MySQL Replication with SSL Error_code: 2026 – Resolved

We keep returning to an issue with MySQL Replication whereby we keep seeing error code 2026 when trying to set it up with SSL:
[ERROR] Slave I/O: error connecting to master ‘———@———-:—-‘ – retry-time: 60 retries: 86400, Error_code: 2026

The simplest answer is: DON'T USE OPENSSL. MySQL comes bundled with yaSSL; just specify --with-ssl on the configure line rather than adding your OpenSSL path, and MySQL will compile with the internal yaSSL. The same config works just fine with yaSSL, and doesn't with OpenSSL.

Are there security implications with doing this? Possibly, as yaSSL has had issues in the past. But if you're opening up your MySQL servers to the public then you're probably already weighing up risk vs functionality anyway.

Just for the record, some key points from the my.cnf files:
[client]
timezone = UTC
ssl-ca=/etc/certs/ca-cert.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem

[server]
ssl
ssl-ca=/etc/certs/ca-cert.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem

And the MASTER config, as shown by SHOW SLAVE STATUS on the slave:
| Slave_IO_State | Master_Host | Master_User | Master_Port | Connect_Retry | Master_Log_File | Read_Master_Log_Pos | Relay_Log_File | Relay_Log_Pos | Relay_Master_Log_File | Slave_IO_Running | Slave_SQL_Running | Replicate_Do_DB | Replicate_Ignore_DB | Replicate_Do_Table | Replicate_Ignore_Table | Replicate_Wild_Do_Table | Replicate_Wild_Ignore_Table | Last_Errno | Last_Error | Skip_Counter | Exec_Master_Log_Pos | Relay_Log_Space | Until_Condition | Until_Log_File | Until_Log_Pos | Master_SSL_Allowed | Master_SSL_CA_File | Master_SSL_CA_Path | Master_SSL_Cert | Master_SSL_Cipher | Master_SSL_Key | Seconds_Behind_Master | Master_SSL_Verify_Server_Cert | Last_IO_Errno | Last_IO_Error | Last_SQL_Errno | Last_SQL_Error |
| Waiting for master to send event | IPADDRESSS | mysqlrepl | PORT | 60 | mysql_bin_log.000539 | 1652774 | relay-bin.000006 | 1652923 | mysql_bin_log.000539 | Yes | Yes | | | | | | | 0 | | 0 | 1652774 | 1750495 | None | | 0 | Yes | /etc/certs/ca-cert.pem | /etc/certs/ | /etc/certs/client-cert.pem | | /etc/certs/client-key.pem | 0 | No | 0 | | 0 | |
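
The SSL columns in the status output above map onto CHANGE MASTER TO options as follows. This is an added example, not taken from the original post: the host names, port, password and binary log coordinates are placeholders, the paths and user name come from the output above, and the syntax assumes the MySQL 5.x series.

```sql
-- Added example; placeholders are marked. Run from the mysql command-line client.

-- On the master: accept the replication account only over an encrypted link.
-- 'slave.example.com' and the password are placeholders.
GRANT REPLICATION SLAVE ON *.*
  TO 'mysqlrepl'@'slave.example.com'
  IDENTIFIED BY 'REPLACE_WITH_PASSWORD'
  REQUIRE SSL;

-- On the slave: point replication at the master using the client certificate.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_HOST          = 'master.example.com',       -- placeholder
  MASTER_PORT          = 3306,                       -- placeholder (MySQL default)
  MASTER_USER          = 'mysqlrepl',
  MASTER_PASSWORD      = 'REPLACE_WITH_PASSWORD',    -- placeholder
  MASTER_CONNECT_RETRY = 60,
  -- Placeholders: take both values from SHOW MASTER STATUS on the master.
  -- Naming MASTER_HOST or MASTER_PORT resets the stored coordinates,
  -- so they have to be given again here.
  MASTER_LOG_FILE      = 'REPLACE_WITH_BINLOG_FILE',
  MASTER_LOG_POS       = 4,
  MASTER_SSL           = 1,                          -- Master_SSL_Allowed: Yes
  MASTER_SSL_CA        = '/etc/certs/ca-cert.pem',   -- Master_SSL_CA_File
  MASTER_SSL_CAPATH    = '/etc/certs/',              -- Master_SSL_CA_Path
  MASTER_SSL_CERT      = '/etc/certs/client-cert.pem',
  MASTER_SSL_KEY       = '/etc/certs/client-key.pem',
  -- 0 matches Master_SSL_Verify_Server_Cert: No in the output above.
  -- With 1, the slave also checks that the Common Name in the master's
  -- certificate matches MASTER_HOST, so the certificate must carry that name.
  MASTER_SSL_VERIFY_SERVER_CERT = 0;
START SLAVE;

-- Check the result: Slave_IO_Running should be Yes and Last_IO_Errno 0.
-- An I/O thread that cannot complete the SSL handshake reports 2026 here.
SHOW SLAVE STATUS\G

-- From any client session connected with the [client] settings above:
-- an empty Value means that session is not encrypted.
SHOW STATUS LIKE 'Ssl_cipher';
```
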

Hopefully that helps someone else get things set up.
