MySQL Forums

Trying to get SSL working with replication
Posted by: Rik Hennema
Date: February 06, 2009 01:20AM

Hi all,

I'm using version 5.0 of MySQL and am trying to set up replication over SSL. I have replication working already so that is set up fine.

I have created a CA and used it to create a server certificate. Then I created a client certificate. I installed the server certificate, along with the key and CA file on the master and also installed the appropriate files on the slave.

When I issue the new 'CHANGE MASTER TO' statement on the slave, giving it the SSL options it needs, and then type 'START SLAVE', replication won't happen.

In the master logfile (syslog, I believe), I see the following:

--
Feb 5 16:34:14 server1-desktop mysqld_safe[12442]: started
Feb 5 16:34:14 server1-desktop kernel: [76481.558013] audit(1233848054.033:25): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/etc/mysql/ssl/ca-cert.pem" pid=12444 profile="/usr/sbin/mysqld" namespace="default"
Feb 5 16:34:14 server1-desktop kernel: [76481.559078] audit(1233848054.033:26): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/etc/mysql/ssl/server-cert.pem" pid=12444 profile="/usr/sbin/mysqld" namespace="default"
Feb 5 16:34:14 server1-desktop mysqld[12446]: SSL error: Unable to get certificate from '/etc/mysql/ssl/server-cert.pem'
Feb 5 16:34:14 server1-desktop mysqld[12446]: 090205 16:34:14 [Warning] Failed to setup SSL
Feb 5 16:34:14 server1-desktop mysqld[12446]: 090205 16:34:14 InnoDB: Started; log sequence number 0 435919855
Feb 5 16:34:14 server1-desktop mysqld[12446]: 090205 16:34:14 [Note] /usr/sbin/mysqld: ready for connections.
Feb 5 16:34:14 server1-desktop mysqld[12446]: Version: '5.0.51a-3u
--

Does this mean that there is something wrong with my certificate or can it also have to do with MySQL configuration? The certificate is in the right place and the rights are ok (rw-rw-rw-) (write access is of course not needed).

Is there a way to check if server and client certificate match each other if you put them on the same machine?

Is there a way to make MySQL more verbose about what went wrong?

Hopefully someone can point me in the right direction.

Kind regards,
Rik.



Edited 1 time(s). Last edit at 02/06/2009 01:22AM by Rik Hennema.
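
Added example, not part of the original post: the kernel audit lines in the log above record a denied read (denied_mask="r::") under the profile "/usr/sbin/mysqld" on the same file that mysqld then reports it cannot load, which is the record shape AppArmor emits. The Python sketch below pairs each mysqld SSL file error with an audit denial on the same path; the function names are this example's own, and the log lines are copied from the post.

```python
import re

# Log lines copied verbatim from the post above.
POSTED_LOG = """\
Feb 5 16:34:14 server1-desktop kernel: [76481.558013] audit(1233848054.033:25): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/etc/mysql/ssl/ca-cert.pem" pid=12444 profile="/usr/sbin/mysqld" namespace="default"
Feb 5 16:34:14 server1-desktop kernel: [76481.559078] audit(1233848054.033:26): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/etc/mysql/ssl/server-cert.pem" pid=12444 profile="/usr/sbin/mysqld" namespace="default"
Feb 5 16:34:14 server1-desktop mysqld[12446]: SSL error: Unable to get certificate from '/etc/mysql/ssl/server-cert.pem'
"""

AUDIT_RE = re.compile(r"audit\([\d.]+:\d+\):\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SSL_ERR_RE = re.compile(r"mysqld\[\d+\]: SSL error: Unable to get certificate from '([^']+)'")


def parse_denials(log):
    """Return one dict per kernel audit record that has a non-empty denied_mask."""
    denials = []
    for line in log.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        # Each key=value pair is either quoted ("r::") or bare (12444).
        fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(m.group(1))}
        if fields.get("denied_mask"):
            denials.append(fields)
    return denials


def correlate(log):
    """Pair each mysqld SSL file error with any audit denial on the same path."""
    by_path = {d["name"]: d for d in parse_denials(log) if "name" in d}
    findings = []
    for path in SSL_ERR_RE.findall(log):
        hit = by_path.get(path)
        findings.append({
            "path": path,
            "denied": hit is not None,
            "profile": hit.get("profile") if hit else None,
            "mask": hit.get("denied_mask") if hit else None,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(POSTED_LOG):
        cause = (f"read denied under profile {f['profile']}" if f["denied"]
                 else "no denial logged; inspect the file itself")
        print(f"{f['path']}: {cause}")
```

A path reported with `denied` set to true points at the confinement profile for mysqld rather than at the file mode bits or the certificate contents; a path with no matching denial is the case where the certificate file itself is worth inspecting.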
