Seeking Help with TiDB Cluster Certificate Issues

This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: tidb集群证书问题求助

| username: 月明星稀

After enabling enable_tls: true, TiKV and PD each have their own certificate, and there is another certificate displayed by tiup.

The information from tiup cluster display xxxxX is as follows:
Cluster type: tidb
Cluster name: xxxxX
Cluster version: v6.5.0
Deploy user: tikvxxxx
SSH type: builtin
TLS encryption: enabled
CA certificate: /root/.tiup/storage/cluster/clusters/xxxxX/tls/ca.crt
Client private key: /root/.tiup/storage/cluster/clusters/X/tls/client.pem
Client certificate: /root/.tiup/storage/cluster/clusters/X/tls/client.crt

  1. What are the purposes of these three certificates?
  2. What values should be configured for the cert-allowed-cn in TiKV and PD?
| username: caiyfc | Original post link

  1. When using peripheral tools, you need to use these certificates: Column - The Trials and Tribulations of TLS Encrypted Communication in TiDB Production Clusters - Tools Edition | TiDB Community
  2. After the cluster has enabled TLS, the certificate-related configurations are already written in the configuration files. You can check the configuration files on the TiKV and PD nodes.
| username: 月明星稀 | Original post link

Could you please help explain how to configure the cert-allowed-cn setting? I configured the CN of the PD certificate in the TiKV configuration and the CN of the TiKV certificate in the PD configuration, but I found that PD still rejects TiKV’s requests. Thank you very much.

| username: caiyfc | Original post link

How about trying to configure it like this?

| username: Anna | Original post link

If you use cfssl, you must use the same CA (Certification Authority) as the original cluster. You need to follow steps 5 to 7 in the Issuing Certificates Using the cfssl System documentation to complete the certificate issuance between components of the new cluster.

| username: Anna | Original post link

tikv-ctl provides the following two operating modes:

  • Remote mode. Accepts the TiKV service address as a parameter through the --host option. In this mode, if TiKV has SSL enabled, tikv-ctl also needs to specify the relevant certificate files, for example:
tikv-ctl --ca-path ca.pem --cert-path client.pem --key-path client-key.pem --host <subcommands>

In some cases, tikv-ctl communicates with PD instead of TiKV. In this case, you need to use the --pd option instead of the --host option, for example:

tikv-ctl --pd compact-cluster
store:"" compact db:KV cf:default range:([], []) success!
  • Local mode:
    • Use the --data-dir option to specify the directory path of the local TiKV data.
    • Use the --config option to specify the path to the local TiKV configuration file. In this mode, you need to stop the running TiKV instance.

Unless otherwise specified, all commands support both modes.

Additionally, tikv-ctl has two simple commands --to-hex and --to-escaped for simple transformations of key forms. Generally, the escaped form is used, as shown below:

tikv-ctl --to-escaped 0xaaff
tikv-ctl --to-hex "\252\377"


When specifying the escaped form of the key on the command line, you need to enclose it in double quotes, otherwise bash will eat the backslashes, resulting in an error.

| username: Anna | Original post link

There is actually such a document: 生成自签名证书 | PingCAP 文档中心

| username: 月明星稀 | Original post link

Does PD not have the cert-allowed-cn command? Will it prompt an authentication error when enabled?

| username: redgame | Original post link

I’ll write a part of it, tikv’s cert-allowed-cn:
It can be configured as the hostname, host IP, or DNS name of the PD server.
This setting is used to control the TiKV connection to the PD server. The connection will only be trusted if the server’s hostname or IP matches this configuration.

| username: 月明星稀 | Original post link

Ask again, if PD also needs to verify the client’s identity, how should it be configured? Thanks!!!