MASTER服務器配置爲CA
# --- run on MASTER: make this host the CA that signs both servers' certificates ---
ca_dir=/etc/pki/CA
# `openssl ca` needs an index database and a starting serial number
touch "$ca_dir/index.txt"
echo 01 > "$ca_dir/serial"
cd "$ca_dir"
# 2048-bit CA key; umask 066 makes the file 0600 so only root can read it
(umask 066; openssl genrsa -out private/cakey.pem 2048)
# self-signed CA certificate, valid 730 days (subject fields are prompted for interactively)
openssl req -new -x509 -key private/cakey.pem -days 730 -out cacert.pem
爲MASTER生成私鑰證書
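# --- run on MASTER: server key + CSR, signed by the CA configured above ---
ssl_dir=/usr/local/mysql/ssl
mkdir -pv "$ssl_dir"
cd "$ssl_dir" || exit 1
# 2048-bit key: 1024-bit RSA (as in the original) is considered too weak today, and the CA key is
# already 2048. umask 077 makes the key file 0600 so nobody but the owner can read it.
(umask 077; openssl genrsa -out mysql.key 2048)
# CSR for this server (original had a typo, `-kdy`). The CN/SAN should be the address the
# slave later uses as master_host (172.16.19.22) if server-certificate verification is wanted.
openssl req -new -key mysql.key -out mysql.csr
# sign with the local CA (uses /etc/pki/CA/index.txt and serial from the CA step)
openssl ca -in mysql.csr -out mysql.crt
# the server needs the CA certificate to validate the slave's client certificate
cp /etc/pki/CA/cacert.pem "$ssl_dir"/
# mysqld runs as `mysql`; it must be able to read key, cert and CA cert
chown -R mysql:mysql "$ssl_dir"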
SLAVE 生成私鑰與 CSR，送到 MASTER（172.16.19.22）上的 CA 簽發後取回證書
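# --- run on SLAVE (172.16.19.21): key + CSR; only the CSR leaves this host ---
ssl_dir=/usr/local/mysql/ssl
mkdir -pv "$ssl_dir"
cd "$ssl_dir" || exit 1
# 2048-bit key, 0600 via umask 077 (the original used 1024 bits, which is too weak)
(umask 077; openssl genrsa -out mysql.key 2048)
openssl req -new -key mysql.key -out mysql.csr
# send the CSR to the CA host into a named location (the original copied it to `/`,
# which leaves the next step's working directory ambiguous)
scp mysql.csr 172.16.19.22:/root/slave.csr

# --- run on MASTER (172.16.19.22): sign the slave CSR and ship cert + CA cert back ---
# output file is named mysql.crt on the slave so it matches ssl_cert / master_ssl_cert there
openssl ca -in /root/slave.csr -out /root/slave.crt
scp /root/slave.crt 172.16.19.21:/usr/local/mysql/ssl/mysql.crt
scp /etc/pki/CA/cacert.pem 172.16.19.21:/usr/local/mysql/ssl/cacert.pem

# --- back on SLAVE: key material must be owned by the account mysqld runs as ---
# (explicit path instead of the original `./*`, whose result depended on the current directory)
chown -R mysql:mysql /usr/local/mysql/ssl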
MASTER SSL配置:
vim /etc/my.cnf   # add the lines below in the server option group (normally [mysqld]), not at the end of an unrelated group
# enable TLS for client connections (including the replication slave)
ssl
# CA that signed both the master and the slave certificate
ssl-ca=/usr/local/mysql/ssl/cacert.pem
# this server's certificate and private key (key should be 0600, owned by mysql)
ssl-cert=/usr/local/mysql/ssl/mysql.crt
ssl-key=/usr/local/mysql/ssl/mysql.key
# must differ from the slave's server_id
server_id=1
innodb_file_per_table=ON
# binary log the slave reads; the directory must exist and be writable by mysql
log_bin=/webdata/log/log_bin_file
systemctl restart mariadb   # if startup fails, check the error log first (unreadable key/cert files are a common cause)
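-- sanity check: have_ssl should be YES and ssl_ca / ssl_cert / ssl_key should show the paths configured above
MariaDB [(none)]> show global variables like '%ssl%';
-- replication account. Compared with the original:
--   * host is restricted to the slave's address (172.16.19.21) instead of '%'
--   * REQUIRE SSL rejects plaintext logins for this account, so a misconfigured slave cannot
--     silently fall back to cleartext (REQUIRE X509 would additionally demand a client certificate)
-- 'centos' is a weak example password; use a long random one outside a lab
MariaDB [(none)]> GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'back'@'172.16.19.21' IDENTIFIED BY 'centos' REQUIRE SSL;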
SLAVE SSL配置:
vim /etc/my.cnf   # add the lines below in the server option group (normally [mysqld])
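# enable TLS and point to the files produced in the SLAVE certificate step.
# The original named cacrt.pem / slave.crt / slave.key, which are never created;
# the generated files are cacert.pem / mysql.crt / mysql.key, the same names the
# CHANGE MASTER statement uses.
ssl
ssl_ca = /usr/local/mysql/ssl/cacert.pem
ssl_cert = /usr/local/mysql/ssl/mysql.crt
ssl_key = /usr/local/mysql/ssl/mysql.key
innodb_file_per_table=1
# match account hosts by IP only (no reverse DNS); grants must then use IP addresses
skip_name_resolve=1
# must differ from the master's server_id=1
server_id=2
# relay log directory must exist and be writable by mysql
relay_log=/sqldata/logs/relay-log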
systemctl restart mariadb   # check the error log if the service does not come up
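-- master_log_file / master_log_pos are taken from SHOW MASTER STATUS on the master.
-- The original split the master_ssl_ca literal across two lines, which embeds a newline in the
-- path; the statement is one line here.
-- master_ssl=1 with master_ssl_ca makes the slave accept only certificates signed by our CA, but it
-- does NOT check that the certificate belongs to 172.16.19.22. Add master_ssl_verify_server_cert=1
-- once the master certificate's CN/SAN matches master_host.
-- master_password is stored in clear text in the slave's master.info; protect the data directory.
change master to master_host='172.16.19.22', master_user='back', master_password='centos', master_log_file='log_bin_file.000003', master_log_pos=245, master_ssl=1, master_ssl_ca='/usr/local/mysql/ssl/cacert.pem', master_ssl_cert='/usr/local/mysql/ssl/mysql.crt', master_ssl_key='/usr/local/mysql/ssl/mysql.key';
MariaDB [(none)]> start slave;
-- verify with: show slave status\G  (Slave_IO_Running / Slave_SQL_Running = Yes, Master_SSL_Allowed = Yes)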