mysql replication支持ssl，一主一从 +CA服务器

【推荐阅读】微服务还能火多久？>>>

先检查主机上有没有安装openssl这个软件： rpm -qa |grep openssl

1、将Master服务器自己做成CA服务器
[root@gyf  ~]# cd /etc/pki/CA/

[root@gyf  CA]# ll
total 16
drwxr-xr-x. 2 root root 4096 2月  22 2013 certs  发证的目录
drwxr-xr-x. 2 root root 4096 2月  22 2013 crl   吊销证书的目录
drwxr-xr-x. 2 root root 4096 2月  22 2013 newcerts  发新证的目录
drwx------. 2 root root 4096 2月  24 18:55 private  私钥目录
（1）先给自己生成私钥，必须放在CA目录下的private下

(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

使用（），只让umask 077在子shell生效，genrsa一种加密工具 -out 输出文件保存位置 私钥长度 2048

（2）生成 CA 证书请求

为了获取一个 CA 根证书，我们需要先制作一份证书请求。先前生成的 CA 密钥对被用于对证书请求签名。

[root@gyf  CA]# openssl req -new -x509 -days 365 -key private/cakey.pem -out cacret.pem


    req 用于生成证书请求的 OpenSSL 命令。

    -new  生成一个新的证书请求。该参数将令 OpenSSL 在证书请求生成过程中要求用户填写一些相应的字段。
    
    -x509 加密协议，

    -days 365 从生成之时算起，证书时效为 365 天。

    -key ./private/cakey.pem 指定 ./private/cakey.pem 为证书所使用的密钥对文件。

    -out careq.pem  生成的证书请求保存到文件 cacert.pem 。
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN 国家代码
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: Cent64 作为ca 填写主机名
Email Address []:
//生成index.txt(证书的索引)
[root@gyf  CA]# touch index.txt
//证书的序列号
[root@gyf  CA]# echo 01 > serial
此命令可自动创建serial文件
2、为Master创建证书申请并由CA服务器签发证书
[root@gyf  CA]# mkdir /usr/local/mysql/ssl
[root@gyf  CA]# (umask 077;openssl genrsa -out master.key 2048)
[root@gyf  ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
unable to load number from /etc/pki/CA/serial
error while loading serial number  
140460142339912:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
一般是因为serial文件中没有赋初值
[root@gyf  CA]# echo 01 > serial

[root@Cent64 ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 25 07:30:37 2014 GMT
            Not After : Feb 25 07:30:37 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HeNan
            organizationName          = Default Company Ltd
            commonName                = Cent64
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B2:AF:8C:EA:4D:56:91:D6:B3:7B:05:12:9A:08:EE:7D:55:78:FC:F4
            X509v3 Authority Key Identifier:
                keyid:62:72:F2:6C:01:26:6B:04:84:0E:72:C6:84:58:13:A1:63:C3:2E:4F

Certificate is to be certified until Feb 25 07:30:37 2015 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


3、为Slave服务器创建证书申请

[root@gyf  ~]# mkdir /usr/local/mysql/ssl
[root@gyf  ~]# cd /usr/local/mysql/ssl/
[root@gyf  ssl]# (umask 077;openssl genrsa -out slave.key 2048)
[root@Cent67 ssl]# openssl req -new -key slave.key -out slave.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Cent67
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mysql
An optional company name []:

4、为Slave服务器签署证书
######将证书申请请求拷贝到CA服务器签署
[root@Cent67 ssl]# scp slave.csr root@10.10.54.64:/tmp/

[root@Cent64 ssl]# openssl ca -in /tmp/slave.csr -out /tmp/slave.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Feb 25 07:32:55 2014 GMT
            Not After : Feb 25 07:32:55 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HeNan
            organizationName          = Default Company Ltd
            commonName                = Cent67
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                73:A7:EA:D4:E4:A5:DF:CD:A0:48:7D:39:90:85:76:82:E7:AF:B4:54
            X509v3 Authority Key Identifier:
                keyid:62:72:F2:6C:01:26:6B:04:84:0E:72:C6:84:58:13:A1:63:C3:2E:4F

Certificate is to be certified until Feb 25 07:32:55 2015 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

######签署好证书申请拷贝到Slave服务器
[root@Cent64 ssl]# scp /tmp/slave.crt root@10.10.54.67:/usr/local/mysql/ssl/


5、将CA证书拷贝到Slave服务器并为Master拷贝一份
[root@Cent64 ssl]# scp /etc/pki/CA/cacert.pem root@10.10.54.67:/usr/local/mysql/ssl/

[root@Cent64 ssl]# cp /etc/pki/CA/cacert.pem /usr/local/mysql/ssl/

6、修改Master与Slave服务器证书属主、属组为"mysql"用户
######修改Master服务器
[root@Cent64 ssl]# chown -R mysql.mysql /usr/local/mysql/ssl
[root@Cent64 ssl]# ll /usr/local/mysql/ssl/
total 20
-rw-r--r-- 1 mysql mysql 1310 2月  25 15:35 cacert.pem
-rw-r--r-- 1 mysql mysql 4419 2月  25 15:30 master.crt
-rw-r--r-- 1 mysql mysql 1029 2月  25 15:30 master.csr
-rw------- 1 mysql mysql 1675 2月  25 15:30 master.key

######修改slave服务器
[root@Cent67 ssl]# chown -R mysql.mysql /usr/local/mysql/ssl
[root@Cent67 ssl]# ll /usr/local/mysql/ssl/
total 20
-rw-r--r-- 1 mysql mysql 1310 2月  25 17:05 cacert.pem
-rw-r--r-- 1 mysql mysql 4419 2月  25 17:04 slave.crt
-rw-r--r-- 1 mysql mysql 1029 2月  25 17:02 slave.csr
-rw------- 1 mysql mysql 1679 2月  25 17:02 slave.key





7、
在Master与Slave服务器修改主配置文件开启SSL加密功能
mysql5.5复制配置

1.规划网络和主从机器
master:10.10.54.64
slave:10.10.54.67

2.master config
 vim /etc/my.cnf   
log-bin=master-bin
server-id=1
binlog_formate=mixed
#开启SSL功能   
[mysqld]            
ssl                                               #开启SSL功能
ssl_ca = /usr/local/mysql/ssl/cacert.pem          #指定CA文件位置
ssl_cert = /usr/local/mysql/ssl/master.crt  #指定证书文件位置
ssl_key = /usr/local/mysql/ssl/master.key   #指定密钥所在位置
######查看master服务器SSL是否开启
mysql> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | YES                             |
| have_ssl      | YES                             |
| ssl_ca        | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath    |                                 |
| ssl_cert      | /usr/local/mysql/ssl/master.crt |
| ssl_cipher    |                                 |
| ssl_key       | /usr/local/mysql/ssl/master.key |
+---------------+---------------------------------+


3.slave config
log-bin=slave-bin
binlog_formate=mixed
server-id=10
必须大于主
#开启SSL功能  
[mysqld]             
ssl                                               #开启SSL功能
ssl_ca = /usr/local/mysql/ssl/cacert.pem          #指定CA文件位置
ssl_cert = /usr/local/mysql/ssl/slave.crt  #指定证书文件位置
ssl_key = /usr/local/mysql/ssl/slave.key   #指定密钥所在位置
######查看Slave服务器SSL是否开启
[root@slave  ~]# mysql
mysql> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | YES                             |
| have_ssl      | YES                             |
| ssl_ca        | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath    |                                 |
| ssl_cert      | /usr/local/mysql/ssl/slave.crt  |
| ssl_cipher    |                                 |
| ssl_key       | /usr/local/mysql/ssl/slave.key  |
+---------------+---------------------------------+


4.在master上面创建一个复制用户并授予权限
mysql> grant replication slave on *.* to 'gyf'@'10.10.54.67' identified by 'aaa12345'require ssl;;
mysql> flush privileges;
//在slave上测试是否能用复制用户登录
[root@gyf  ~]# mysql -ugyf -paaa12345 -h10.10.54.64 -ssl-ca=/usr/local/mysql/ssl/cacert.pem --ssl-cert=/usr/local/mysql/ssl/slave.crt --ssl-key=/usr/local/mysql/ssl/slave.key

5.查看master上二进制日志和position位置
root@(none) 17:08>show master status;
+-------------------+----------+--------------+------------------+
| File              | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+----------+--------------+------------------+
| master-bin.000007 |      343 |              |                  |
+-------------------+----------+--------------+------------------+


CHANGE MASTER TO MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=107;

拓展：重置master  reset master
6.备份master上的数据,把备份maste数据库还原到从库上
[root@gyf  ~]# mysqldump -uroot -paaa12345 --databases employees |mysql -uroot -paaa12345 -h10.10.54.67

[root@nan86 tmp]# mysqldump -uroot -paaa12345 --master-data=2 --single-transaction --flush-logs --database employees >employees.sql

[root@gyf  ~]# mysqldump -uroot -paaa12345 --databases employees |mysql -uroot -paaa12345 -h10.10.54.67

[root@gyf  tmp]# mysql -uroot -paaa12345 -h10.10.54.67<employees.sql
ERROR 1130 (HY000): Host '10.10.54.64' is not allowed to connect to this MySQL server

mysql> grant all privileges on *.*  to root@10.10.54.64 identified by 'aaa12345';
mysql> flush privileges;

[root@nan86 tmp]# mysql -uroot -paaa12345 -h10.10.54.67<employees.sql

7.在slave上面change master操作
mysql> change master to master_host='10.10.54.64',master_user='gyf',
    master_password='aaa12345',
   master_log_file='master-bin.000001',master_log_pos=107,master_ssl=1,
master_ssl_ca='/usr/local/mysql/ssl/cacert.pem',
master_ssl_cert='/usr/local/mysql/ssl/slave.crt',
master_ssl_key='/usr/local/mysql/ssl/slave.key';


8.启动slave
root@(none) 19:02>start slave;
9.查看slave状态
确定slave上的I/O线程和SQL线程状态为YES
root@(none) 19:02>show slave status\G;
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 10.10.54.64
                  Master_User: gyf
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: master-bin.000007
          Read_Master_Log_Pos: 343
               Relay_Log_File: Cent67-relay-bin.000002
                Relay_Log_Pos: 254
        Relay_Master_Log_File: master-bin.000007
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes


//可以单独停掉某一个线程
mysql> STOP SLAVE IO_THREAD;
mysql> STOP SLAVE SQL_THREAD;

###测试
在master上

root@(none) 17:11>create database a;

root@(none) 17:25>show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| a                  |
| employees          |
| mysql              |
| performance_schema |
| test               |
+--------------------+
在slave上
root@(none) 19:04>show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| a                  |
| employees          |
| mysql              |
| performance_schema |
| test               |
+--------------------+

来源：oschina

链接：https://my.oschina.net/u/1458120/blog/203972