Configuring MySQL slave to use SSL


Problem

I am trying to set up a MySQL slave to use replication via SSL.

The my.cnf file contains the following:

server-id = 1012

master-host = host
master-port = port
master-user = user
master-password = password

ssl-ca=/etc/mysqld/ssl/ca-cert.pem
ssl-cert=/etc/mysqld/ssl/client-cert.pem
ssl-key=/etc/mysqld/ssl/client-key.pem


Starting the slave fails with SLAVE STATUS showing

Master_SSL_Allowed: No


When I manually set up the slave as follows:

CHANGE MASTER TO
     MASTER_HOST='host',
     MASTER_USER='user',
     MASTER_PASSWORD='secret',
     MASTER_SSL=1;
START SLAVE;


Everything works. Any idea what parameter I need to enter into my.cnf in order to force the slave to use SSL? The obvious choice - "master-ssl=1" did not work.

Solution

Older versions of MySQL allow declaring the CHANGE MASTER TO parameters in my.cnf. Newer versions may not. In fact, according to the MySQL Documentation concerning setting replication options in my.cnf:


Before MySQL 5.1.17, these options are silently ignored if given
unless there is no master.info file. If that file exists, the MySQL
server has already previously been configured for replication, so the
information in the file is used instead. Because the server gives an
existing master.info file precedence over the startup options just
described, you might elect not to use startup options for these values
at all, and instead to specify the replication parameters associated
with them by using the CHANGE MASTER TO statement. See Section
12.5.2.1, “CHANGE MASTER TO Syntax”.


Beginning with MySQL 5.1.17, these options are deprecated and have no
effect when mysqld is started. If they are used, an appropriate
warning is written to the error log. Instead, you must use CHANGE
MASTER TO to set the values corresponding to the deprecated options.
These options are removed in MySQL 5.5.

Naturally, running CHANGE MASTER TO generates a master.info file, which includes master_ssl. No harm, no foul. Relying on my.cnf for older versions of MySQL results in the option being ignored when no master.info exists. They are no longer valid.

Context

StackExchange Database Administrators Q#7583, answer score: 2
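
An added example (not part of the original answer, and not MySQL's own tooling): a Python check that flags the deprecated master-* startup options in a replica's my.cnf and reads Master_SSL_Allowed from SHOW SLAVE STATUS output. The option names beyond those in the question come from the MySQL 5.1 replication option list; the sample config and status text are constructed.

```python
import re

# Replication startup options deprecated from MySQL 5.1.17 and removed in 5.5.
DEPRECATED = {
    "master-host", "master-user", "master-password", "master-port",
    "master-connect-retry", "master-ssl", "master-ssl-ca", "master-ssl-capath",
    "master-ssl-cert", "master-ssl-cipher", "master-ssl-key",
}

def deprecated_options(cnf_text):
    """Return the deprecated master-* option names set under [mysqld]."""
    found, section = [], None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        # mysqld treats '_' and '-' in option names as equivalent
        name = re.split(r"[\s=#]", line, maxsplit=1)[0].lower().replace("_", "-")
        if section == "mysqld" and name in DEPRECATED:
            found.append(name)
    return found

def master_ssl_allowed(status_text):
    """Extract Master_SSL_Allowed from SHOW SLAVE STATUS output (None if absent)."""
    m = re.search(r"^\s*Master_SSL_Allowed:\s*(\S+)", status_text, re.MULTILINE)
    return m.group(1) if m else None

def audit(cnf_text, status_text):
    """Return findings for a replica's config file and its slave status."""
    findings = [f"my.cnf: {n} has no effect from 5.1.17; use CHANGE MASTER TO"
                for n in deprecated_options(cnf_text)]
    state = master_ssl_allowed(status_text)
    if state != "Yes":
        findings.append(f"Master_SSL_Allowed={state}: replication is not set to use SSL")
    return findings

# Constructed sample input, modelled on the question's my.cnf and status output.
SAMPLE_CNF = """[mysqld]
server-id = 1012
master-host = host
master-password = password
master_ssl = 1
ssl-ca=/etc/mysqld/ssl/ca-cert.pem
"""
SAMPLE_STATUS = "        Master_Host: host\n        Master_SSL_Allowed: No\n"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CNF, SAMPLE_STATUS)))
```

A master-password line flagged here is also a plaintext credential sitting in a config file that no longer uses it, so it is worth removing rather than just ignoring.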