{"id":81,"date":"2026-01-01T12:22:00","date_gmt":"2026-01-01T05:22:00","guid":{"rendered":"https:\/\/abdullah.mablx.online\/?p=81"},"modified":"2026-04-02T20:34:09","modified_gmt":"2026-04-02T13:34:09","slug":"tutorial-lengkap-setup-mariadb-galera-cluster-tls-ubuntu-24-04","status":"publish","type":"post","link":"https:\/\/abdullah.mablx.online\/?p=81","title":{"rendered":"Tutorial Lengkap: Setup MariaDB Galera Cluster + TLS (Ubuntu 24.04)"},"content":{"rendered":"\n

Dokumen ini membahas langkah demi langkah membangun MariaDB Galera Cluster<\/strong> yang aman menggunakan TLS\/SSL<\/strong> pada sistem Ubuntu 24.04<\/strong>. Cocok untuk kebutuhan high availability dan replikasi database real-time.<\/p>\n\n\n\n

\n\n\n\n

Gambaran Arsitektur Cluster<\/h2>\n\n\n\n

Contoh topologi yang digunakan:<\/p>\n\n\n\n

Node<\/th>Hostname<\/th>IP Address<\/th><\/tr><\/thead>
Node 1<\/td>Cluster-1<\/td>172.20.0.215<\/td><\/tr>
Node 2<\/td>Cluster-2<\/td>172.20.0.216<\/td><\/tr>
Node 3<\/td>Cluster-3<\/td>172.20.0.217<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Semua node:<\/p>\n\n\n\n

    \n
  • Ubuntu Server 24.04<\/li>\n\n\n\n
  • MariaDB 10.11+<\/li>\n\n\n\n
  • Akses root \/ sudo<\/li>\n\n\n\n
  • Waktu sistem sinkron (chrony)<\/li>\n<\/ul>\n\n\n\n
    \n\n\n\n

    Tahap 1: Instalasi MariaDB & Galera<\/h2>\n\n\n\n

    Jalankan perintah berikut di semua node<\/strong>:<\/p>\n\n\n\n

    apt update\napt install mariadb-server mariadb-client galera-4 -y<\/code><\/pre>\n\n\n\n
    Verifikasi:<\/p>\n\n\n\n
    mariadb --version<\/code><\/pre>\n\n\n\n
    Pastikan service aktif:<\/p>\n\n\n\n
    systemctl status mariadb<\/code><\/pre>\n\n\n\n
    \n\n\n\n
    Tahap 2: Pembuatan Sertifikat TLS<\/h2>\n\n\n\n
    TLS digunakan agar komunikasi antar node terenkripsi.<\/p>\n\n\n\n
    1\ufe0f\u20e3 Buat direktori SSL<\/h3>\n\n\n\n
    sudo mkdir -p \/etc\/ssl\/mysql\ncd \/etc\/ssl\/mysql<\/code><\/pre>\n\n\n\n
    2\ufe0f\u20e3 Buat CA (Certificate Authority)<\/h3>\n\n\n\n
    openssl genrsa 2048 > ca-key.pem\nopenssl req -new -x509 -nodes -days 3650 \\\n  -key ca-key.pem -out ca.pem \\\n  -subj \"\/CN=Galera-CA\"<\/code><\/pre>\n\n\n\n
    3\ufe0f\u20e3 Generate server key & CSR<\/h3>\n\n\n\n
    openssl req -newkey rsa:2048 -days 3650 -nodes \\\n  -keyout server-key.pem -out server-req.pem \\\n  -subj \"\/CN=$(hostname)\"<\/code><\/pre>\n\n\n\n
    4\ufe0f\u20e3Sign cert<\/h3>\n\n\n\n
    openssl x509 -req -in server-req.pem -days 3650 \\\n  -CA ca.pem -CAkey ca-key.pem -set_serial 01 \\\n  -out server-cert.pem<\/code><\/pre>\n\n\n\n
    5\ufe0f\u20e3Copy ke node lain (Contoh Node 2):<\/h3>\n\n\n\n
    scp *.pem root@172.20.0.216:\/etc\/ssl\/mysql<\/code><\/pre>\n\n\n\n
    5\ufe0f\u20e3Copy ke node lain (Contoh Node 3):<\/h3>\n\n\n\n
    scp *.pem root@172.20.0.217:\/etc\/ssl\/mysql<\/code><\/pre>\n\n\n\n
    Salin file SSL ke semua node dengan path yang sama.<\/p>\n\n\n\n
    FIX 1: Node Pertama (Node 1) Wajib Perbaiki Permission:<\/h2>\n\n\n\n
    biar tidak error\/ada masalah Galera tidak bisa membaca \/ memakai file SSL key<\/strong>.<\/p>\n\n\n\n
    \u2705 SOLUSI (PALING AMAN): Perbaiki Permission:<\/h3>\n\n\n\n
    chown mysql:mysql \/etc\/ssl\/mysql\/*.pem\nchmod 600 \/etc\/ssl\/mysql\/server-key.pem\nchmod 644 \/etc\/ssl\/mysql\/server-cert.pem\nchmod 644 \/etc\/ssl\/mysql\/ca.pem<\/code><\/pre>\n\n\n\n
    Verifikasi:<\/p>\n\n\n\n
    sudo -u mysql cat \/etc\/ssl\/mysql\/server-key.pem >\/dev\/null && echo OK<\/code><\/pre>\n\n\n\n
    Kalau OK<\/strong> \u2192 aman<\/p>\n\n\n\n
    \u274c Jika Key Terenkripsi (Sering Terjadi)<\/h3>\n\n\n\n
    Cek:<\/p>\n\n\n\n
    openssl rsa -in \/etc\/ssl\/mysql\/server-key.pem -check<\/code><\/pre>\n\n\n\n
    Kalau muncul:<\/p>\n\n\n\n
    Enter pass phrase for server-key.pem:<\/code><\/pre>\n\n\n\n
    \u27a1\ufe0f Galera TIDAK SUPPORT key ber-password<\/strong><\/h3>\n\n\n\n
    Fix:<\/p>\n\n\n\n
    openssl rsa \\\n  -in \/etc\/ssl\/mysql\/server-key.pem \\\n  -out \/etc\/ssl\/mysql\/server-key-nopass.pem<\/code><\/pre>\n\n\n\n
    Ganti config ke key baru:<\/p>\n\n\n\n
    wsrep_provider_options=\"socket.ssl_key=\/etc\/ssl\/mysql\/server-key-nopass.pem\"<\/code><\/pre>\n\n\n\n
    \ud83d\udd01 Restart MariaDB<\/h3>\n\n\n\n
    systemctl daemon-reload\nsystemctl start mariadb<\/code><\/pre>\n\n\n\n
    Cek:<\/p>\n\n\n\n
    systemctl status mariadb<\/code><\/pre>\n\n\n\n
    FIX 2: Node Kedua dan Node Seterusnya Harus di Perbaiki biar tidak error seperti Contoh di bawah:<\/h2>\n\n\n\n
    Bad value '\/etc\/ssl\/mysql\/server-cert.pem'\nPermission denied<\/code><\/pre>\n\n\n\n
    Artinya:
    \ud83d\udc49 user mysql TIDAK PUNYA AKSES baca ke file SSL<\/strong><\/p>\n\n\n\n
    Walaupun filenya ada, permission \/ ownership masih salah<\/strong>.<\/p>\n\n\n\n
    \n\n\n\n
    \ud83d\udd0e Kenapa ini bisa terjadi?<\/h3>\n\n\n\n
    Galera dijalankan oleh:<\/p>\n\n\n\n
    User = mysql<\/code><\/pre>\n\n\n\n
    Kalau file SSL:<\/p>\n\n\n\n
    root:root\nchmod 600<\/code><\/pre>\n\n\n\n
    \u27a1\ufe0f mysql TIDAK bisa baca<\/strong> \u2192 Galera gagal start<\/h4>\n\n\n\n
    \n\n\n\n
    \u2705 SOLUSI WAJIB (LAKUKAN DI SEMUA NODE)<\/h3>\n\n\n\n
    1\ufe0f\u20e3 Set ownership & permission yang BENAR<\/h4>\n\n\n\n
    Jalankan sebagai root:<\/p>\n\n\n\n
    chown mysql:mysql \/etc\/ssl\/mysql\/*.pem\nchmod 600 \/etc\/ssl\/mysql\/server-key.pem\nchmod 644 \/etc\/ssl\/mysql\/server-cert.pem\nchmod 644 \/etc\/ssl\/mysql\/ca.pem<\/code><\/pre>\n\n\n\n
    \n\n\n\n
    2\ufe0f\u20e3 Verifikasi mysql bisa baca<\/h4>\n\n\n\n
    sudo -u mysql cat \/etc\/ssl\/mysql\/server-cert.pem >\/dev\/null && echo OK\nsudo -u mysql cat \/etc\/ssl\/mysql\/server-key.pem  >\/dev\/null && echo OK\nsudo -u mysql cat \/etc\/ssl\/mysql\/ca.pem          >\/dev\/null && echo OK<\/code><\/pre>\n\n\n\n
    \u26a0\ufe0f HARUS keluar OK semua<\/strong><\/h5>\n\n\n\n
    Kalau salah satu gagal \u2192 MariaDB PASTI gagal start<\/p>\n\n\n\n
    \n\n\n\n
    \ud83d\udd10 CEK KEY TIDAK BOLEH PAKAI PASSWORD<\/h4>\n\n\n\n
    Galera TIDAK support private key ber-password<\/strong><\/p>\n\n\n\n
    Cek:<\/p>\n\n\n\n
    openssl rsa -in \/etc\/ssl\/mysql\/server-key.pem -check<\/code><\/pre>\n\n\n\n
    Kalau muncul:<\/p>\n\n\n\n
    Enter pass phrase:<\/code><\/pre>\n\n\n\n
    Fix:<\/h5>\n\n\n\n
    openssl rsa \\\n -in \/etc\/ssl\/mysql\/server-key.pem \\\n -out \/etc\/ssl\/mysql\/server-key-nopass.pem<\/code><\/pre>\n\n\n\n
    Update config:<\/p>\n\n\n\n
    wsrep_provider_options=\"gcache.size=128M;socket.ssl_key=\/etc\/ssl\/mysql\/server-key-nopass.pem;socket.ssl_cert=\/etc\/ssl\/mysql\/server-cert.pem;socket.ssl_ca=\/etc\/ssl\/mysql\/ca.pem\"<\/code><\/pre>\n\n\n\n
    \ud83d\udd01 Restart MariaDB<\/h4>\n\n\n\n
    systemctl daemon-reload\nsystemctl start mariadb<\/code><\/pre>\n\n\n\n
    Cek:<\/p>\n\n\n\n
    systemctl status mariadb<\/code><\/pre>\n\n\n\n
    \n\n\n\n
    Tahap 3: Konfigurasi Galera Cluster<\/h2>\n\n\n\n
    Edit konfigurasi MariaDB:<\/p>\n\n\n\n
    sudo nano \/etc\/mysql\/mariadb.conf.d\/60-galera.cnf<\/code><\/pre>\n\n\n\n
    Contoh konfigurasi:<\/p>\n\n\n\n
    [galera]\nwsrep_on=ON\nwsrep_provider=\/usr\/lib\/galera\/libgalera_smm.so\nwsrep_cluster_name=\"ClusterDB\"\nwsrep_cluster_address=\"gcomm:\/\/172.20.0.215,172.20.0.216,172.20.0.217\"\n\nwsrep_node_name=\"Cluster-1\"         #Ubah Sesuai Node\/hostname\nwsrep_node_address=\"172.20.0.215\"   #Ubah IP Address nya sesuai dengan Node\n\nwsrep_sst_method=rsync\nbinlog_format=row\ndefault_storage_engine=InnoDB\ninnodb_autoinc_lock_mode=2\n\n# TLS\nwsrep_provider_options=\"socket.ssl_key=\/etc\/mysql\/ssl\/server.key;socket.ssl_cert=\/etc\/mysql\/ssl\/server.pem;socket.ssl_ca=\/etc\/mysql\/ssl\/ca.pem\"<\/code><\/pre>\n\n\n\n
    Sesuaikan wsrep_node_name=”Nama Node”<\/strong> dan wsrep_node_address=”IP Address”<\/strong> di setiap server\/node.<\/p>\n\n\n\n
    Untuk wsrep_cluster_name=”Nama Databases”<\/strong> isi saja sesuai kebutuhan dan di setiap server\/node wajib sama<\/p>\n\n\n\n
    Di wsrep_cluster_address=”gcomm:\/\/172.20.0.215,172.20.0.216,172.20.0.217″<\/strong> harus di isi Semua IP Address dari server\/node yang ingin di Cluster<\/strong>.<\/p>\n\n\n\n
    \n\n\n\n
    Tahap 4: Bootstrap Node Pertama<\/h2>\n\n\n\n
    Di node pertama saja<\/strong>:<\/p>\n\n\n\n
    systemctl stop mariadb\nrm -f \/var\/lib\/mysql\/grastate.dat\n\/usr\/bin\/galera_new_cluster<\/code><\/pre>\n\n\n\n
    Cek status cluster:<\/p>\n\n\n\n
    mysql -u root -p -e \"SHOW STATUS LIKE 'wsrep_cluster_size';\"<\/code><\/pre>\n\n\n\n
    +--------------------+-------+\n| Variable_name      | Value |\n+--------------------+-------+\n| wsrep_cluster_size |   1   |\n+--------------------+-------+<\/code><\/pre>\n\n\n\n
    \n\n\n\n
    Tahap 5: Join Node Kedua & Ketiga<\/h2>\n\n\n\n
    Di node lain:<\/p>\n\n\n\n
    systemctl stop mariadb\nrm -f \/var\/lib\/mysql\/grastate.dat\nsystemctl start mariadb<\/code><\/pre>\n\n\n\n
    Pastikan node berhasil join:<\/p>\n\n\n\n
    mysql -u root -p -e \"SHOW STATUS LIKE 'wsrep_cluster_size';\"<\/code><\/pre>\n\n\n\n
    Status harus Synced<\/strong>.<\/p>\n\n\n\n
    Status Node 2:<\/p>\n\n\n\n
    +--------------------+-------+\n| Variable_name      | Value |\n+--------------------+-------+\n| wsrep_cluster_size |   2   |\n+--------------------+-------+<\/code><\/pre>\n\n\n\n
    Status Node 3:<\/p>\n\n\n\n
    +--------------------+-------+\n| Variable_name      | Value |\n+--------------------+-------+\n| wsrep_cluster_size |   3   |\n+--------------------+-------+<\/code><\/pre>\n\n\n\n
    \n\n\n\n
    Tahap 6: Verifikasi Replikasi<\/h2>\n\n\n\n
    Tes sederhana:<\/p>\n\n\n\n
    CREATE DATABASE test_galera;<\/code><\/pre>\n\n\n\n
    Pastikan database tersebut muncul di node lain.<\/p>\n\n\n\n
    \n\n\n\n
    Troubleshooting Umum<\/h2>\n\n\n\n
    \ud83d\udd34 Service MariaDB gagal start<\/h3>\n\n\n\n
      \n
    • Periksa log:<\/li>\n<\/ul>\n\n\n\n
      journalctl -xeu mariadb<\/code><\/pre>\n\n\n\n
      \ud83d\udd34 Node tidak bisa join cluster<\/h3>\n\n\n\n
        \n
      • Pastikan port berikut terbuka:<\/li>\n\n\n\n
      • 3306<\/li>\n\n\n\n
      • 4444<\/li>\n\n\n\n
      • 4567<\/li>\n\n\n\n
      • 4568<\/li>\n<\/ul>\n\n\n\n
        \ud83d\udd34 TLS error<\/h3>\n\n\n\n
          \n
        • Pastikan permission file SSL:<\/li>\n<\/ul>\n\n\n\n
          chown mysql:mysql \/etc\/mysql\/ssl\/*\nchmod 600 \/etc\/mysql\/ssl\/*.key<\/code><\/pre>\n\n\n\n
          \n\n\n\n
          Keuntungan Menggunakan TLS di Galera<\/h2>\n\n\n\n
          \u2705 Data antar node terenkripsi
          \u2705 Aman di jaringan publik
          \u2705 Standar produksi & compliance
          \u2705 Mencegah sniffing dan MITM<\/p>\n\n\n\n
          \n\n\n\n
          Kesimpulan<\/h2>\n\n\n\n
          Dengan konfigurasi ini:<\/p>\n\n\n\n
            \n
          • Galera Cluster berjalan high availability<\/strong><\/li>\n\n\n\n
          • Replikasi data real-time<\/strong><\/li>\n\n\n\n
          • Komunikasi antar node terenkripsi TLS<\/strong><\/li>\n\n\n\n
          • Cocok untuk environment production<\/strong><\/li>\n<\/ul>\n\n\n\n
            \n","protected":false},"excerpt":{"rendered":"
            Dokumen ini membahas langkah demi langkah membangun MariaDB Galera Cluster yang aman menggunakan TLS\/SSL pada sistem Ubuntu 24.04. Cocok untuk kebutuhan high availability dan replikasi database real-time. Gambaran Arsitektur Cluster Contoh topologi yang digunakan: Node Hostname IP Address Node 1 Cluster-1 172.20.0.215 Node 2 Cluster-2 172.20.0.216 Node 3 Cluster-3 172.20.0.217 Semua node: Tahap 1: Instalasi […]<\/p>\n","protected":false},"author":1,"featured_media":136,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,18,16],"tags":[],"class_list":["post-81","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-ubuntu","category-ubuntu-24-04"],"_links":{"self":[{"href":"https:\/\/abdullah.mablx.online\/index.php?rest_route=\/wp\/v2\/posts\/81","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/abdullah.mablx.online\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/abdullah.mablx.online\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/abdullah.mablx.online\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/abdullah.mablx.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=81"}],"version-history":[{"count":7,"href":"https:\/\/abdullah.mablx.online\/index.php?rest_route=\/wp\/v2\/posts\/81\/revisions"}],"predecessor-version":[{"id":135,"href":"https:\/\/abdullah.mablx.online\/index.php?rest_route=\/wp\/v2\/posts\/81\/revisions\/135"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/abdullah.mablx.online\/index.php?rest_route=\/wp\/v2\/media\/136"}],"wp:attachment":[{"href":"https:\/\/abdullah.mablx.online\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=81"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/abdullah.mablx.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=81"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/abdullah.mablx.online\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=81"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}