-- Check TLS support before configuring it. Possible values:
--   YES      = TLS is available and active
--   DISABLED = compiled in, but no certificate/key is configured yet
--   NO       = this server build has no TLS support
mysql> SHOW VARIABLES LIKE 'have_ssl';
-- Create the account the replica uses to pull the binary log.
-- NOTE(review): the host part '%' lets this account authenticate from any
-- address, and until a REQUIRE clause is added (done further down the page)
-- it can also log in without TLS. Where the replica has a fixed hostname or
-- address, prefer that over '%' and use the same account name in every later
-- GRANT statement.
-- 'chooseyourownpassword!' is a placeholder; substitute a long random secret.
MariaDB [powerdns]> CREATE USER 'replicator'@'%' IDENTIFIED BY 'chooseyourownpassword!';
Query OK, 0 rows affected (0.00 sec)

-- REPLICATION SLAVE lets the account read the binary log;
-- REPLICATION CLIENT covers the replication status commands.
MariaDB [powerdns]> GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'replicator'@'%';
Query OK, 0 rows affected (0.00 sec)

-- NOTE(review): the replication threads do not need SELECT on powerdns.*;
-- presumably this is for manual checks. Drop it if unused (least privilege).
MariaDB [powerdns]> GRANT SELECT ON powerdns.* TO 'replicator'@'%';
Query OK, 0 rows affected (0.00 sec)

-- CREATE USER and GRANT take effect immediately; this statement is harmless
-- but only needed after direct edits to the grant tables.
MariaDB [powerdns]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)
# Master (ns1): create a directory for the TLS material and generate a
# self-signed certificate with a 4096-bit RSA key.
cert_dir=/etc/pki/tls/certs/mariadb
mkdir -p "$cert_dir"
cd "$cert_dir"

# -nodes leaves the private key unencrypted so mysqld can start unattended;
# the file permissions below are therefore the only protection for the key.
# -days 3650 gives a ten-year lifetime: plan how the certificate is replaced
# if the key ever leaks, since a self-signed certificate cannot be revoked by a CA.
openssl req -x509 -sha256 -newkey rsa:4096 \
    -keyout master-private.pem -out master-public.pem \
    -subj '/CN=ns1.polaire.nl' -nodes -days 3650

# Private key: owned by the mysql user and read-only for that user alone.
chown mysql master-private.pem
chmod 400 master-private.pem

# The certificate is self-signed (its own issuer), so it doubles as the CA
# bundle. Only this public file is ever distributed to other hosts.
cp master-public.pem ca.pem
[mysqld]
# Binary logging must be on for this server to act as replication master.
log_bin = mysql-bin
# Must differ from the server_id of every other server in the topology.
server_id = 10

# TLS material for the server. Setting these options enables TLS but does not
# force it: clients may still connect unencrypted unless their account
# carries a REQUIRE clause.
ssl-ca = /etc/pki/tls/certs/mariadb/ca.pem
ssl-cert = /etc/pki/tls/certs/mariadb/master-public.pem
# Must stay readable by the mysql user only.
ssl-key = /etc/pki/tls/certs/mariadb/master-private.pem
# Restart so mysqld loads the new [mysqld] settings (binary log, server_id,
# TLS files). Afterwards have_ssl should report YES.
systemctl restart mariadb
-- GRANT USAGE changes no privileges; it is used here only to attach the
-- REQUIRE clause. From now on the server rejects unencrypted logins for this
-- account. REQUIRE SSL does not demand a client certificate, so the password
-- is still the only proof of identity.
MariaDB [(none)]> GRANT USAGE ON *.* TO 'replicator'@'%' REQUIRE SSL;
Query OK, 0 rows affected (0.00 sec)

-- Confirm that the REQUIRE SSL clause shows up in the grant output.
MariaDB [(none)]> SHOW GRANTS FOR "replicator";
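# Presumably run on the replica (the client connects to ns1): create the
# same directory to hold the TLS files.
mkdir -p /etc/pki/tls/certs/mariadb
cd /etc/pki/tls/certs/mariadb

# ca.pem must already be present in this directory; the step that copies it
# from the master is not shown on this page. Copy only the public
# certificate, never master-private.pem.

# Test a TLS login against the master.
# -p without a value prompts for the password, so it does not land in shell
# history or in the process list (the same form the mysqldump step uses).
# --ssl-verify-server-cert is spelled out in full rather than relying on
# option-prefix matching; it makes the client check the server certificate
# against the host name given with -h.
mysql -u replicator -p -hns1.polaire.nl \
    --ssl-ca=/etc/pki/tls/certs/mariadb/ca.pem \
    --ssl-verify-server-cert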
-- Run inside the session opened above. A non-empty Value proves that this
-- connection is encrypted; an empty Value means it fell back to plaintext.
MariaDB [(none)]> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+---------------------------+
| Variable_name | Value                     |
+---------------+---------------------------+
| Ssl_cipher    | DHE-RSA-AES256-GCM-SHA384 |
+---------------+---------------------------+
1 row in set (0.05 sec)
-- Tighten the account from "any TLS connection" to "TLS with a client
-- certificate whose subject is exactly /CN=ns2.polaire.nl". This REQUIRE
-- clause replaces the earlier REQUIRE SSL; REQUIRE SUBJECT implies a valid
-- X.509 client certificate and therefore TLS.
-- NOTE(review): the subject is only a string match. Any certificate that
-- validates against the server's ssl-ca bundle and carries this subject is
-- accepted, so keep that bundle limited to certificates you control;
-- adding "AND ISSUER '...'" narrows it further.
MariaDB [(none)]> GRANT USAGE ON *.* TO 'replicator'@'%' REQUIRE SUBJECT '/CN=ns2.polaire.nl';

-- Confirm that the REQUIRE SUBJECT clause shows up in the grant output.
MariaDB [(none)]> SHOW GRANTS FOR "replicator";
# Generate the replica's (ns2) own self-signed certificate and key. The
# subject must match the REQUIRE SUBJECT value set on the replicator account.
cd /etc/pki/tls/certs/mariadb
openssl req -x509 -sha256 -newkey rsa:4096 \
    -keyout slave-private.pem -out slave-public.pem \
    -subj '/CN=ns2.polaire.nl' -nodes -days 3650

# Unencrypted key (-nodes): restrict it to the mysql user.
chown mysql slave-private.pem
chmod 400 slave-private.pem

# Add the replica's certificate to the CA bundle so that it is trusted.
# Only slave-public.pem is appended; slave-private.pem never leaves this host.
# NOTE(review): the page does not say on which host the next two commands
# run. The master's ssl-ca bundle is the one that must contain
# slave-public.pem for the client-certificate check to succeed, and the
# master must be restarted to reload it. Confirm before following blindly.
cat slave-public.pem >> ca.pem

systemctl restart mariadb
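# Test the login again, this time presenting the replica's client
# certificate, which the account's REQUIRE SUBJECT clause now demands.
# -p without a value prompts for the password, so it does not land in shell
# history or in the process list.
# --ssl-verify-server-cert is added to match the earlier connection test and
# the Master_SSL_Verify_Server_Cert = 1 replication setting: without it the
# client encrypts the session but does not check which server it reached.
mysql -u replicator -p -hns1.polaire.nl \
    --ssl-ca=/etc/pki/tls/certs/mariadb/ca.pem \
    --ssl-cert=/etc/pki/tls/certs/mariadb/slave-public.pem \
    --ssl-key=/etc/pki/tls/certs/mariadb/slave-private.pem \
    --ssl-verify-server-cert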
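# Take a consistent snapshot of the master to seed the replica.
# --single-transaction gives a consistent view without locking InnoDB
# tables; --master-data=1 writes a CHANGE MASTER TO statement with the
# matching binary-log coordinates into the dump.
#
# --all-databases includes the mysql system database, i.e. every account and
# its password hash, and /tmp is world-accessible. The subshell's umask makes
# the file readable by its owner only. umask affects only a newly created
# file, so make sure no older /tmp/master_backup.sql exists first.
# Transfer the file over an encrypted channel and delete it on both hosts
# once the import is done.
(
    umask 077
    mysqldump -u root -p --single-transaction --all-databases --master-data=1 > /tmp/master_backup.sql
)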
[mysqld]
# Replica settings. server_id must differ from the master's (10).
server_id = 20
log_bin = mysql-bin
# Also write replicated changes to this server's own binary log.
log_slave_updates = 1
relay_log = mysql-relay-bin
# Blocks writes from ordinary accounts so the replica cannot drift from the
# master. Accounts with the SUPER privilege are not restricted by read_only.
read_only = 1
-- Load the master snapshot on the replica. The dump was taken with
-- --all-databases, so it also replaces this server's mysql system database:
-- after the import the replica's accounts and passwords are the master's.
-- Remove /tmp/master_backup.sql once the import has finished.
MariaDB [(none)]> source /tmp/master_backup.sql
-- Point the replica at the master and require a verified TLS connection.
-- MASTER_SSL_VERIFY_SERVER_CERT = 1 makes the replica check the master's
-- certificate against MASTER_HOST, so a host that merely answers on that
-- name without the matching certificate is rejected.
-- 'yourpassword' is a placeholder. The value given here is kept in clear
-- text in the replica's master.info file, so keep the data directory
-- readable by the mysql user only.
-- NOTE(review): no MASTER_LOG_FILE / MASTER_LOG_POS is given; the
-- coordinates are expected to come from the CHANGE MASTER TO statement that
-- --master-data=1 placed in the dump. Naming MASTER_HOST here may reset
-- them. Compare SHOW SLAVE STATUS with the dump before starting the slave.
CHANGE MASTER TO
    MASTER_HOST = 'ns1.polaire.nl',
    MASTER_USER = 'replicator',
    MASTER_PASSWORD = 'yourpassword',
    MASTER_SSL = 1,
    MASTER_SSL_CA = '/etc/pki/tls/certs/mariadb/ca.pem',
    MASTER_SSL_CERT = '/etc/pki/tls/certs/mariadb/slave-public.pem',
    MASTER_SSL_KEY = '/etc/pki/tls/certs/mariadb/slave-private.pem',
    MASTER_SSL_VERIFY_SERVER_CERT = 1;
Query OK, 0 rows affected (0.08 sec)
-- Start the replication threads.
MariaDB [(none)]> slave start;
Query OK, 0 rows affected (0.00 sec)

-- Verify the result: Slave_IO_Running and Slave_SQL_Running should both be
-- Yes, Master_SSL_Allowed should be Yes, and Last_IO_Error should be empty.
-- A TLS or certificate problem is reported in Last_IO_Error.
MariaDB [(none)]> show slave status \G