_key: '{{ cert_public_key }}'
    selfsigned_ca_cacert: '{{ ca_cert }}'
    selfsigned_ca_cert_subject:
--- a/roles/restore_maria/templates/50-ssl.cnf
+++ b/roles/restore_maria/templates/50-ssl.cnf
@ -2,4 +2,5 @@
 ssl_key = {{ cert_private_key }}
 ssl_cert = {{ cert_public_key }} 
 ssl_ca = {{ ca_cert }}
-ssl = on
+tls_version = TLSv1.2,TLSv1.3
+ssl_cipher = TLSv1.2,TLSv1.3