Mysql – Can’t connect to MySQL 5.5 with SSL

MySQL, replication, rhel6, ssl

I am trying to get MySQL SSL replication set up for two brand new RHEL 6.6 x64 servers. I have replication working without SSL, but I can't get it set up with SSL, and can't connect directly using SSL either. I have tried connecting from both the master and the slave with mysql -h x.x.x.x -u root -p --ssl=1 --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem, as well as locally (Windows + MySQL Workbench). No matter what, I get:

ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

Since RHEL came with MySQL 5.1, I upgraded both master and slave to 5.5 per https://webtatic.com/packages/mysql55/. mysql --version for both now shows "Ver 14.14 Distrib 5.5.43, for Linux (x86_64) using readline 5.1".

Then I tried to set up SSL with self-signed certs and replication based on the tutorial at https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl-encryption-on-centos-5.4

I made sure to use different Common Names for all three certificates, and openssl verify confirms that both client-cert.pem and server-cert.pem are "OK" when tested against ca.pem.

But I still get the SSL connection error above no matter what I try. No errors in the master's error log, nothing else I can see that would be causing the failure. Any help would be greatly appreciated!

Thank you.

Best Answer

Ensure the Common Name of your CA certificate and Server certificates are different.

If your certificates were generated using openssl with a version greater than 1.0 and are RSA, reformat your keys using the following: openssl rsa -in key-from-openssl-1.pem -out pkcs1-yassl-compatible-key.pem (replace filenames as appropriate). The reason for this is that the key format is not compatible with yaSSL, which is what MySQL uses for SSL. Alternatively, open the pem files with an editor, and replace BEGIN PRIVATE KEY with BEGIN RSA PRIVATE KEY.
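The key-format check and conversion described in the answer, as an added shell example that is not part of the original answer. The function names key_format and to_pkcs1 are hypothetical. The -traditional fallback assumes OpenSSL 3.x, where openssl rsa writes PKCS#8 unless that option is given.

```shell
#!/bin/sh
# Added example: classify a PEM private key by its BEGIN line and write a
# PKCS#1 ("BEGIN RSA PRIVATE KEY") copy for a yaSSL-based MySQL build.

# Print pkcs1, pkcs8, pkcs8-encrypted or unknown for the key file in $1.
key_format() {
    # Strip CRs so keys edited on Windows are still recognised.
    header=$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN .*PRIVATE KEY-----$/{p;q;}')
    case "$header" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Write a PKCS#1 copy of the RSA key $1 to $2; the input file is not modified.
# Returns non-zero unless the output really carries the PKCS#1 header.
to_pkcs1() {
    (
        umask 077   # the new key file must not be group/world readable
        openssl rsa -in "$1" -out "$2" 2>/dev/null || exit 1
        if [ "$(key_format "$2")" != pkcs1 ]; then
            # OpenSSL 3.x: "openssl rsa" emits PKCS#8 unless -traditional is set.
            openssl rsa -traditional -in "$1" -out "$2" 2>/dev/null || exit 1
        fi
        [ "$(key_format "$2")" = pkcs1 ]
    )
}

# Usage: sh script.sh server-key.pem
if [ "$#" -eq 1 ]; then
    case "$(key_format "$1")" in
        pkcs1) echo "$1: already PKCS#1, nothing to do" ;;
        pkcs8) out="${1%.pem}-pkcs1.pem"
               to_pkcs1 "$1" "$out" && echo "wrote $out" ;;
        *)     echo "$1: not an unencrypted RSA PEM key" >&2; exit 1 ;;
    esac
fi
```

Point ssl-key in my.cnf (and --ssl-key on the client) at the converted file, and confirm the header with key_format before restarting mysqld.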
