How can I resolve an ERROR 2026 SSL connection error when connecting to an Amazon RDS for MySQL or Aurora DB instance?


I'm trying to connect to my Amazon Relational Database Service (Amazon RDS) DB instance or cluster using Secure Sockets Layer (SSL). I received the following error: "ERROR 2026 (HY000): SSL connection error". How can I resolve ERROR 2026 for Amazon RDS for MySQL, Amazon Aurora for MySQL, or Amazon Aurora Serverless?

Short description

There are three different types of error messages for ERROR 2026:

  • ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
  • ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
  • ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

See the following troubleshooting steps for each error message.

Resolution

ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

To troubleshoot this error, first validate whether you're using the cluster endpoint or the DB instance endpoint. To learn how Amazon RDS supports SSL, see Using SSL with a MySQL DB instance or Using SSL with Aurora MySQL DB clusters.

If you use a client that supports Subject Alternative Names (SAN), then you can use only the cluster endpoint. If your client doesn't support SAN, you must use the endpoint of the primary DB instance.

Note: The default MySQL command line client doesn't support SAN.

If you receive this error when trying to connect to the cluster endpoint, try using the endpoint of the primary DB instance in the connection string instead. The following example first attempts the cluster endpoint and then the DB instance endpoint. In this example, the cluster endpoint is abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com and the DB instance endpoint is abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com.

Connect using the cluster endpoint

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

Connect using the DB instance endpoint

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g. 
Your MySQL connection id is 26

ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL

You can receive this error if the server or engine version that you use doesn't support SSL. To resolve this error, migrate to an engine that supports SSL connections.

ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed or ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

You can receive this error if the certificate identifier (certificate file name) isn't correct. You can also receive this error if the certificate identifier isn't supported by the MySQL client that you use, for example when connecting to Aurora Serverless. If you use the MySQL client to connect to an Aurora Serverless cluster, then you must use the MySQL 8.0-compatible MySQL commands.

Be sure to use the correct certificate identifier name and the correct path to the certificate to connect successfully. Before connecting, confirm that you have downloaded the correct certificate. For more information, see Using SSL to encrypt a connection to a DB instance.

In the following example, the root certificate file is in the Downloads directory on an Amazon Elastic Compute Cloud (Amazon EC2) instance, but the command is run from the home directory with a relative path. The client can't find the certificate at that path, which results in ERROR 2026:

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed

Note: This example runs the connection command from the home directory, but the root certificate is in the Downloads directory.

In the following example, you use the path to the root certificate to connect successfully:

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com --ssl-ca /home/ec2-user/Downloads/rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g. 
Your MySQL connection id is 26

You can also receive this error if you don't have permission to read the certificate file or the directory that it's stored in. Be sure that the certificate is in a directory that you have permission to access and that the file itself is readable by your user. The following examples show a connection attempt with and without sufficient permissions:

Connecting with insufficient permissions

[ec2-user@ip-192-0-2-0 ~]$ sudo chmod 700 rds-combined-ca-bundle.pem 
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password: 
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed

Connecting with the correct permissions

[ec2-user@ip-192-0-2-0 ~]$ sudo chmod 755 rds-combined-ca-bundle.pem
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 810
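The following shell function is an added example, not part of the original article: it runs the checks from the steps above (certificate path, read permission, PEM content, and cluster versus DB instance endpoint) before you invoke mysql, so the cause of ERROR 2026 is reported without a connection attempt. The function name rds_ssl_precheck and its output wording are assumptions.

```shell
#!/bin/sh
# rds_ssl_precheck: report the common local causes of ERROR 2026 before running mysql.
# Usage: rds_ssl_precheck <endpoint-hostname> <path-to-ca-bundle>
# Prints one finding per line; returns 0 when nothing is found, 1 otherwise.
# (Hypothetical helper written for this article; not an AWS or MySQL tool.)
rds_ssl_precheck() {
  host=$1
  ca=$2
  rc=0

  # Wrong certificate path: mysql resolves a relative --ssl-ca path from the
  # current working directory, so a bundle in ~/Downloads is not found from ~.
  if [ ! -f "$ca" ]; then
    echo "CA bundle not found at '$ca' (cwd: $(pwd)); pass the absolute path"
    rc=1
  # Insufficient permissions: the bundle exists but this user cannot read it.
  elif [ ! -r "$ca" ]; then
    echo "CA bundle '$ca' is not readable by $(id -un); fix its mode or owner"
    rc=1
  # Wrong file: a valid bundle contains at least one PEM certificate block.
  elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca"; then
    echo "'$ca' contains no PEM certificate; download the RDS CA bundle again"
    rc=1
  fi

  # Cluster endpoint with a client that lacks SAN support: with VERIFY_IDENTITY
  # the default mysql client fails certificate validation on the cluster name.
  case $host in
    *.cluster-*)
      echo "'$host' is an Aurora cluster endpoint; the default mysql client has no SAN support, so use the primary DB instance endpoint"
      rc=1
      ;;
  esac
  return $rc
}
```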

Related information

Using TLS/SSL with Aurora serverless

AWS OFFICIAL. Updated 3 years ago.