How do you get pt-heartbeat to connect to a slave who has require_secure_transport enabled?

I do not see any ssl options listed in the pt-heartbeat --help. Please advise as I’m unable to get it to connect to my slaves.

Hello, Please check [PT-191] add ssl options to DSN - Percona JIRA. It has info about using SSL with Toolkit.
Regards

Thanks. I have tried 6 ways to Sunday to get this to work but seeing unauthorized user hung up in connection control plugin on the slave and seeing ssl connection error on the master. See below.

bash$ pt-heartbeat F=/var/lib/mysql/my1.cnf -D test --master-server-id 1 --check
DBI connect('test;mysql_read_default_file=/var/lib/mysql/my1.cnf;mysql_read_default_group=client','',…) failed: SSL connection error: error:00000001:lib(0):func(0):reason(1) at /bin/pt-heartbeat line 2908.

my1.cnf looks like this:

[client]
user=myuser
password=mypass
host=xx.xx.xx.xx
port=3306
ssl-mode=REQUIRED

Any suggestions?

@grosenthal For now, here is a work-around:

bash$ pt-heartbeat -A=';mysql_ssl=1;mysql_optional=1'

As shown in PT-191 referenced by @carlos.salguero.

And if you want to be extra super secure, you can still add “ssl-cert=” into your my1.cnf to ensure it actually matches with the MySQL server you are connecting with.

But you can also delete the my1.cnf and don’t even bother with the “F=” commandline option. Just know that without this “F=” option, pt-heartbeat will connect to any MySQL server with any SSL Certificate and no verification matching, which may or may not be acceptable for your situation.

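The last reply's caveat about connecting without certificate verification can be checked in the option file itself. The following is an added example, not code from the thread or from Percona Toolkit: it classifies a [client] group by MySQL client ssl-mode semantics. The sample files are constructed, the CA path is a placeholder, and it assumes the connecting driver honours these options, which depends on the DBD::mysql build.

```python
import configparser

# Constructed sample mirroring the my1.cnf in the thread (placeholder values).
THREAD_CNF = """[client]
user=myuser
password=mypass
host=xx.xx.xx.xx
port=3306
ssl-mode=REQUIRED
"""

# Constructed variant; the CA path is a placeholder, not a value from the thread.
VERIFIED_CNF = """[client]
user=myuser
ssl_mode = VERIFY_IDENTITY
ssl-ca = /path/to/ca.pem
"""


def audit_client_tls(cnf_text, group="client"):
    """Return (level, reason) for one option-file group, per MySQL client ssl-mode rules."""
    # configparser cannot parse MySQL's !include / !includedir directives; skip them.
    kept = [l for l in cnf_text.splitlines() if not l.lstrip().startswith("!")]
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string("\n".join(kept))
    if not cp.has_section(group):
        return ("plaintext-possible", f"no [{group}] group, so no TLS requirement is set")
    # MySQL treats '-' and '_' in option names as equivalent.
    opts = {k.replace("_", "-"): (v or "").strip().strip("\"'") for k, v in cp.items(group)}
    # Assumption: an absent ssl-mode means PREFERRED (the MySQL 5.7+ client default).
    mode = opts.get("ssl-mode", "PREFERRED").upper()
    has_ca = bool(opts.get("ssl-ca") or opts.get("ssl-capath"))
    if mode in ("DISABLED", "PREFERRED"):
        return ("plaintext-possible", f"ssl-mode={mode} does not force encryption")
    if mode == "REQUIRED":
        return ("encrypted-unverified", "encrypted, but the server certificate is not checked")
    if mode in ("VERIFY_CA", "VERIFY_IDENTITY"):
        if not has_ca:
            return ("incomplete", f"ssl-mode={mode} set without ssl-ca or ssl-capath")
        host = "and host name " if mode == "VERIFY_IDENTITY" else ""
        return ("verified", f"server certificate {host}checked against the CA")
    return ("unknown", f"unrecognised ssl-mode value {mode!r}")


if __name__ == "__main__":
    for name, text in (("thread my1.cnf", THREAD_CNF), ("verified variant", VERIFIED_CNF)):
        print(name, "->", audit_client_tls(text))
```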