I have set up SSL for mysql replication. The problem is, that it makes problems on the other local apps which use mysql.
Like postfix:
Jul 25 23:00:22 srv1 postfix/proxymap[3141]: warning: connect to mysql server 127.0.0.1: SSL connection error: unable to verify peer checksum
Jul 25 23:00:22 srv1 postfix/trivial-rewrite[3353]: warning: virtual_mailbox_domains: proxy:mysql:/etc/postfix/mysql-virtual_domains.cf: table lookup problem
Jul 25 23:00:22 srv1 postfix/trivial-rewrite[3353]: warning: virtual_mailbox_domains lookup failure
or amavis:
Jul 25 23:08:12 srv1 amavis[5625]: (05625-01) (!)connect_to_sql: unable to connect to DSN 'DBI:mysql:database=dbispconfig;host=127.0.0.1;port=3306': SSL connection error: unable to verify peer checksum
and also pureftp
Jul 25 23:02:42 srv1 pure-ftpd: (?@2a02:810c:XXXXXXXX) [ERROR] The SQL server seems to be down [SSL connection error: unable to verify peer checksum]
Because I dont need local encryption, i want to disable it, but I dont know how. I have only set a cnf entry for the clients with:
[client]
#ssl-ca=/etc/letsencrypt/live/mydomain/chain.pem
#ssl-mode=DISABLED
ssl=0
But without luck. For postfix I found in the docs this note:
Postfix 3.1 and earlier don't read [client] option group settings unless a non-empty option_file or option_group value are specified. To enable this, specify, for example "option_group = client".
So I added to all /etc/postfix/mysql-*.cf files the option_group syntax. But after the restart it is the same problem..
When I disable ssl on the server, the problems are gone. But I want to have ssl for security of the replication.
Any Ideas?
Here are few ideas.
postconf
to see if there are any mistypes or incompatibilities in configuration files of Postfix. This utility complains when there are unused parameters.CREATE USER ... REQUIRE ...
andALTER USER ... REQUIRE ...
and remove mandatory SSL for local clients.[mysql]
section instead. It should be feasible to do this via MYSQL_HOME environmental variable, but I doubt it is a good idea even to try :)