ca, master, slave certificates
-- 证书生成的目录
mkdir /etc/my.cnf.d/ssl
-- 利用 rsa算法生成一个 2048位的私钥,没有加密
openssl genrsa 2048 > cakey.pem
-- 利用私钥自签名一个证书,ca自己的证书
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
-- master的证书申请文件
openssl req -newkey rsa:1024 -days 365 -nodes -keyout master.key > master.csr
-- 颁发证书,证书编号为01,master的证书
openssl x509 -req -in master.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt
-- slave的证书申请文件
openssl req -newkey rsa:1024 -days 365 -nodes -keyout slave.key > slave.csr
-- 颁发证书,证书编号为02,slave的证书
openssl x509 -req -in slave.csr -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt
master configuration
Profiles
vim /etc/my.cnf
[mysqld]
server_id=7
log_bin=/data/logbin/mariadb-bin
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/master.crt
ssl-key=/etc/my.cnf.d/ssl/master.key
The certificate from the node to the catalog copy
scp -r /etc/my.cnf.d/ssl/ 192.168.43.17:/etc/my.cnf.d/
Remote users forced to use ssl
MariaDB [(none)]> grant replication slave on *.* to repluser2@'192.168.43.%' identified by 'centos' require ssl;
slave configuration
Profiles
vim /etc/my.cnf
[mysqld]
server_id=17
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/slave.crt
ssl-key=/etc/my.cnf.d/ssl/slave.key
Primary user specified connection, binary file, and
MariaDB [(none)]> CHANGE MASTER TO
MASTER_HOST='192.168.43.7',
MASTER_USER='repluser2',
MASTER_PASSWORD='centos',
MASTER_LOG_FILE='mariadb-bin.000005',
MASTER_LOG_POS=584,
MASTER_SSL=1,
MASTER_SSL_CA = '/etc/my.cnf.d/ssl/cacert.pem',
MASTER_SSL_CERT = '/etc/my.cnf.d/ssl/slave.crt',
MASTER_SSL_KEY = '/etc/my.cnf.d/ssl/slave.key';
