I'm trying to connect to my Amazon Relational Database Service (Amazon RDS) instance or cluster using Secure Sockets Layer (SSL). But I received the following error:

"ERROR 2026 (HY000): SSL connection error"

How can I resolve ERROR 2026 for Amazon RDS for MySQL, Amazon Aurora for MySQL, or Amazon Aurora Serverless?

There are three different types of error messages for ERROR 2026:

  • ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
  • ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
  • ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

See the following troubleshooting steps for each error message.

ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

To troubleshoot this error, first validate whether you're using the cluster endpoint or the instance endpoint. To learn how Amazon RDS supports SSL, see Using SSL with a MySQL DB Instance or Using SSL with Aurora MySQL DB Clusters.

If you use a client that supports Subject Alternative Names (SAN), then you can use only the cluster endpoint. If your client doesn't support SAN, you must use the endpoint of the primary instance.

Note: The default MySQL command line client doesn't support SAN.

If you receive this error when trying to connect to the cluster endpoint, use the endpoint of the primary instance in the connection string instead. The following examples show the difference. In them, the cluster endpoint is abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com and the instance endpoint is abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com.

Connecting using the cluster endpoint:

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

Connecting using the instance endpoint:

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 26

ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL

You can receive this error if the server or engine version that you use doesn't support SSL. To resolve this error, migrate to an engine that supports SSL connections.

ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed or ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

You can receive this error if the certificate identifier (the certificate file name or path) isn't correct. You can also receive this error if the certificate identifier isn't supported by the MySQL client that you use, for example with Aurora Serverless. If you use the MySQL client to connect to an Aurora Serverless cluster, then you must use the MySQL 8.0-compatible MySQL client commands.

Be sure to use the correct certificate identifier name and the correct path to the certificate to connect successfully. Before connecting, confirm that you have downloaded the correct certificate. For more information, see Using SSL to Encrypt a Connection to a DB Instance.

In the following example, the root certificate file is in the Downloads directory of an Amazon Elastic Compute Cloud (Amazon EC2) instance, but the command is run from the home directory with only the file name. The client looks for the certificate in the wrong path, which results in ERROR 2026:

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed

Note: This example uses the connection string in the home directory, but the root certificate is in the Downloads directory.

In the following example, the path to the root certificate is used to connect successfully:

[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-clust.cluster-xxxx.us-east-1.rds.amazonaws.com --ssl-ca /home/ec2-user/Downloads/rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 26

You can also receive this error if you don't have permissions to the directory that the certificate is stored in. Be sure that the certificate is in a directory that you have permissions to access. See the following examples of connecting with and without permissions:

Connecting with insufficient permissions:

[ec2-user@ip-192-0-2-0 ~]$ sudo chmod 700 rds-combined-ca-bundle.pem
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password: 
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed

Connecting with the correct permissions: 

[ec2-user@ip-192-0-2-0 ~]$ sudo chmod 755 rds-combined-ca-bundle.pem
[ec2-user@ip-192-0-2-0 ~]$ mysql -h abcdefg-inst.xxxx.us-east-1.rds.amazonaws.com --ssl-ca rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u test -p test
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 810
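The checks in the two sections above (cluster endpoint versus instance endpoint, and the path, permissions and format of the --ssl-ca file) can be scripted and run before you invoke the mysql client. The following Bash script is an added example and is not part of the AWS article or of the mysql client. It assumes that an Aurora cluster endpoint can be recognized by the ".cluster-" label in its host name, that the client is the stock mysql command line client (which doesn't support SAN), and that the presence of a "-----BEGIN CERTIFICATE-----" header is enough to tell a PEM bundle apart from a wrong or non-PEM file; the exit codes are this example's own convention.

```bash
#!/usr/bin/env bash
# Added example, not from the AWS article: pre-flight checks for the causes of
# ERROR 2026 described above, run before invoking the mysql client.
# Assumptions: the stock mysql CLI (no SAN support) is used with
# --ssl-mode=VERIFY_IDENTITY, and cluster endpoints contain ".cluster-".

# Classify an RDS/Aurora endpoint by host name (assumed naming convention).
endpoint_kind() {
    case "$1" in
        *.cluster-ro-*) echo "cluster-reader" ;;
        *.cluster-*)    echo "cluster" ;;
        *)              echo "instance" ;;
    esac
}

# Check the --ssl-ca file the way the client will see it.
# Return codes (this example's convention):
#   0 usable PEM bundle
#   2 file missing            (SSL_CTX_set_default_verify_paths failed)
#   3 not readable by this user (same error, caused by permissions)
#   4 no PEM certificate in it (wrong file or format)
check_ca_bundle() {
    local ca="$1"
    [ -e "$ca" ] || return 2
    [ -r "$ca" ] || return 3
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || return 4
    return 0
}

# Run both checks, print a diagnosis, and return non-zero when the mysql CLI
# would fail with VERIFY_IDENTITY for one of the reasons above.
preflight() {
    local host="$1" ca="$2" kind rc=0
    kind=$(endpoint_kind "$host")
    if [ "$kind" != "instance" ]; then
        echo "warn: $host is a $kind endpoint; the mysql CLI does not support SAN," \
             "so VERIFY_IDENTITY fails with 'SSL certificate validation failure'." \
             "Use the primary instance endpoint instead."
        return 1
    fi
    check_ca_bundle "$ca" || rc=$?
    case $rc in
        0) echo "ok: $host is an instance endpoint and $ca is a readable PEM bundle" ;;
        2) echo "error: $ca does not exist (check the path; the bundle may be in ~/Downloads)" ;;
        3) echo "error: $ca is not readable by $(id -un) (fix the owner or mode, e.g. chmod 644)" ;;
        4) echo "error: $ca contains no PEM certificate (wrong file or format)" ;;
    esac
    return $rc
}

# Usage: bash preflight.sh <endpoint-host> <path-to-ca-bundle>
if [ -n "${1-}" ]; then
    preflight "$1" "${2-rds-combined-ca-bundle.pem}"
fi
```

Run it with the same host and --ssl-ca path that you pass to mysql; a non-zero exit code tells you which of the three conditions to fix before retrying the connection. The PEM header check is only a sanity check on the file, not a validation of the certificate chain, which the client still performs during the handshake.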


Published: 2019-02-25