I want to use SSL/TLS to connect to my Amazon Relational Database Service (Amazon RDS) MySQL DB instance or cluster. However, I receive the following error: “ERROR 2026 (HY000): SSL connection error.”
Resolution
Use the following troubleshooting steps to resolve the error that you receive.
Note: In the following example commands, the cluster endpoint is abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com, and the DB instance endpoint is abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com.
SSL certificate validation failure
To troubleshoot this error, first validate whether you use the cluster endpoint or the DB instance endpoint. For more information, see Amazon RDS for MySQL or Using SSL/TLS to encrypt a connection to a DB cluster.
If you use a client that supports Subject Alternative Names (SAN), then you can use only the cluster endpoint. If your client doesn't support SAN, then you must use the endpoint of the primary DB instance.
Note: The default MySQL command line client doesn't support SAN.
If you receive the SSL certificate validation error when you try to connect to the cluster endpoint, then connect to the primary DB instance's endpoint.
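Added example (shell), not from the AWS article: a helper that lists the names in the certificate an endpoint presents and checks whether the endpoint name you connect to is covered by them. name_matches decides the way a client that checks only the CN does, and host_covered the way a SAN-aware client does, so running it against the cluster endpoint and the instance endpoint shows why one verifies and the other does not. The hostnames are the article's placeholders; the openssl CLI with -starttls mysql support on the client host is an assumption.

```shell
#!/bin/sh
# Added example, not from the AWS article. Checks whether an endpoint name is
# covered by the names in the server certificate, the way a CN-only client
# (name_matches against the CN) or a SAN-aware client (host_covered against
# the CN plus the SAN entries) would decide. Endpoint names are the article's
# placeholders; availability of the openssl CLI is an assumption.

# Match one hostname against one certificate name. A leading "*." wildcard
# covers exactly one label, as TLS clients implement it.
name_matches() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    p=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$p" in
        \*.*)
            rest=${h#*.}
            [ "$rest" != "$h" ] && [ "$rest" = "${p#\*.}" ]
            ;;
        *)
            [ "$h" = "$p" ]
            ;;
    esac
}

# Return 0 if the host matches any of the remaining arguments (CN and SAN names).
host_covered() {
    target=$1
    shift
    for n in "$@"; do
        if name_matches "$target" "$n"; then
            return 0
        fi
    done
    return 1
}

# Classify the endpoint by the naming convention in the article's examples:
# Aurora cluster endpoints contain ".cluster-", DB instance endpoints do not.
endpoint_kind() {
    case "$1" in
        *.cluster-*) echo cluster ;;
        *) echo instance ;;
    esac
}

# Live helper (needs network access and openssl 1.1.1+): print the CN and the
# SAN DNS names the server presents on the MySQL port, one per line.
server_cert_names() {
    openssl s_client -connect "$1:3306" -starttls mysql </dev/null 2>/dev/null \
      | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null \
      | tr ',' '\n' | sed -n 's/.*CN *= *//p; s/^ *DNS://p'
}

# Usage: sh endpoint-check.sh <endpoint>
# Reports the endpoint type and whether the presented names cover it.
if [ -n "$1" ]; then
    ep=$1
    echo "endpoint type: $(endpoint_kind "$ep")"
    names=$(server_cert_names "$ep")
    echo "names in server certificate:"
    echo "$names"
    # word-splitting of $names is intended: one name per argument
    if host_covered "$ep" $names; then
        echo "covered: a SAN-aware client should accept $ep"
    else
        echo "not covered: connect to the primary DB instance endpoint instead"
    fi
fi
```

If the cluster endpoint appears only among the SAN names and not as the CN, a CN-only client such as the default MySQL command line client reports the validation failure shown above, and the instance endpoint is the one to use.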
Example command that uses the cluster endpoint to connect:
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
Example command that uses the DB instance endpoint to connect:
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 26
Server doesn't support SSL
You receive this error when the server or engine version that you use doesn't support SSL/TLS. To resolve this error, migrate to an engine that supports SSL/TLS connections.
SSL_CTX_set_default_verify_paths failed
You receive this error when the certificate file doesn't exist, your file path is incorrect, or you don't have permissions to read the file. You can also receive this error when you don't have permissions to the directory that the certificate file is stored in. Make sure that the certificate file is in a directory that you have permissions to access.
Before you connect, confirm that you downloaded the correct certificate. When you're connecting, make sure that you're using the correct certificate identifier name and the correct path to the certificate.
In the following examples, the global bundle certificate file is in the Downloads directory of an Amazon Elastic Compute Cloud (Amazon EC2) instance.
Example command that's using the incorrect path to the global bundle certificate to connect:
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
Note: The preceding command is run from the home directory and passes a relative path, so the client looks for global-bundle.pem in the home directory, but the certificate is in the Downloads directory.
Example command that's using the correct path to the global bundle certificate to connect:
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com --ssl-ca /home/ec2-user/Downloads/global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 26
Example command with insufficient permissions that's trying to connect to the DB instance:
[ec2-user@ip-192-0-2-0 ~]$ sudo chmod 700 global-bundle.pem
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
Example command with the correct permissions that's successfully connecting to the DB instance:
[ec2-user@ip-192-0-2-0 ~]$ sudo chmod 755 global-bundle.pem
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 810
SSL connection error: error:00000001:lib(0)::reason(1)
You receive this connection error in the following scenarios:
- You use the incorrect certificate file.
- The certificate file doesn't match the certificate that the RDS instance requires.
- The MySQL client doesn't support the certificate identifier.
Note: For MySQL-compatible Aurora Serverless DB clusters, you must use MySQL 8.0-compatible commands.
Before you connect, confirm that you downloaded the correct certificate. When you're connecting, make sure that you're using the correct certificate identifier name and the correct path to the certificate.
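Added example (shell), not from the AWS article, that serves both this section and the earlier SSL_CTX_set_default_verify_paths section: check_ca_bundle runs the file checks a practitioner would do before pointing mysql --ssl-ca at a certificate (directory accessible, file present, readable, and actually holding PEM certificates), each mapped to a cause the article names, and two openssl helpers list the CAs inside the bundle and verify the chain the endpoint presents against it. The file paths and endpoint are arguments you supply; the openssl CLI (1.1.1+) on the client host is an assumption.

```shell
#!/bin/sh
# Added example, not from the AWS article. Pre-flight checks for the file
# given to mysql --ssl-ca, each mapped to a cause the article names, plus two
# openssl helpers (assumed installed, 1.1.1+) for the wrong-certificate case.

# Exit codes: 0 usable, 2 directory not accessible, 3 file missing,
# 4 file not readable, 5 file holds no PEM certificate.
check_ca_bundle() {
    f=$1
    dir=$(dirname "$f")
    if [ ! -d "$dir" ] || [ ! -x "$dir" ]; then
        echo "directory not accessible: $dir"
        return 2
    fi
    if [ ! -f "$f" ]; then
        echo "certificate file not found: $f (relative paths resolve from $(pwd))"
        return 3
    fi
    if [ ! -r "$f" ]; then
        echo "certificate file not readable by $(id -un): $(ls -l "$f")"
        return 4
    fi
    # grep -c prints 0 and exits 1 when nothing matches; keep the count either way
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$n" -eq 0 ]; then
        echo "no PEM certificate in $f: wrong file downloaded?"
        return 5
    fi
    echo "ok: $f holds $n certificate(s)"
    return 0
}

# List the subject of every CA in the bundle, so you can see whether it is the
# global bundle (many regional RDS CAs) or a single root such as rds-ca-2019.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
      | sed -n 's/^subject=//p'
}

# Verify the chain the endpoint presents on port 3306 against the bundle.
# Prints "Verify return code: 0 (ok)" when the bundle is the right one.
verify_server_chain() {
    openssl s_client -connect "$1:3306" -starttls mysql -CAfile "$2" </dev/null 2>/dev/null \
      | sed -n '/Verify return code/p'
}

# Usage: sh ca-preflight.sh <endpoint> <path-to-global-bundle.pem>
if [ $# -eq 2 ]; then
    check_ca_bundle "$2" || exit $?
    bundle_subjects "$2"
    verify_server_chain "$1" "$2"
fi
```

Run it with the same path you pass to --ssl-ca and from the same working directory, so a relative path is resolved exactly as the mysql client would resolve it.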
Example command with incorrect certificate that's trying to connect to the DB instance endpoint:
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-ca-2019-root.pem --ssl-mode=VERIFY_IDENTITY -u test -p
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0)::reason(1)
Example command with correct certificate that's successfully connecting to the DB instance:
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u admin -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Related information
Using TLS/SSL with Aurora Serverless v1