mysql master master replication with ssl encryption

Lets assume the two servers to be serverA and serverB

**Create the certificates to use with mysql replication:**

openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem


The common name must be different for two certificates, or it will not work.

Create the Certificates for ServerA :

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout servera-key.pem > servera-req.pem

openssl x509 -req -in servera-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > servera-cert.pem

Now Create the Certificates for ServerB:

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout serverb-key.pem > serverb-req.pem

openssl x509 -req -in serverb-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > serverb-cert.pem

Copy ca-* and each server’s respective keys  to each server.

Now Configure each Server:



If the user already exists:

GRANT USAGE ON . TO 'slave_user'@'%' REQUIRE SSL;

Flush privileges;

Add the following parameters under [mysqld] section of /etc/my.cnf

vi /etc/my.cnf

ssl ssl-ca=/path/to/ca-cert.pem ssl-cert=/path/to//servera-cert.pem ssl-key=/path/to//servera-key.pem


GRANT REPLICATION SLAVE ON . TO 'slave_user'@'%' IDENTIFIED BY 'slave_password' REQUIRE SSL; Flush privileges;

**Add the following parameters under [mysqld] section of my.cnf :**


vi /etc/my.cnf ssl ssl-ca=/path/to/ca-cert.pem ssl-cert=/path/to/serverb-cert.pem ssl-key=/path/to//serverb-key.pem

Adjust your other replication parameters as usual, or see my post for mysql master master replication for information on how to setup master/master replication

Now on each server run the following command on mysql console :

CHANGE MASTER TO MASTER_HOST=’master_ip’, MASTER_USER=’slave_user’, MASTER_PASSWORD=’slave_password’, MASTER_LOG_FILE=’log_file_name’, MASTER_LOG_POS=’master_log_position’, MASTER_SSL=1, MASTER_SSL_CA = ‘/path/to/ca-cert.pem’, MASTER_SSL_CERT = ‘/path/to/servera(b)-cert.pem’, MASTER_SSL_KEY = ‘/path/to/servera(b)-key.pem’;

start slave; show slave status\G;

You now have the ssl encrypted mysql replication.

**Issues & Troubleshooting : **

The main issue with SSL based replication / connection is the problems with certificates. You should carefully follow the steps to make sure that SSL replication  works. In case the replication does not work , here are few things to check :

- Make sure SELINUX is disabled , or configure it to let mysql have ssl enabled.
- Verify that MySQL has SSL Enabled  You  can verify that by :

 mysql –e “show variables like ‘%ssl%’”

- Use packet capture utility like ngrep to verify that there is no SSL handshake problem. If you see bad Handshake in the capture, your SSL Certificates are not right.

For any other issues, or suggestions please shoot me an email at [](  and I will get back to you at my earliest convenience.

Thank you