How do I resolve an "ERROR 2026 SSL connection" error when I connect to an Amazon RDS for MySQL or Aurora DB instance?


I want to use SSL/TLS to connect to my Amazon Relational Database Service (Amazon RDS) MySQL DB instance or cluster. However, I receive the following error: “ERROR 2026 (HY000): SSL connection error.”

Resolution

Use the following troubleshooting steps to resolve the error that you receive.

Note: In the following example commands, the cluster endpoint is abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com, and the DB instance endpoint is abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com.

SSL certificate validation failure

To troubleshoot this error, first validate whether you use the cluster endpoint or the DB instance endpoint. For more information, see Amazon RDS for MySQL or Using SSL/TLS to encrypt a connection to a DB cluster.

If you use a client that supports Subject Alternative Names (SAN), then you can use the cluster endpoint, because the cluster endpoint is present in the server certificate only as a SAN entry. If your client doesn't support SAN, then you must use the endpoint of the primary DB instance.

Note: The default MySQL command line client doesn't support SAN.

If you receive the SSL certificate validation error when you try to connect to the cluster endpoint, then connect to the primary DB instance's endpoint.

Example command that uses the cluster endpoint to connect:

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

Example command that uses the DB instance endpoint to connect: 

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 26

Server doesn't support SSL

You receive this error when the server or engine version that you use doesn't support SSL/TLS. To resolve this error, migrate to an engine that supports SSL/TLS connections.

SSL_CTX_set_default_verify_paths failed

You receive this error when the certificate file doesn't exist, your file path is incorrect, or you don't have permission to read the file. You can also receive this error when you don't have permission to access the directory that the certificate file is stored in. Make sure that the certificate file is in a directory that you have permission to access.

Before you connect, confirm that you downloaded the correct certificate. When you're connecting, make sure that you're using the correct certificate identifier name and the correct path to the certificate. 

In the following examples, the global bundle certificate file is in the Downloads directory on an Amazon Elastic Compute Cloud (Amazon EC2) instance.

Example command that's using the incorrect path to the global bundle certificate to connect:

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed

Note: The preceding command is run from the Home directory and passes a relative path to --ssl-ca, but the global bundle certificate is in the Downloads directory, so the client can't find the file.

Example command that's using the correct path to the global bundle certificate to connect:

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com --ssl-ca /home/ec2-user/Downloads/global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 26

Example command with insufficient permissions that's trying to connect to the DB instance:

[ec2-user@ip-192-0-2-0 ~]$ sudo chmod 700 global-bundle.pem 
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password: 
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed

Example command with the correct permissions that's successfully connecting to the DB instance:

[ec2-user@ip-192-0-2-0 ~]$ sudo chmod 755 global-bundle.pem
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 810

SSL connection error: error:00000001:lib(0)::reason(1)

You receive this connection error in the following scenarios:

  • You use the incorrect certificate file.
  • The certificate file doesn't match the certificate that the RDS instance requires.
  • The MySQL client doesn't support the certificate identifier.

Note: For MySQL-compatible Aurora Serverless DB clusters, you must use MySQL 8.0-compatible commands.

Before you connect, confirm that you downloaded the correct certificate. When you're connecting, make sure that you're using the correct certificate identifier name and the correct path to the certificate. 

Example command with incorrect certificate that's trying to connect to the DB instance endpoint:

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-ca-2019-root.pem --ssl-mode=VERIFY_IDENTITY -u test -p
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0)::reason(1)

Example command with correct certificate that's successfully connecting to the DB instance:

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca global-bundle.pem --ssl-mode=VERIFY_IDENTITY -u admin -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
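The following pre-flight script is an added example and is not part of the AWS article. Before you run the mysql command, it checks the items from the preceding sections: that the --ssl-ca path exists and is readable by the current user (the SSL_CTX_set_default_verify_paths failed case), that the file is actually a PEM certificate bundle (the error:00000001:lib(0)::reason(1) case), and which endpoint to verify against depending on whether the client supports SAN. The endpoint names are the assumed ones from the note at the top of this article, and the script name rds_ssl_preflight.sh is an assumption.

```shell
#!/bin/sh
# Added pre-flight helper (not part of the AWS article). Before running
# mysql --ssl-ca ... --ssl-mode=VERIFY_IDENTITY, check the things the article
# says cause ERROR 2026 and report which variant of the error you would hit.
# Usage: sh rds_ssl_preflight.sh /home/ec2-user/Downloads/global-bundle.pem

# Returns 0 if the bundle is usable, 2 if missing, 3 if unreadable,
# 4 if the file is not a PEM certificate bundle.
check_ssl_ca() {
    ca="$1"
    # Missing file or wrong path: the client cannot load the CA, so the
    # handshake never starts ("SSL_CTX_set_default_verify_paths failed").
    if [ ! -f "$ca" ]; then
        echo "FAIL: $ca not found; pass the full path to --ssl-ca" >&2
        return 2
    fi
    # File exists but the current user cannot read it (or cannot traverse
    # its directory): same SSL_CTX_set_default_verify_paths failure.
    if [ ! -r "$ca" ]; then
        echo "FAIL: $ca is not readable by $(id -un); grant read access (e.g. chmod 644)" >&2
        return 3
    fi
    # Readable but not a PEM CA bundle (wrong file, or an HTML error page
    # saved as .pem): the article's error:00000001:lib(0)::reason(1) case.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "FAIL: $ca contains no PEM certificates; re-download global-bundle.pem" >&2
        return 4
    fi
    echo "OK: $ca holds $(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca") CA certificate(s)"
    return 0
}

# The article's rule for which host to verify against: a client that checks
# Subject Alternative Names can use the cluster endpoint; one that only
# checks the certificate CN (the stock mysql CLI) must use the primary DB
# instance endpoint. Arguments: yes|no cluster_endpoint instance_endpoint.
ssl_endpoint() {
    case "$1" in
        yes) echo "$2" ;;
        *)   echo "$3" ;;
    esac
}

if [ $# -eq 1 ]; then
    check_ssl_ca "$1" || exit $?
    # Assumed endpoints from the article's note; replace with your own.
    host=$(ssl_endpoint no abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com)
    echo "mysql -h $host --ssl-ca $1 --ssl-mode=VERIFY_IDENTITY -u test -p"
fi
```

Run it against the same path you intend to pass to --ssl-ca; a non-zero exit code tells you which section of this article applies before the mysql client ever opens a socket.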

Related information

Using TLS/SSL with Aurora Serverless v1

AWS OFFICIAL
Updated 24 days ago

2 Comments

Please indicate where to obtain the latest current pem file. Another article suggests a new location, https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html

replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 4 months ago