Fix TLS verify error when gh-ost discovers the replication master (#1487)

* Update connection.DuplicateCredentials function to set correct ServerName property

Ensure the ServerName TLS property matches the new connection
instance key hostname to avoid TLS verify errors like the following:

2025-01-02 02:07:26 FATAL tls: failed to verify certificate: x509: certificate is valid for [old host], not [new host]

This is only one part of the fix for this issue. The second part,
registering TLS Config with the mysql driver, will come in
subsequent commits.

* Use connection.DuplicateCredentials in cases where the connection key changes

* Extract TLS config key name generation to GetDBTLSConfigKey function

* Extract function to register a connection's TLS config with the mysql driver

This allows us to register TLS configuration is the various places
where connection configs are created and before they're used.

* Register TLS config when setting up master connection info

This ensures that the master's TLS config has been registered with
the mysql driver before any connections are attempted.

This is the second part of resolving the following TLS verify
error:

2025-01-02 02:07:26 FATAL tls: failed to verify certificate: x509: certificate is valid for [old host], not [new host]

* Register TLS config when setting up the throttler's connection info

This ensures that the throttler's TLS config has been registered with
the mysql driver before any connections are attempted.

This is the second part of resolving the following TLS verify
error:

2025-01-02 02:07:26 FATAL tls: failed to verify certificate: x509: certificate is valid for [old host], not [new host]

---------

Co-authored-by: meiji163 <meiji163@github.com>

Author: petervandoros

Diff for: go/logic/migrator.go

@@ -791,6 +791,9 @@ func (this *Migrator) initiateInspector() (err error) {
 		if this.migrationContext.CliMasterPassword != "" {
 			this.migrationContext.ApplierConnectionConfig.Password = this.migrationContext.CliMasterPassword
 		}
+		if err := this.migrationContext.ApplierConnectionConfig.RegisterTLSConfig(); err != nil {
+			return err
+		}
 		this.migrationContext.Log.Infof("Master forced to be %+v", *this.migrationContext.ApplierConnectionConfig.ImpliedKey)
 	}
 	// validate configs

Diff for: go/logic/throttler.go

@@ -215,8 +215,10 @@ func (this *Throttler) collectControlReplicasLag() {
 		}
 		lagResults := make(chan *mysql.ReplicationLagResult, instanceKeyMap.Len())
 		for replicaKey := range *instanceKeyMap {
-			connectionConfig := this.migrationContext.InspectorConnectionConfig.Duplicate()
-			connectionConfig.Key = replicaKey
+			connectionConfig := this.migrationContext.InspectorConnectionConfig.DuplicateCredentials(replicaKey)
+			if err := connectionConfig.RegisterTLSConfig(); err != nil {
+				return &mysql.ReplicationLagResult{Err: err}
+			}
 
 			lagResult := &mysql.ReplicationLagResult{Key: connectionConfig.Key}
 			go func() {

Diff for: go/mysql/connection.go

@@ -52,6 +52,16 @@ func (this *ConnectionConfig) DuplicateCredentials(key InstanceKey) *ConnectionC
 		TransactionIsolation: this.TransactionIsolation,
 		Charset:              this.Charset,
 	}
+
+	if this.tlsConfig != nil {
+		config.tlsConfig = &tls.Config{
+			ServerName:         key.Hostname,
+			Certificates:       this.tlsConfig.Certificates,
+			RootCAs:            this.tlsConfig.RootCAs,
+			InsecureSkipVerify: this.tlsConfig.InsecureSkipVerify,
+		}
+	}
+
 	config.ImpliedKey = &config.Key
 	return config
 }
@@ -103,7 +113,20 @@ func (this *ConnectionConfig) UseTLS(caCertificatePath, clientCertificate, clien
 		InsecureSkipVerify: allowInsecure,
 	}
 
-	return mysql.RegisterTLSConfig(TLS_CONFIG_KEY, this.tlsConfig)
+	return this.RegisterTLSConfig()
+}
+
+func (this *ConnectionConfig) RegisterTLSConfig() error {
+	if this.tlsConfig == nil {
+		return nil
+	}
+	if this.tlsConfig.ServerName == "" {
+		return errors.New("tlsConfig.ServerName cannot be empty")
+	}
+
+	var tlsOption = GetDBTLSConfigKey(this.tlsConfig.ServerName)
+
+	return mysql.RegisterTLSConfig(tlsOption, this.tlsConfig)
 }
 
 func (this *ConnectionConfig) TLSConfig() *tls.Config {
@@ -122,7 +145,7 @@ func (this *ConnectionConfig) GetDBUri(databaseName string) string {
 	// simplify construction of the DSN below.
 	tlsOption := "false"
 	if this.tlsConfig != nil {
-		tlsOption = TLS_CONFIG_KEY
+		tlsOption = GetDBTLSConfigKey(this.tlsConfig.ServerName)
 	}
 
 	if this.Charset == "" {
@@ -142,3 +165,7 @@ func (this *ConnectionConfig) GetDBUri(databaseName string) string {
 
 	return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?%s", this.User, this.Password, hostname, this.Key.Port, databaseName, strings.Join(connectionParams, "&"))
 }
+
+func GetDBTLSConfigKey(tlsServerName string) string {
+	return fmt.Sprintf("%s-%s", TLS_CONFIG_KEY, tlsServerName)
+}

Diff for: go/mysql/connection_test.go

@@ -52,7 +52,10 @@ func TestDuplicateCredentials(t *testing.T) {
 	require.Equal(t, 3310, dup.ImpliedKey.Port)
 	require.Equal(t, "gromit", dup.User)
 	require.Equal(t, "penguin", dup.Password)
-	require.Equal(t, c.tlsConfig, dup.tlsConfig)
+	require.Equal(t, "otherhost", dup.tlsConfig.ServerName)
+	require.Equal(t, c.tlsConfig.Certificates, dup.tlsConfig.Certificates)
+	require.Equal(t, c.tlsConfig.RootCAs, dup.tlsConfig.RootCAs)
+	require.Equal(t, c.tlsConfig.InsecureSkipVerify, dup.tlsConfig.InsecureSkipVerify)
 	require.Equal(t, c.TransactionIsolation, dup.TransactionIsolation)
 	require.Equal(t, c.Charset, dup.Charset)
 }
@@ -72,6 +75,7 @@ func TestDuplicate(t *testing.T) {
 	require.Equal(t, 3306, dup.ImpliedKey.Port)
 	require.Equal(t, "gromit", dup.User)
 	require.Equal(t, "penguin", dup.Password)
+	require.Equal(t, c.tlsConfig, dup.tlsConfig)
 	require.Equal(t, transactionIsolation, dup.TransactionIsolation)
 	require.Equal(t, "utf8mb4", dup.Charset)
 }
@@ -95,10 +99,17 @@ func TestGetDBUriWithTLSSetup(t *testing.T) {
 	c.User = "gromit"
 	c.Password = "penguin"
 	c.Timeout = 1.2345
-	c.tlsConfig = &tls.Config{}
+	c.tlsConfig = &tls.Config{
+		ServerName: c.Key.Hostname,
+	}
 	c.TransactionIsolation = transactionIsolation
 	c.Charset = "utf8mb4_general_ci,utf8_general_ci,latin1"
 
 	uri := c.GetDBUri("test")
-	require.Equal(t, `gromit:penguin@tcp(myhost:3306)/test?autocommit=true&interpolateParams=true&charset=utf8mb4_general_ci,utf8_general_ci,latin1&tls=ghost&transaction_isolation="REPEATABLE-READ"&timeout=1.234500s&readTimeout=1.234500s&writeTimeout=1.234500s`, uri)
+	require.Equal(t, `gromit:penguin@tcp(myhost:3306)/test?autocommit=true&interpolateParams=true&charset=utf8mb4_general_ci,utf8_general_ci,latin1&tls=ghost-myhost&transaction_isolation="REPEATABLE-READ"&timeout=1.234500s&readTimeout=1.234500s&writeTimeout=1.234500s`, uri)
+}
+
+func TestGetDBTLSConfigKey(t *testing.T) {
+	configKey := GetDBTLSConfigKey("myhost")
+	require.Equal(t, "ghost-myhost", configKey)
 }

Diff for: go/mysql/utils.go

@@ -136,8 +136,11 @@ func GetMasterConnectionConfigSafe(dbVersion string, connectionConfig *Connectio
 	if !masterKey.IsValid() {
 		return connectionConfig, nil
 	}
-	masterConfig = connectionConfig.Duplicate()
-	masterConfig.Key = *masterKey
+
+	masterConfig = connectionConfig.DuplicateCredentials(*masterKey)
+	if err := masterConfig.RegisterTLSConfig(); err != nil {
+		return nil, err
+	}
 
 	log.Debugf("%s of %+v is %+v", ReplicaTermFor(dbVersion, "master"), connectionConfig.Key, masterConfig.Key)
 	if visitedKeys.HasKey(masterConfig.Key) {