Certificate verify failed with new rds-ca-rsa2048-g1 CA


I modified my RDS instance and changed the certificate authority from rds-ca-2019 to rds-ca-rsa2048-g1 as the former will expire in 2024. However I get a SSL routines::certificate verify failed in all of my clients (php8.1-mysql, nagios check_mysql plugin). If I revert to rds-ca-2019, everything works again. The istance is a MySQL Community v.8.0.34 and I'm using the global-bundle.pem certificate. Thanks for your help.

asked 9 months ago3831 views
3 Answers

As far as I understand, you followed the documentation for rotate your certificates. There is a link where you can find global certificate bundles and per-region.

I have several ideas what could go wrong:

  1. You have your, previously downloaded, global bundle and need to download a new one, compare them and replace if needed.
  2. You are not using your .pem file as an argument for mysql connection but using a system wide certs. In the case you need follow the instruction for your OS how to update re-generate certificates globally.
profile picture
answered 9 months ago
Accepted Answer

I did a couple of test and I can now connect to the database server with the new CA through nagios check_mysql plugin, php8.1-mysql and mysql client. They weren't using the new pem certificate. However, the problem is still there in Laravel, but I'm now asking the Laravel community since AWS RDS is working right. Thanks for your help.

P.S: In laravel, I solved the connection problem with PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => 'false'

answered 9 months ago


I'm using the latest global-bundle.pem certificate and I verified it comparing it with the one from your link. It's where I downloaded it.

I'm also using the .pem file as an argument in all mysql connections. Two days ago I changed my connection string from rds-combined-ca-bundle.pem to global-bundle.pem and verified that the SSL connection was working as usual.

At the moment, I have no SSL routines::certificate verify failed error in my connection and I'm using the latest global-bundle.pem certificate. It's on the server that I had to go back to rds-ca-2019 certificate authority.

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions