mysql master master replication with ssl encryption

Lets assume the two servers to be serverA and serverB

Create the certificates to use with mysql replication:

openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

Note:

The common name must be different for two certificates, or it will not work.

Create the Certificates for ServerA :

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout servera-key.pem > servera-req.pem
openssl x509 -req -in servera-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > servera-cert.pem

Now Create the Certificates for ServerB:

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout serverb-key.pem > serverb-req.pem
openssl x509 -req -in serverb-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > serverb-cert.pem

Copy ca-* and each server’s respective keys  to each server.

Now Configure each Server:

ServerA:

GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'%' IDENTIFIED BY 'slave_password' REQUIRE SSL;

If the user already exists:

GRANT USAGE ON *.* TO 'slave_user'@'%' REQUIRE SSL;
Flush privileges;

Add the following parameters under [mysqld] section of /etc/my.cnf

vi /etc/my.cnf
ssl
ssl-ca=/path/to/ca-cert.pem
ssl-cert=/path/to//servera-cert.pem
ssl-key=/path/to//servera-key.pem

ServerB:

GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'%' IDENTIFIED BY 'slave_password' REQUIRE SSL;
Flush privileges;

Add the following parameters under [mysqld] section of my.cnf :

vi /etc/my.cnf

ssl
ssl-ca=/path/to/ca-cert.pem
ssl-cert=/path/to/serverb-cert.pem
ssl-key=/path/to//serverb-key.pem

 

Adjust your other replication parameters as usual, or see my post for mysql master master replication for information on how to setup master/master replication

Now on each server run the following command on mysql console :

CHANGE MASTER TO MASTER_HOST='master_ip', MASTER_USER='slave_user', MASTER_PASSWORD='slave_password', MASTER_LOG_FILE='log_file_name', MASTER_LOG_POS='master_log_position', MASTER_SSL=1, MASTER_SSL_CA = '/path/to/ca-cert.pem', MASTER_SSL_CERT = '/path/to/servera(b)-cert.pem', MASTER_SSL_KEY = '/path/to/servera(b)-key.pem';

 

start slave; show slave status\G;

You now have the ssl encrypted mysql replication.

Issues & Troubleshooting :

The main issue with SSL based replication / connection is the problems with certificates. You should carefully follow the steps to make sure that SSL replication  works. In case the replication does not work , here are few things to check :

  • Make sure SELINUX is disabled , or configure it to let mysql have ssl enabled.
  • Verify that MySQL has SSL Enabled  You  can verify that by :
    mysql –e “show variables like ‘%ssl%’”
  • Use packet capture utility like ngrep to verify that there is no SSL handshake problem. If you see bad Handshake in the capture, your SSL Certificates are not right.

For any other issues, or suggestions please shoot me an email at amit@amitnepal.com  and I will get back to you at my earliest convenience.

Thank you

Amit