mysql:troubleshoot_mysql_ssl_replication_problems
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| mysql:troubleshoot_mysql_ssl_replication_problems [2016/11/21 10:27] – created peter | mysql:troubleshoot_mysql_ssl_replication_problems [2020/07/15 09:30] (current) – external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 4: | Line 4: | ||
| * ERROR 2026 (HY000): SSL connection error: protocol version mismatch | * ERROR 2026 (HY000): SSL connection error: protocol version mismatch | ||
| - | * ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation// // Mismatch is usually because you're trying to authentication with your client certificates. | + | * ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation |
| + | |||
| + | Mismatches | ||
| <code bash> | <code bash> | ||
| mysql -utransmed_app -p --ssl-ca=/ | mysql -utransmed_app -p --ssl-ca=/ | ||
| </ | </ | ||
| - | // | + | |
| + | <WRAP notice> | ||
| You MUST use a chain cert. | You MUST use a chain cert. | ||
| + | </ | ||
| * ERROR 2003 (HY000): Can’t connect to MySQL server on ' | * ERROR 2003 (HY000): Can’t connect to MySQL server on ' | ||
| - | |||
| Some MySQL selections don't support the PKCS#8 format. | Some MySQL selections don't support the PKCS#8 format. | ||
| - | 1 | + | < |
| -----BEGIN PRIVATE KEY----- | -----BEGIN PRIVATE KEY----- | ||
| - | This occurs when keys are generated with OpenSSL 1.0+. To fix this issue you simply convert the key to PKCS#1 format: | + | </ |
| - | 1 | + | This occurs when keys are generated with OpenSSL |
| + | |||
| + | <code bash> | ||
| openssl rsa -in pkcs8-key.pem -out pkcs1-key.pem | openssl rsa -in pkcs8-key.pem -out pkcs1-key.pem | ||
| + | </ | ||
| + | |||
| You should now see: | You should now see: | ||
| - | 1 | + | < |
| -----BEGIN RSA PRIVATE KEY----- | -----BEGIN RSA PRIVATE KEY----- | ||
| - | Keep in mind you can’t just simply insert “RSA” into the PKCS#8 format. It won’t work! They’re different formats altogether. You can verify the certs/keys: | + | </code> |
| - | 1 | + | Keep in mind you can't just simply insert “RSA” into the PKCS#8 format. |
| + | |||
| + | <code bash> | ||
| openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem | openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem | ||
| - | Additional troubleshooting tips: | + | </ |
| - | Make sure both servers have SSL enabled. Make sure the master_ssl_ca has the entire CA chain or it won’t work! | + | |
| + | |||
| + | ===== Additional troubleshooting tips ===== | ||
| + | |||
| + | Make sure both servers have SSL enabled. | ||
| - | 1 | + | <file bash /etc/my.cnf> |
| - | 2 | + | |
| - | 3 | + | |
| - | 4 | + | |
| - | # /etc/my.cnf | + | |
| ssl-ca | ssl-ca | ||
| ssl-cert | ssl-cert | ||
| ssl-key | ssl-key | ||
| + | </ | ||
| - | 1 | + | <code mysql> |
| - | 2 | + | |
| - | 3 | + | |
| - | 4 | + | |
| - | 5 | + | |
| - | 6 | + | |
| - | 7 | + | |
| - | 8 | + | |
| - | 9 | + | |
| - | 10 | + | |
| - | 11 | + | |
| - | 12 | + | |
| - | 13 | + | |
| - | 14 | + | |
| mysql> show variables like " | mysql> show variables like " | ||
| +---------------+-------------------------------------------------------+ | +---------------+-------------------------------------------------------+ | ||
| Line 63: | Line 61: | ||
| | have_openssl | | have_openssl | ||
| | have_ssl | | have_ssl | ||
| - | | ssl_ca | + | | ssl_ca |
| | ssl_capath | | ssl_capath | ||
| - | | ssl_cert | + | | ssl_cert |
| | ssl_cipher | | ssl_cipher | ||
| | ssl_crl | | ssl_crl | ||
| | ssl_crlpath | | ssl_crlpath | ||
| - | | ssl_key | + | | ssl_key |
| +---------------+-------------------------------------------------------+ | +---------------+-------------------------------------------------------+ | ||
| + | </ | ||
| + | |||
| If you run into this error: “Slave failed to initialize relay log info structure from the repository” you just need to run “RESET SLAVE;” | If you run into this error: “Slave failed to initialize relay log info structure from the repository” you just need to run “RESET SLAVE;” | ||
| + | |||
| Make sure your firewalls have Port 3306 (or whatever port you’re using) open. | Make sure your firewalls have Port 3306 (or whatever port you’re using) open. | ||
| + | |||
| Make sure secure_auth is on: | Make sure secure_auth is on: | ||
| - | 1 | + | <code mysql> |
| - | 2 | + | |
| - | 3 | + | |
| - | 4 | + | |
| - | 5 | + | |
| - | 6 | + | |
| show variables like " | show variables like " | ||
| +---------------+-------+ | +---------------+-------+ | ||
| Line 87: | Line 84: | ||
| | secure_auth | | secure_auth | ||
| +---------------+-------+ | +---------------+-------+ | ||
| + | </ | ||
| + | |||
| Make sure you’re granting the correct permissions: | Make sure you’re granting the correct permissions: | ||
| - | 1 | + | <code mysql> |
| GRANT REPLICATION SLAVE ON *.* TO slave_user@slave.example.net IDENTIFIED BY ' | GRANT REPLICATION SLAVE ON *.* TO slave_user@slave.example.net IDENTIFIED BY ' | ||
| + | </ | ||
| + | |||
| You should have master_ssl set to 1: | You should have master_ssl set to 1: | ||
| - | 1 | + | <code mysql> |
| - | 2 | + | change master to |
| - | 3 | + | |
| - | 4 | + | |
| - | 5 | + | |
| - | 6 | + | |
| - | 7 | + | |
| - | 8 | + | |
| - | 9 | + | |
| - | 10 | + | |
| - | | + | |
| master_host=' | master_host=' | ||
| master_user=' | master_user=' | ||
| Line 113: | Line 105: | ||
| master_ssl_cert='/ | master_ssl_cert='/ | ||
| master_ssl_key='/ | master_ssl_key='/ | ||
| + | </ | ||
| + | |||
mysql/troubleshoot_mysql_ssl_replication_problems.1479724034.txt.gz · Last modified: 2020/07/15 09:30 (external edit)