MySQL: configuring SSL for master/slave replication

  1. Set up the CA server (on the master)
    The CA directory is set in /etc/pki/tls/openssl.cnf:
    dir=/etc/pki/CA

    cd /etc/pki/CA
    touch index.txt
    echo 01 > serial

    (umask 066;openssl genrsa -out private/cakey.pem 2048)
    openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3650  # cacert.pem must be placed here, otherwise openssl ca later fails (the error screenshot is not preserved)

    The self-signed CA's private key is at /etc/pki/CA/private/cakey.pem
    The CA certificate is at /etc/pki/CA/cacert.pem
    Both locations are the defaults defined in /etc/pki/tls/openssl.cnf

    At this point the CA's private key and certificate have been generated.


  2. Create the master's private key and certificate
    mkdir /var/lib/mysql/ssl
    cd /var/lib/mysql/ssl
    (umask 066;openssl genrsa 2048 > master.key)
    openssl req -new -key master.key -out master.csr
    openssl ca -in master.csr -out master.crt -days 3650

    cp /etc/pki/CA/cacert.pem /var/lib/mysql/ssl    # the same ssl directory created above, /var/lib/mysql/ssl
    chown -R mysql.mysql /var/lib/mysql/ssl

  3. Create slave1's private key and certificate
    cd /etc/pki/CA
    mkdir csr
    (umask 066;openssl genrsa 2048 > private/slave1.key)
    openssl req -new -key private/slave1.key -out csr/slave1.csr
    openssl ca -in csr/slave1.csr -out certs/slave1.crt -days 3650
    rsync certs/slave1.crt private/slave1.key cacert.pem slave1:/var/lib/mysql/ssl

    * Don't forget to fix the ownership and permissions of these files on the slave1 host as well

  4. Check the SSL-related server variables

  5. Create the replication user
    create user replica@'%' identified by 'replica' require ssl;    # MySQL 8 no longer accepts REQUIRE in GRANT: the account, its password and the SSL requirement are set here
    grant replication slave,replication client on *.* to replica@'%';

  6. Configure the slave (the ssl/ paths are relative to the replica's data directory, /var/lib/mysql)

    change replication source to
    source_host='master',
    source_user='replica',
    source_password='replica',
    source_log_file='binlog.000001',
    source_log_pos=156,
    source_ssl=1,
    source_ssl_ca='ssl/cacert.pem',
    source_ssl_cert='ssl/slave1.crt',
    source_ssl_key='ssl/slave1.key';

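The steps above copy private keys between hosts and leave a screenshot-only step 4, so it is easy to end up with a replica that silently falls back to an unverified or mismatched key set. The script below is an added example (not part of the original post) with the checks a practitioner would run on each host after steps 2, 3 and 6: that the leaf certificate chains to the copied cacert.pem, that the key actually belongs to the certificate (a stale key after a re-issue is a common rsync mistake), that the key is 0600 and owned by the server user, and, via the mysql client, the SSL variables of step 4 plus whether the `replica` account's connection on the master is really a TLS session. It assumes the post's layout (`/var/lib/mysql/ssl/{cacert.pem,NAME.crt,NAME.key}`), a working `mysql` login for `show_ssl_state`, and the `performance_schema.threads.connection_type` column; the `replica` user name and file names come from the post, everything else is an assumption.

```shell
#!/bin/sh
# Post-setup checks for the SSL replication material above (added example,
# not part of the original post). Assumed layout, taken from the post:
#   /var/lib/mysql/ssl/{cacert.pem,master.crt,master.key}  on the master
#   /var/lib/mysql/ssl/{cacert.pem,slave1.crt,slave1.key}  on slave1

# 1. The leaf certificate must chain to the CA certificate copied next to it.
check_chain() {             # check_chain <cacert.pem> <leaf.crt>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2. The private key must be the one the certificate was issued for; comparing
#    the public keys catches a stale key left behind after a re-issue.
check_key_matches_cert() {  # check_key_matches_cert <key> <crt>
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# 3. "(umask 066; ...)" gives the key mode 0600; anything readable by group or
#    other is a key leak. GNU stat first, BSD stat as fallback.
check_key_mode() {          # check_key_mode <key>   -> 0 only for 0600 / 0400
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# "chown -R mysql.mysql" must leave the key owned by the server user.
check_key_owner() {         # check_key_owner <key> <user>
    owner=$(stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null) || return 1
    [ "$owner" = "$2" ]
}

# 4. Server-side view: the SSL variables of step 4 and, run on the master,
#    whether the replication account's session is a TLS session. The
#    connection_type column shows 'SSL/TLS' for TLS sessions (assumed column).
show_ssl_state() {          # show_ssl_state <replication user>   (needs a mysql login)
    mysql -e "SHOW VARIABLES LIKE '%ssl%';"
    mysql -e "SELECT processlist_host, connection_type
              FROM performance_schema.threads
              WHERE processlist_user = '$1';"
}

# Print "ok"/"FAIL" for one labelled check; returns the check's status.
report() {                  # report <label> <command...>
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; return 1; fi
}

# Run all file checks for one host's key material, e.g.
#   check_ssl_files /var/lib/mysql/ssl slave1 mysql
check_ssl_files() {         # check_ssl_files <dir> <name> <owner>
    dir=$1; name=$2; owner=$3; rc=0
    report chain     check_chain "$dir/cacert.pem" "$dir/$name.crt"            || rc=1
    report key-match check_key_matches_cert "$dir/$name.key" "$dir/$name.crt" || rc=1
    report key-mode  check_key_mode "$dir/$name.key"                          || rc=1
    report key-owner check_key_owner "$dir/$name.key" "$owner"                || rc=1
    return $rc
}

# Stand-alone use: ./check_ssl_files.sh /var/lib/mysql/ssl slave1 mysql
if [ $# -eq 3 ]; then
    check_ssl_files "$1" "$2" "$3"
fi
```

Run it on the master with `master` and on slave1 with `slave1` as the name; a non-zero exit means at least one check failed. Note that step 6 as written only sets `source_ssl_ca`; the replica does not check the host name in the master's certificate unless `source_ssl_verify_server_cert=1` is also set.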

posted @ 2021-04-15 18:07  ascertain  views(292)  comments(0)