Troubleshooting MySQL SSL Connection Issues with Self-Signed Certificates: Error 2026 (HY000) Analysis and Solutions


When trying to establish an SSL-secured MySQL connection using self-signed certificates, I encountered Error 2026 (HY000) with the cryptic message "SSL connection error: error:00000001:lib(0):func(0):reason(1)". Let me walk through the troubleshooting process and ultimate solution.

MySQL Server configuration in my.cnf:

[mysqld]
ssl-ca=/etc/ssl/mysql/ca.cert
ssl-cert=/etc/ssl/mysql/server.cert
ssl-key=/etc/ssl/mysql/server.key

The failed connection attempt:

mysql -u user -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key --ssl-ca=ca.cert
ERROR 2026 (HY000): SSL connection error

The key observations that helped identify the issue:

  1. The connection worked when omitting --ssl-ca, i.e. as soon as the client stopped verifying the server certificate
  2. With --ssl-ca present, the client could not validate the certificate the server presented, even though mysqld had started with the same CA, certificate and key files without complaint
  3. The error persisted across both local and remote connection attempts

After extensive testing, I discovered these critical points about MySQL's SSL implementation:

  • MySQL requires that the CA certificate's Common Name differ from the Common Name of the server and client certificates; a set generated with the same subject for all three fails with exactly this uninformative error
  • When the client verifies the server (--ssl-verify-server-cert on 5.5, --ssl-mode=VERIFY_IDENTITY on 5.7 and later), the server certificate's CN must equal the hostname passed with -h
  • MySQL 5.5 builds linked against yaSSL read only PKCS#1 private keys ("BEGIN RSA PRIVATE KEY"), not the PKCS#8 form that openssl req writes
  • Key files must be readable by the mysqld (or client) user and nobody else (mode 600)

Here's the complete working command with all parameters (for a 5.7.11 or later client; a 5.5 client uses --ssl-verify-server-cert instead, shown at the end of this page):

mysql -h db.example.com -u ssl_user -p \
  --ssl-mode=VERIFY_IDENTITY \
  --ssl-ca=/etc/ssl/mysql/ca.pem \
  --ssl-cert=/etc/ssl/mysql/client-cert.pem \
  --ssl-key=/etc/ssl/mysql/client-key.pem

Key differences from the initial attempt:

  1. --ssl-mode=VERIFY_IDENTITY, which both verifies the chain and checks the server CN against the -h hostname (available in 5.7.11 and later clients, where --ssl=1 is deprecated; --ssl is removed in 8.0)
  2. Absolute paths to certificate files, so the client cannot pick up a different file from its working directory
  3. The .pem extension is cosmetic: OpenSSL and MySQL read PEM regardless of the file name, so what matters is that the files are PEM-encoded and, for 5.5, that the key is in PKCS#1 form

For those creating new certificates, here's the OpenSSL command sequence (the same one the MySQL manual uses). Give the CA, the server and the client three different Common Names when prompted, and use a different serial for each certificate the CA signs:

# Generate CA (use a CN that neither the server nor the client certificate will reuse)
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca.pem

# Generate server certificate (CN = the hostname clients will connect to)
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem
# req writes a PKCS#8 key; rewrite it as PKCS#1 ("BEGIN RSA PRIVATE KEY"), the only form yaSSL-based MySQL 5.5 reads
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 365000 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Generate client certificate (a third CN, and a serial different from the server's)
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 365000 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

With OpenSSL 3.x, add -traditional to the two openssl rsa commands; without it they write PKCS#8 again.
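The sequence above as a non-interactive script, added here as an example and not part of the original article or of MySQL's own tooling: it generates the same CA/server/client set, enforces three distinct Common Names and two distinct serials, converts the leaf keys to PKCS#1 on both old and new OpenSSL, and then checks the result the way MySQL will. The output directory, the hostname db.example.com and the CN strings MySQL_Example_CA and mysql-client are assumptions; it needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not from the original article: generate a CA, server and
# client certificate set for MySQL with the constraints the article's
# sequence leaves to the operator made explicit:
#   - the CA, server and client Common Names all differ (MySQL rejects a set
#     in which the CA and a leaf certificate share a CN), and
#   - the two leaf certificates get distinct serial numbers.
# Directory, hostname and the CN strings are assumptions for this example.
# Usage: gen_mysql_certs OUTDIR SERVER_HOSTNAME

gen_mysql_certs() {
    out="$1"
    server_cn="$2"
    mkdir -p "$out" || return 1

    # CA: a CN that no leaf certificate will reuse.
    openssl genrsa -out "$out/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3650 -key "$out/ca-key.pem" \
        -subj "/CN=MySQL_Example_CA" -out "$out/ca.pem" 2>/dev/null

    # Server: CN equals the hostname clients pass to -h, so that
    # --ssl-verify-server-cert (5.5) or --ssl-mode=VERIFY_IDENTITY (5.7+) matches.
    openssl req -newkey rsa:2048 -nodes -keyout "$out/server-key.pem" \
        -subj "/CN=$server_cn" -out "$out/server-req.pem" 2>/dev/null
    openssl x509 -req -in "$out/server-req.pem" -days 3650 \
        -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -set_serial 01 \
        -out "$out/server-cert.pem" 2>/dev/null

    # Client: a third CN and a serial different from the server certificate.
    openssl req -newkey rsa:2048 -nodes -keyout "$out/client-key.pem" \
        -subj "/CN=mysql-client" -out "$out/client-req.pem" 2>/dev/null
    openssl x509 -req -in "$out/client-req.pem" -days 3650 \
        -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -set_serial 02 \
        -out "$out/client-cert.pem" 2>/dev/null

    # req -newkey writes PKCS#8 ("BEGIN PRIVATE KEY"); MySQL 5.5 builds linked
    # against yaSSL need PKCS#1 ("BEGIN RSA PRIVATE KEY"). OpenSSL 3.x needs
    # -traditional for that; older OpenSSL emits PKCS#1 by default and rejects
    # the flag, hence the fallback.
    for k in server-key.pem client-key.pem; do
        openssl rsa -in "$out/$k" -traditional -out "$out/$k.tmp" 2>/dev/null ||
            openssl rsa -in "$out/$k" -out "$out/$k.tmp" 2>/dev/null
        mv "$out/$k.tmp" "$out/$k"
    done
    chmod 600 "$out/ca-key.pem" "$out/server-key.pem" "$out/client-key.pem"
}

# Subject CN of a PEM certificate (assumes a single CN attribute).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# Check a generated set the way MySQL needs it: both leaves verify against the
# CA, and the CA's CN differs from the server and client CNs.
check_mysql_certs() {
    out="$1"
    if ! openssl verify -CAfile "$out/ca.pem" "$out/server-cert.pem" \
            "$out/client-cert.pem" >/dev/null 2>&1; then
        echo "FAIL: leaf certificates do not verify against $out/ca.pem"
        return 1
    fi
    ca_cn=$(cert_cn "$out/ca.pem")
    server_cn=$(cert_cn "$out/server-cert.pem")
    client_cn=$(cert_cn "$out/client-cert.pem")
    if [ "$ca_cn" = "$server_cn" ] || [ "$ca_cn" = "$client_cn" ]; then
        echo "FAIL: CA CN '$ca_cn' must differ from server/client CN"
        return 1
    fi
    echo "OK: CA=$ca_cn server=$server_cn client=$client_cn"
}
```

Run gen_mysql_certs /etc/ssl/mysql db.example.com followed by check_mysql_certs /etc/ssl/mysql, then point ssl-ca, ssl-cert and ssl-key in my.cnf at the generated files. Generating a second set with the server hostname set to MySQL_Example_CA reproduces the CN collision, and check_mysql_certs rejects it.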

For production environments, consider these additional my.cnf settings:

[mysqld]
require_secure_transport=ON
tls_version=TLSv1.2,TLSv1.3
ssl-cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

Version caveats: require_secure_transport exists from MySQL 5.7.8 and tls_version from 5.7.10; TLSv1.3 is only negotiated by 8.0.16 or later built against OpenSSL 1.1.1 or later, and its suites are set with tls_ciphersuites rather than ssl-cipher, which governs TLS 1.2 and below. The suites DHE-RSA-AES256-SHA and AES128-SHA used in the MySQL 5.5 examples on this page are SHA-1/CBC suites; AES128-SHA has no forward secrecy and neither is an AEAD cipher, so on 5.7 or later prefer ECDHE with AES-GCM as above.

After successful connection, verify SSL is active:

mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+

When SSL connections fail:

  1. Verify file permissions (key files should be 600 and owned by the account mysqld runs as)
  2. Check certificate expiration dates (openssl x509 -in server-cert.pem -noout -dates)
  3. Ensure the server certificate's Common Name matches the hostname passed to -h, and that the CA certificate's Common Name differs from it
  4. Test with OpenSSL directly: openssl s_client -connect db.example.com:3306 -starttls mysql (MySQL negotiates TLS inside its own handshake, so a plain s_client connection fails; -starttls mysql needs OpenSSL 1.1.1 or later)
  5. Review MySQL error logs for detailed SSL errors
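Items 1 to 3 of the list above, plus the chain check, as a pre-flight script to run on the server before restarting mysqld. This is an added example, not code from the original article; the file names ca.pem, server-cert.pem and server-key.pem, the directory layout and the hostname are assumptions, and it relies on the openssl tool and on either GNU or BSD stat.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for a MySQL
# TLS file set. File names, directory and hostname are assumptions; adjust
# them to match ssl-ca / ssl-cert / ssl-key in your my.cnf.
# Usage: mysql_tls_preflight DIR EXPECTED_HOSTNAME

# Permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Subject CN of a PEM certificate (assumes a single CN attribute).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

mysql_tls_preflight() {
    dir="$1"; host="$2"; rc=0
    ca="$dir/ca.pem"; cert="$dir/server-cert.pem"; key="$dir/server-key.pem"

    # 1. The private key must not be group- or world-readable.
    mode=$(file_mode "$key")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $key mode is $mode, expected 600"; rc=1 ;;
    esac

    # 2. Both certificates must still be valid for at least the next 24 hours
    #    (-checkend exits non-zero if the certificate expires within N seconds).
    for c in "$ca" "$cert"; do
        if ! openssl x509 -in "$c" -noout -checkend 86400 >/dev/null 2>&1; then
            echo "FAIL: $c is expired or expires within 24h"; rc=1
        fi
    done

    # 3. The server CN must equal the name clients connect with, otherwise
    #    --ssl-verify-server-cert / VERIFY_IDENTITY rejects the connection.
    cn=$(cert_cn "$cert")
    if [ "$cn" != "$host" ]; then
        echo "FAIL: server CN '$cn' != expected hostname '$host'"; rc=1
    fi

    # MySQL-specific: the CA's CN must differ from the server's, and the
    # server certificate must chain to the CA file the clients are given.
    if [ "$(cert_cn "$ca")" = "$cn" ]; then
        echo "FAIL: CA and server share CN '$cn'; MySQL rejects such a set"; rc=1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert passes pre-flight checks for host $host"
    return "$rc"
}
```

Run it as mysql_tls_preflight /etc/ssl/mysql db.example.com; a non-zero exit with one FAIL line per problem tells you which of the items above to fix before looking at the client again.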

When attempting to establish an SSL connection to MySQL 5.5.25 using self-signed certificates, you might encounter the generic "SSL connection error" message. This typically happens when the client cannot properly validate the server's certificate against the provided CA certificate.

mysql -u user -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key --ssl-ca=ca.cert
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

Interestingly, the connection succeeds when omitting the --ssl-ca parameter. Without a CA the client still encrypts the session but accepts whatever certificate the server presents, so this is a diagnostic step rather than a workaround: anyone in the network path could substitute their own certificate.

mysql -h server -u user -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key

The primary issues usually stem from:

  • Certificate chain validation failures
  • Mismatched CN (Common Name) in certificates
  • Incorrect file permissions
  • MySQL version-specific SSL implementation quirks

First, verify that the server and client certificates actually chain to the CA file you pass to mysqld and to the clients:

openssl verify -CAfile ca.cert server.cert client.cert

For MySQL 5.5, you might need to explicitly specify the cipher suite:

mysql --ssl=1 --ssl-ca=ca.cert --ssl-cert=client.cert \
      --ssl-key=client.key --ssl-cipher=DHE-RSA-AES256-SHA

Ensure your my.cnf contains proper SSL directives:

[mysqld]
ssl-ca=/etc/ssl/mysql/ca.cert
ssl-cert=/etc/ssl/mysql/server.cert
ssl-key=/etc/ssl/mysql/server.key
ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA

The general log does not record TLS handshake failures; enabling it only shows whether a client got far enough to run statements:

SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/log/mysql/mysql-general.log';

Certificate and key problems the server detects at startup are written to the error log (log_error), which is the place to look first.

Check SSL status after connection:

STATUS;
\s

Or specifically:

SHOW STATUS LIKE 'Ssl%';

If you must use self-signed certificates but want verification with a MySQL 5.5 client (which has no --ssl-mode), add --ssl-verify-server-cert. It compares the server certificate's Common Name with the host name given to -h, so connect by that name rather than by IP address or localhost:

mysql --ssl=1 --ssl-verify-server-cert \
      --ssl-ca=ca.cert --ssl-cert=client.cert --ssl-key=client.key