ERROR 9002 (28000): SSL connection is required. Please specify SSL options and retry #285

Closed
whiletrue57 opened this issue Dec 17, 2020 · 11 comments


whiletrue57 commented Dec 17, 2020

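Description
The Azure MySQL server has SSL enforcement enabled. When I execute a statement, the log reports "ERROR 9002 (28000): SSL connection is required. Please specify SSL options and retry". The --ssl=required parameter has already been added. How can this be solved? Thanks.

Steps to reproduce
Execute SQL through Archery and select [Backup]

Environment

  • Database: mysql
  • Version: 5.6.47.0 MySQL Community Server (GPL)

Error log: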
time="2020/12/17 15:00:25.789" level=info msg="create BinlogSyncer with config {2000111114 mysql host01.mysql.database.chinacloudapi.cn 3306 mysql_user@host01 false false false UTC true 0 0s 0s 0 false false 0}" file=binlogsyncer.go func=NewBinlogSyncer line=144
time="2020/12/17 15:00:25.789" level=info msg="begin to sync binlog from position (mysql-bin.000012, 5464107)" file=binlogsyncer.go func=StartSync line=359
time="2020/12/17 15:00:25.795" level=info msg="Start sync error: ERROR 9002 (28000): SSL connection is required. Please specify SSL options and retry.\x00\n" file=parser.go func=parserBinlog line=249
time="2020/12/17 15:00:25.795" level=info msg="syncer is closing..." file=binlogsyncer.go func=close line=175

@hanchuanchuan
Owner

hanchuanchuan commented Dec 17, 2020

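The backup feature is implemented through the MySQL Slave replication protocol: it reads the binlog by simulating a replica.
This error is probably because Azure MySQL has made a customization that prohibits this behavior. It is unrelated to the --ssl parameter.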

@whiletrue57
Author

whiletrue57 commented Dec 17, 2020

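Thank you for your answer.
I tried turning off SSL enforcement on Azure, and the backup then works normally; when I turn it back on, the backup fails. So I think there is no restriction on MySQL Slave here. Also, I see that the example config.toml file has this [security] section. What is it for? I added the following to it, but it seems to have no effect; I still get the "SSL connection is required" error.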
[security]
skip_grant_table = true
#Path of file that contains list of trusted SSL CAs for connection with mysql client.
ssl-ca = "/opt/ca.pem"
#Path of file that contains X509 certificate in PEM format for connection with mysql client.
ssl-cert = "/opt/client-cert.pem"
#Path of file that contains X509 key in PEM format for connection with mysql client.
ssl-key = "/opt/client-key.pem"

@hanchuanchuan
Owner

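Since the backup works with SSL turned off, the protocol itself is fine.
I checked, and the go-mysql package does support SSL parameters; I just don't have a test environment, so I need you to provide the detailed SSL settings.

Also, if you are familiar with golang, you can test as follows:
See the go-mysql project home page; that package is what provides support for the MySQL replication protocol.

  1. Copy the demo from the project home page into a new file main.go
  2. Import the package "crypto/tls"
  3. Change cfg to point to the Azure MySQL database under test
  4. Add one line above syncer := replication.NewBinlogSyncer(cfg):
    cfg.TLSConfig = &tls.Config{InsecureSkipVerify: true}
  5. Then run the file and see whether any error is reported.

PS: The [security] section can configure how the remote database is accessed, for example enabling SSL secure access.
Or enable skip_grant_table to turn on authentication; goInception is passwordless by default, because it holds no data and exists only as middleware.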
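
Added illustration, not part of the original thread and not goInception or go-mysql code: step 4 above sets InsecureSkipVerify: true, which encrypts the connection but skips certificate and host-name checks. The hypothetical helper replicationTLS below builds a verifying tls.Config for the same cfg.TLSConfig field, assuming the CA bundle is the content of the ssl-ca file; the host name in main is constructed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
)

// replicationTLS is a hypothetical helper (an assumption of this example).
// It maps an --ssl style mode to the *tls.Config assigned to cfg.TLSConfig.
// caPEM is the content of a CA bundle such as the ssl-ca file; nil means
// "verify against the system trust store".
func replicationTLS(mode, addr string, caPEM []byte) (*tls.Config, error) {
	switch mode {
	case "":
		return nil, nil // TLS not requested; an SSL-only server answers ERROR 9002
	case "preferred", "true", "required": // mode values that appear in the thread
	default:
		return nil, fmt.Errorf("unknown ssl mode %q", mode) // surface typos
	}
	host := addr
	if h, _, err := net.SplitHostPort(addr); err == nil {
		host = h // drop ":3306" so ServerName matches the certificate name
	}
	// InsecureSkipVerify stays false: chain and host name are both checked.
	conf := &tls.Config{ServerName: host}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("ssl-ca contains no usable PEM certificate")
		}
		conf.RootCAs = pool
	}
	return conf, nil
}

func main() {
	// Constructed host name, for illustration only.
	conf, err := replicationTLS("required", "db.example.internal:3306", nil)
	if err != nil {
		panic(err)
	}
	fmt.Println(conf.ServerName, conf.InsecureSkipVerify)
}
```
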

@hanchuanchuan
Owner

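Also, you can test --ssl itself. If the database already has SSL enabled, that parameter must be set, right? Otherwise you should not be able to connect to the database at all.
I can reuse that setting for the backup feature.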

@whiletrue57
Author

whiletrue57 commented Dec 18, 2020

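I tested with the method above. With the line cfg.TLSConfig = &tls.Config{InsecureSkipVerify: true} added, the binlog data can be fetched normally.
Without it, the message below is shown, so I think that line does have an effect.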

[2020/12/18 08:04:32] [info] binlogsyncer.go:360 begin to sync binlog from position (mysql-bin.000012, 5524015)
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x606177]

goroutine 1 [running]:
github.com/siddontang/go-mysql/replication.(*BinlogStreamer).GetEvent(0x0, 0x6d9f20, 0xc0000b2000, 0x544a2f, 0x0, 0x6d62c0)
        /go/pkg/mod/github.com/siddontang/[email protected]/replication/binlogstreamer.go:25 +0x37
main.main()
        /go/sql_test/main.go:32 +0xd4
exit status 2

What should I do next so that tls.Config{InsecureSkipVerify: true} gets applied? Thanks.

@hanchuanchuan
Owner

What did you set the --ssl parameter to?

@whiletrue57
Author

whiletrue57 commented Dec 18, 2020

In archery, in sql/engines/goinception.py, the setting I use is --ssl=required
Like this:

        sql_execute = f"""/*--user='{user}';--password='{password}';--host='{host}';--port={port};--execute=1;--ignore-warnings=1;{str_backup};--sleep=200;--sleep_rows=100;--ssl=required*/
                            inception_magic_start;
                            {set_session_sql}
                            use `{workflow.db_name}`;
                            {workflow.sqlworkflowcontent.sql_content.rstrip(';')};
                            inception_magic_commit;"""
        inception_result = self.query(sql=sql_execute)

@hanchuanchuan
Owner

hanchuanchuan commented Dec 18, 2020

I have updated the version; you can give it a try.
The change is as follows:

+       if s.opt.ssl != "" {
+               switch s.opt.ssl {
+               case "preferred", "true", "required":
+                       cfg.TLSConfig = &tls.Config{InsecureSkipVerify: true}
+               }
+       }
+
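
Review bot: In the case "preferred", "true", "required" branch, InsecureSkipVerify: true turns off certificate and host-name verification for every mode, so "required" yields an encrypted but unauthenticated connection and the client cannot tell the real database from anything else answering on that address. Build the tls.Config with RootCAs loaded from the configured CA file (the [security] ssl-ca setting quoted earlier in this thread) and ServerName set to the database host, and keep skip-verify only behind an explicitly named insecure option. The outer if s.opt.ssl != "" check is redundant with the switch, and an unrecognized value silently leaves TLS off; a default case that returns an error would surface typos in --ssl.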

https://github.com/hanchuanchuan/goInception/releases/download/v1.2.3/goInception-linux-v1.2.3-58-ga4b1e20-dirty.tar.gz

@whiletrue57
Author

whiletrue57 commented Dec 18, 2020

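Hello, the backup succeeded, and the rollback statements can now be downloaded normally. I see there are still some kill connection errors in the log; could you please check whether they have any impact? Thanks.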

time="2020/12/18 18:29:17.188" level=info msg="begin to sync binlog from position (mysql-bin.000012, 5551303)" file=binlogsyncer.go func=StartSync line=359
time="2020/12/18 18:29:17.250" level=info msg="rotate to (mysql-bin.000012, 5551303)" file=binlogsyncer.go func=parseEvent line=776
time="2020/12/18 18:29:17.251" level=info msg="syncer is closing..." file=binlogsyncer.go func=close line=175
time="2020/12/18 18:29:17.302" level=error msg="kill connection 64358 error ERROR 1094 (HY000): Unknown thread id: 64358" file=binlogsyncer.go func=killConnection line=843
time="2020/12/18 18:29:17.303" level=info msg="kill last connection id 64358" file=binlogsyncer.go func=killConnection line=849
time="2020/12/18 18:29:17.351" level=info msg="syncer is closed" file=binlogsyncer.go func=close line=202

@hanchuanchuan
Owner

This can be ignored; it is just the binlog replication being disconnected. I will optimize it.

@whiletrue57
Author

OK, then there are no problems for now. Many thanks.
