TLS Error When Syncing TiDB to Downstream Serverless TiDB Using CDC

Translated
1

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: cdc 同步tidb到下游的serverless tidb时候 tls 报错

| username: 天下无贼

[TiDB Usage Environment] Production Environment / Testing / Poc
[TiDB Version] 7.1.2 syncing with 6.6.0
[Reproduction Path] cdc cli changefeed create
–server=http://192.168.187.4:8300
–sink-uri=“mysql://${user}:${password}@${host}:4000/”
–changefeed-id=“simple-replication-task”
[Encountered Issue: Issue Phenomenon and Impact] Error: [CDC:ErrMySQLConnectionError] fail to open MySQL connection: Error 1105 (HY000): Connections using insecure transport are prohibited. See https://docs.pingcap.com/tidbcloud/secure-connections-to-serverless-tier-clusters
[Resource Configuration]
[Attachment: Screenshot/Logs/Monitoring]

2
| username: 天下无贼 | Original post link

How to create a public key for this TLS?

3
| username: 天下无贼 | Original post link

Resolved

4
| username: Jellybean | Original post link

Please post your solution and the steps you took to resolve the issue, so that other members can refer to it in the future.

5
| username: dba远航 | Original post link

Connection configuration issue

6
| username: 江湖故人 | Original post link

When logging into serverless, you must configure TLS. Refer to the official documentation to download the root certificate, and then add the ssl-ca parameter in the URI to specify the root certificate directory when creating the changefeed.

7
| username: 天下无贼 | Original post link

The image is not visible. Please provide the text content for translation.

8
| username: 天下无贼 | Original post link

Yesterday there were no errors, but now it keeps reporting that it can’t find the directory or file after downloading the CA. It’s strange because it was working fine yesterday, and the directory and file do exist. I even gave it 777 permissions and configured the parameter ?ssl-ca=/data/app/tidb/ca-bundle.pem. It’s really weird.

9
| username: 天下无贼 | Original post link

Could you please take a look at the following image? The items exist, so why does CDC say it can’t find the file or directory?

10
| username: 小龙虾爱大龙虾 | Original post link

Each CDC node must have this file.

11
| username: TIDB-Learner | Original post link

I haven’t used TiDB Cloud or TiDB Serverless yet.

12
| username: TIDB-Learner | Original post link

This topic is about access permission issues, specifically not having sufficient permissions to access the specified database. To resolve the TLS handshake failure, the client lacks the root certificate and cannot verify the integrity and authenticity of the certificate chain. In this case, the certificate chain cannot be trusted, even if the client has the intermediate certificate. To establish a trusted TLS connection, the client needs to have the complete certificate chain, including the root certificate, intermediate certificates, and leaf certificates.

13
| username: dba远航 | Original post link

You checked the file on machine 02, but the error should be on machine 10.4. It seems like you checked the wrong machine. Check if the file exists on machine 10.4.

14
| username: 天下无贼 | Original post link

Wait until it’s completely resolved.

15
| username: 天下无贼 | Original post link

Thank you very much, it indeed works by copying it over. After exporting with dumpling and importing into the serverless TiDB cluster with loader, it asks to add a certificate. However, there is no parameter for adding a certificate in the loader’s parameters.

16
| username: 天下无贼 | Original post link

Connections using insecure transport are prohibited.

17
| username: 小龙虾爱大龙虾 | Original post link

Using the Lightning tool, the Lightning tool has

18
| username: 天下无贼 | Original post link

tidb-lighting tool, right?

19
| username: 天下无贼 | Original post link

Thanks, Little Lobster Loves Big Lobster

20
| username: Jellybean | Original post link

I saw you marked it as solved earlier.

Is it OK now using the tidb-lighting tool?