Troubleshooting MySQL SSL in Secondary Node
Troubleshooting and Verifying MySQL SSL in Secondary Node
While installing the slave with MySQL SSL, you may be asked "Do you want to use a secure MySQL connection?". In that case, check the following:
1. If you answer yes, you need to specify the path of the certificates used to connect to the master node. You can confirm that they work by manually connecting to the master node with SSL, using the command below.
root@slave:~# mysql -u ezlogin_database_username -p -h hostname_or_ip --ssl-ca=/var/lib/mysql/ca.pem --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem
For example:
root@slave:~# mysql -u ezlogin_xxxx -p -h 10.11.1.11 --ssl-ca=/var/lib/mysql/ca.pem --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem
Make sure that you can log in to MySQL on the slave as the root user, and also from the slave to the master with the Ezeelogin database username and password over SSL.
2. If you answer no, continue with the installation; afterwards, you can configure MySQL SSL with the following articles:
3. Connect to MySQL with the database name and SSL in the cases below so that the master and slave are secure. A successful connection to MySQL SSL will take place if all cases are met.
i. From master to master itself with the below command.
[root@master ~]# mysql -u ezlogin_database_username -p -h master_ip --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/client-cert.pem --ssl-key=/etc/certs/client-key.pem
ii. From master to slave with the below command.
[root@master ~]# mysql -u ezlogin_database_username -p -h slave_ip --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/client-cert.pem --ssl-key=/etc/certs/client-key.pem
iii. From slave to slave itself with the below command.
[root@slave ~]# mysql -u ezlogin_database_username -p -h slave_ip --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/client-cert.pem --ssl-key=/etc/certs/client-key.pem
iv. From slave to master with the below command.
[root@slave ~]# mysql -u ezlogin_database_username -p -h master_ip --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/client-cert.pem --ssl-key=/etc/certs/client-key.pem
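Added example (not part of the original article or Ezeelogin's code): a successful login does not by itself show that the session is encrypted, so this script runs the article's connection command against both nodes and checks the session's Ssl_cipher status value. The script name, argument order and the CA/CERT/KEY environment overrides are assumptions; the certificate paths default to the article's /etc/certs files.

```shell
#!/bin/sh
# Added example (not Ezeelogin code): confirm that MySQL sessions opened from
# this node are encrypted, not merely that the login succeeds.
# Assumed defaults: certificate paths from the article's /etc/certs examples.
CA=${CA:-/etc/certs/ca.pem}
CERT=${CERT:-/etc/certs/client-cert.pem}
KEY=${KEY:-/etc/certs/client-key.pem}

# Classify the batch output of SHOW SESSION STATUS LIKE 'Ssl_cipher'
# ("Ssl_cipher<TAB><cipher>"). Prints the cipher and returns 0 when TLS is in
# use, returns 1 when the value is empty (plaintext session), 2 when the row
# is missing (the connection itself failed).
ssl_cipher_state() {
    line=$(printf '%s\n' "$1" | grep '^Ssl_cipher' | head -n 1)
    [ -n "$line" ] || return 2
    cipher=$(printf '%s\n' "$line" | awk '{print $2}')
    [ -n "$cipher" ] || return 1
    printf '%s\n' "$cipher"
}

# check_host HOST DB_USER: connect with the article's SSL options and report.
check_host() {
    out=$(mysql -N -B -u "$2" -p -h "$1" --ssl-ca="$CA" --ssl-cert="$CERT" \
        --ssl-key="$KEY" -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'") || out=""
    rc=0
    used=$(ssl_cipher_state "$out") || rc=$?
    case $rc in
        0) echo "OK        $1 cipher=$used" ;;
        1) echo "PLAINTEXT $1 logged in without TLS" ;;
        *) echo "FAILED    $1 no connection (see mysql error above)" ;;
    esac
    return $rc
}

# Usage: sh check_mysql_tls.sh DB_USER MASTER_IP SLAVE_IP  (run on each node)
if [ $# -ge 3 ]; then
    status=0
    for host in "$2" "$3"; do
        check_host "$host" "$1" || status=1
    done
    exit $status
fi
```

Running it once on the master and once on the slave covers all four cases listed above; any line other than OK means that direction should be fixed before SSL is enabled in ez.conf.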
If the above cases work, add the lines below to the ez.conf file on both the master and slave nodes.
Edit the /usr/local/etc/ezlogin/ez.conf file and add the following:
system_folder /var/www/ezlogin/
force_https no
uri_path /ezlogin/
db_host 10.10.1.11
db_port 3306
db_name ezlogin_qzms
db_user ezlogin_edcjwz
db_pass dsH)$s5xAE[QgFms
db_prefix aqvo_
cookie_encryption_key ASvs8^pnu^^X9
cookie_name lcrrfs
cookie_path /ezlogin/
www_folder /var/www/html/ezlogin/
admin_user admin
mysql_encrypt yes
mysql_ssl_key /etc/certs/client-key.pem
mysql_ssl_cert /etc/certs/client-cert.pem
mysql_ssl_ca /etc/certs/ca.pem
mysql_ssl_capath /etc/certs/
mysql_ssl_verify no
After adding the above lines to ez.conf, the connection between the master and slave nodes will be secure.