
Re: can't authenticate ssl user account




Hi Reindel,

> your client configuration shows no indication for SSL, i see it in my.cnf
> only in the [mysqld] section and remember when you initialize replication
> you need to specify it there too
>
> i doubt there is anything to change the logging but since you *know* what
> that user requires that should really not be the problem - said from
> somebody using SSL for any mysql connection over TCP for years now
> (replication, php-applications, cli-client...)
>


Ok!! Thanks. But when I try to set up my client configuration to use SSL,
mariadb server refuses to start. It times out:

[root@db2:~] #systemctl status mysql.service
mysql.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysql)
   Active: failed (Result: exit-code) since Tue 2015-07-21 18:29:24 UTC; 13s ago
  Process: 19965 ExecStop=/etc/rc.d/init.d/mysql stop (code=exited, status=0/SUCCESS)
  Process: 21973 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=1/FAILURE)

Jul 21 18:29:23 db2 systemd[1]: Starting LSB: start and stop MySQL...
Jul 21 18:29:24 db2 mysql[21973]: Starting MySQL. ERROR!
Jul 21 18:29:24 db2 systemd[1]: mysql.service: control process exited, code=exited status=1
Jul 21 18:29:24 db2 systemd[1]: Failed to start LSB: start and stop MySQL.
Jul 21 18:29:24 db2 systemd[1]: Unit mysql.service entered failed state.


Here's my my.cnf on the client side that is causing the timeout error to
occur:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
old_passwords=1
ssl
server-id=2
replicate-do-db=jfwiki

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
master-connect-retry=60

!includedir /etc/my.cnf.d

[client]
ssl-ca=/opt/mysql/ca-cert.pem
ssl-cert=/opt/mysql/client-cert.pem
ssl-key=/opt/mysql/client-key.pem

Any idea why that's happening or how to correct it?

Thanks,
Tim

On Tue, Jul 21, 2015 at 4:25 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx>
wrote:

>
> On 21.07.2015 at 05:03, Tim Dunphy wrote:
>
>> I see absolutely NO indication as to why the login for the 'slave2' user
>> (that requires SSL) is failing
>>
>> So my questions are 1) how do I bump up the verbosity on the logs so I can
>> get an indication as to why this is failing? 2) what is the best way to
>> troubleshoot this?
>>
>
> your client configuration shows no indication for SSL, i see it in my.cnf
> only in the [mysqld] section and remember when you initialize replication
> you need to specify it there too
>
> i doubt there is anything to change the logging but since you *know* what
> that user requires that should really not be the problem - said from
> somebody using SSL for any mysql connection over TCP for years now
> (replication, php-applications, cli-client...)
>
> CHANGE MASTER TO MASTER_HOST='masterip', MASTER_USER='user',
> MASTER_PASSWORD='password', MASTER_PORT=3306, MASTER_CONNECT_RETRY=3600,
> MASTER_SSL=1, MASTER_SSL_CA='/etc/mysqlssl/ca.crt',
> MASTER_SSL_CERT='/etc/mysqlssl/client.pem',
> MASTER_SSL_KEY='/etc/mysqlssl/client.pem'; START SLAVE;
>
>


-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
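
Added example (not part of the thread): a small Python check for the point made in the quoted reply, reporting for each option group whether SSL is switched on and which of ssl-ca, ssl-cert and ssl-key are set. The function names are hypothetical and the sample is abridged from the my.cnf in the message; !include lines are listed but not followed, so options they supply are not seen.

```python
import re

TLS_PATHS = ("ssl-ca", "ssl-cert", "ssl-key")

# Constructed sample, abridged from the option file quoted in the message.
SAMPLE = """\
[mysqld]
ssl
server-id=2

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log

!includedir /etc/my.cnf.d

[client]
ssl-ca=/opt/mysql/ca-cert.pem
ssl-cert=/opt/mysql/client-cert.pem
ssl-key=/opt/mysql/client-key.pem
"""

def parse_option_file(text):
    """Return ({group: {option: value-or-None}}, [unfollowed !include lines])."""
    groups, includes, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("!"):
            includes.append(line)         # !include / !includedir: not followed here
        elif re.fullmatch(r"\[[^\]]+\]", line):
            current = groups.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None:
            key, sep, value = line.partition("=")
            # '-' and '_' are interchangeable in option names; bare flags get None
            current[key.strip().replace("_", "-")] = value.strip() if sep else None
    return groups, includes

def tls_report(text):
    """Per group: is TLS switched on, and which certificate paths are absent?"""
    groups, includes = parse_option_file(text)
    report = {}
    for name, opts in groups.items():
        missing = [o for o in TLS_PATHS if not opts.get(o)]
        enabled = "ssl" in opts or len(missing) < len(TLS_PATHS)
        report[name] = {"tls": enabled, "missing": missing}
    return report, includes

if __name__ == "__main__":
    print(tls_report(SAMPLE))
```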