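I am trying to set up replication between two MySQL 5.7 servers. I am able to connect to the source server from the replica server, but when I try to start replication, the replica fails to connect to the source. What could be causing this?
This successfully opens a mysql client connection to the source: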
# On replica
$ mysql -u [my_user] -p -h [source_host] \
--ssl-mode=REQUIRED \
--ssl-ca=/etc/[source_host].cabundle
Source status:
mysql> show master status;
+------------------+----------+--------------+------------------+-------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+------------------+----------+--------------+------------------+-------------------+
| mysql-bin.002513 | 45687316 | | | |
+------------------+----------+--------------+------------------+-------------------+
1 row in set (0.00 sec)
On the replica:
mysql> CHANGE MASTER TO
-> MASTER_HOST='[source_host]',
-> MASTER_USER='[my_user]',
-> MASTER_PASSWORD='[my_password]',
-> MASTER_LOG_FILE='mysql-bin.002495',
-> MASTER_LOG_POS=154,
-> MASTER_SSL=1,
-> MASTER_SSL_VERIFY_SERVER_CERT=0,
-> MASTER_SSL_CA='/etc/ssl/[source_host].cabundle'
-> ;
Query OK, 0 rows affected, 2 warnings (0.03 sec)
mysql> start slave;
Query OK, 0 rows affected (0.00 sec)
Replica status:
mysql> show slave status \G
*************************** 1. row ***************************
Slave_IO_State: Connecting to master
Master_Host: [source_host]
Master_User: [my_user]
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.002495
Read_Master_Log_Pos: 154
Relay_Log_File: [hostname]-relay-bin.000001
Relay_Log_Pos: 4
Relay_Master_Log_File: mysql-bin.002495
Slave_IO_Running: Connecting
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Relay_Log_Space: 154
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/ssl/[source_host].cabundle
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: NULL
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 2026
Last_IO_Error: error connecting to master '[my_user]@[source_host]:3306' - retry-time: 60 retries: 4
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 0
Master_UUID:
Master_Info_File: [mysql_dir]/master.info
SQL_Delay: 0
SQL_Remaining_Delay: NULL
Slave_SQL_Running_State: Slave has read all relay log; waiting for more updates
Master_Retry_Count: 86400
Master_Bind:
Last_IO_Error_Timestamp: 250115 03:03:38
Last_SQL_Error_Timestamp:
Master_SSL_Crl:
Master_SSL_Crlpath:
Retrieved_Gtid_Set:
Executed_Gtid_Set:
Auto_Position: 0
Replicate_Rewrite_DB:
Channel_Name:
Master_TLS_Version:
mysql error.log on the replica:
[Note] 'CHANGE MASTER TO FOR CHANNEL '' executed'. Previous state master_host='[source_host]', master_port= 3306, master_log_file='', master_log_pos= 4, master_bind=''. New state master_host='[source_host]', master_port= 3306, master_log_file='mysql-bin.002495', master_log_pos= 154, master_bind=''.
[Warning] Storing MySQL user name or password information in the master info repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START SLAVE; see the 'START SLAVE Syntax' in the MySQL Manual for more information.
[Warning] Slave SQL for channel '': If a crash happens this configuration does not guarantee that the relay log info will be consistent, Error_code: 0
[Note] Slave SQL thread for channel '' initialized, starting replication in log 'mysql-bin.002495' at position 154, relay log './analysis-relay-bin.000001' position: 4
[ERROR] Slave I/O for channel '': error connecting to master '[my_user]@[source_host]:3306' - retry-time: 60 retries: 1, Error_code: 2026
mysql error.log on the source:
[Note] Bad handshake
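What you are showing us here does not look like the output of show slave status (show slave status \G is easier to read). When you connect on the command line, you explicitly tell the client where to find the CA certificate - you did not do that when creating the replication channel (MASTER_SSL_CAPATH = ...)
Error 2026 is an error in negotiating the TLS connection.
Try setting the CA path in the start slave command.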
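Found the answer. Two things were going on:
Even though I had specified MASTER_SSL_VERIFY_SERVER_CERT=0, replication was still trying to use VERIFY_CA mode. I don't know why. But when I changed the command-line client to use VERIFY_CA instead of REQUIRED, the error was the same.
I am using Let's Encrypt certificates. In June 2024, Let's Encrypt stopped including the ISRG Root X1 certificate in its CA chain. Without it, openssl could not verify the server certificate (Ubuntu 20.04, MySQL 5.7). This was fixed by downloading the ISRG Root X1 certificate from Let's Encrypt and manually appending it to the CA chain file. I found this by following a comment on a blog post to some Let's Encrypt documentation: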
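
The failure mode described in the answer above, reproduced as an added example that is not part of the original post: a CA bundle holding only an intermediate fails `openssl verify`, and appending the root fixes it. The throwaway PKI, the file names and the helper functions (`chain_ok`, `has_root`, `make_demo_pki`, `demo`) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example with a constructed PKI (root -> intermediate -> leaf); all names are made up.

# chain_ok BUNDLE CERT: true if openssl builds a complete chain from CERT to a root in BUNDLE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# has_root BUNDLE: true if BUNDLE holds a certificate whose subject equals its issuer
# (a heuristic for a self-signed root that can terminate the chain).
has_root() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { if (substr($0, 8) == s) found = 1 }
             END { exit !found }'
}

# make_demo_pki DIR: create the constructed root, intermediate and leaf in DIR.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/x.cnf"
    openssl req -x509 -config "$d/x.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Constructed Root" -days 2 2>/dev/null
    for n in int leaf; do
        openssl req -config "$d/x.cnf" -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=constructed-$n" 2>/dev/null
    done
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/x.cnf" -extensions ca -out "$d/int.pem" -days 2 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/leaf.pem" -days 2 2>/dev/null
}

# demo: check the bundle before and after appending the root, print one summary line.
demo() {
    d=$(mktemp -d) && make_demo_pki "$d" || return 2
    cp "$d/int.pem" "$d/cabundle"                 # bundle with the intermediate only
    has_root "$d/cabundle" && r1=yes || r1=no
    chain_ok "$d/cabundle" "$d/leaf.pem" && v1=yes || v1=no
    cat "$d/root.pem" >> "$d/cabundle"            # the fix: append the root certificate
    has_root "$d/cabundle" && r2=yes || r2=no
    chain_ok "$d/cabundle" "$d/leaf.pem" && v2=yes || v2=no
    rm -rf "$d"
    echo "before: root=$r1 verify=$v1 | after: root=$r2 verify=$v2"
}

demo
```

Running `has_root` and `chain_ok` against the real CA bundle and the source server's certificate file shows whether the bundle is missing its root before replication is reconfigured.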