📋

Description

This error signifies a problem establishing a secure (SSL/TLS) connection between your MySQL client and the MySQL server. It typically occurs when there's a mismatch in SSL configurations, invalid certificates, or network issues preventing a secure handshake.

💬

Error Message

SSL error: %s.

🔍

Known Causes

4 known causes

⚠️

Mismatched SSL Configuration

The client and server SSL/TLS settings, such as required ciphers or protocol versions, do not align, preventing a successful handshake.

⚠️

Invalid or Missing SSL Certificates

The client or server is using an expired, revoked, malformed, or untrusted SSL certificate or key file.

⚠️

Incorrect Client SSL Parameters

The client application is attempting to connect with incorrect or missing SSL options, such as specifying an invalid CA certificate path.

⚠️

Network or Firewall Blocking

A firewall or network configuration is preventing the necessary ports or protocols for SSL communication from being established.

🛠️

Solutions

4 solutions available

1. Verify SSL Certificate Validity and Configuration medium

Ensure your MySQL server's SSL certificates are valid, correctly installed, and that the server is configured to use them.

1

Check the expiration date of your SSL certificate and any intermediate certificates on the MySQL server. Expired certificates will cause connection failures.

openssl x509 -in /path/to/your/server-cert.pem -noout -dates

2

Verify that the paths to the `ssl_cert`, `ssl_key`, and `ssl_ca` (if applicable) files in your MySQL configuration file (`my.cnf` or `my.ini`) are correct and that the files exist.

[mysqld]
ssl_cert = /path/to/your/server-cert.pem
ssl_key = /path/to/your/server-key.pem
ssl_ca = /path/to/your/ca.pem

3

Ensure the MySQL server process has read permissions for the SSL certificate and key files. The user running the MySQL server needs access.

sudo chown mysql:mysql /path/to/your/server-cert.pem /path/to/your/server-key.pem
sudo chmod 600 /path/to/your/server-key.pem
sudo chmod 644 /path/to/your/server-cert.pem

4

Restart the MySQL server after making any configuration changes to apply them.

sudo systemctl restart mysql

2. Check Client-Side SSL Configuration and Trust medium

Confirm that the client application or tool is configured to use SSL and trusts the server's certificate or CA.

1

When connecting from a client, ensure you are explicitly enabling SSL. The exact parameter depends on the client library or tool.

mysql --ssl-mode=REQUIRED --ssl-ca=/path/to/your/ca.pem -h your_mysql_host -u your_user -p

2

If the server uses a self-signed certificate or a certificate signed by a private CA, the client must be configured to trust that CA. Provide the path to the CA certificate (`ssl_ca`) to the client.

mysql --ssl-ca=/path/to/your/ca.pem ...

3

If you are using a common public CA, ensure your client system's trust store is up-to-date. Otherwise, the client might not trust the server's certificate.

On Debian/Ubuntu: sudo apt update && sudo apt upgrade ca-certificates
On CentOS/RHEL: sudo yum update ca-certificates

4

For some applications, you might need to specify client certificates and keys if the server requires client authentication.

mysql --ssl-cert=/path/to/your/client-cert.pem --ssl-key=/path/to/your/client-key.pem ...

3. Inspect Network Connectivity and Firewall Rules easy

Verify that network paths are open and that no firewalls are blocking SSL/TLS traffic to the MySQL server.

1

Ensure that the MySQL port (default 3306) is open on the server's firewall. SSL traffic uses the same port.

sudo ufw allow 3306/tcp
sudo firewall-cmd --permanent --add-port=3306/tcp && sudo firewall-cmd --reload

2

If there are intermediate firewalls or network ACLs between the client and server, verify that they also permit traffic on the MySQL port.

N/A (Requires network infrastructure access)

3

Use `telnet` or `nc` to check basic TCP connectivity to the MySQL port on the server from the client machine.

telnet your_mysql_host 3306
nc -vz your_mysql_host 3306

4

If SSL is configured on a different port than the default (e.g., 3307), ensure that specific port is open and accessible.

N/A (Requires checking MySQL server configuration for `port` and `ssl_port` directives)

4. Review MySQL Server and Client Logs for Detailed Errors medium

Examine the MySQL error logs and client-side connection logs for more specific SSL error messages.

1

Locate and review the MySQL server's error log file. The location varies by OS and installation method, often found in `/var/log/mysql/error.log` or within the MySQL data directory.

sudo tail -f /var/log/mysql/error.log

2

Look for messages related to SSL initialization, certificate loading, or connection attempts that coincide with the client's failure.

Example log entries might include:
'SSL error: Certificate is not valid'
'SSL error: unable to load CA certificate'
'SSL error: private key file is not readable'

3

If your client application provides its own logging, check those logs for more granular SSL error details. This is especially true for custom applications using specific MySQL connectors (e.g., Python's `mysql.connector`, Node.js's `mysql` package).

Consult the documentation for your specific client library for log file locations and configuration.

4

Increase the MySQL server's `log_error_verbosity` setting if needed for more detailed SSL debugging. Restart the server after changing this setting.

SET GLOBAL log_error_verbosity = 3; -- Restart MySQL after changing

🔗

Related Errors

5 related errors

MySQL Error 60: SSL Connection Failure