MySQL ERROR 2026 (HY000): SSL connection error – Some Troubleshooting Ideas

I just spent a fair amount of time setting up MySQL replication between two servers encrypted by SSL (using MySQL 5.1.73).

I struggled with fixing a nasty error displayed only as ‘ERROR 2026 (HY000): SSL connection error’.

In the following, I have collected a few possible strategies for resolving this error:

  • Is the password for the user on your server shorter than 36 characters?
  • Do the *.pem files on the server and client have the right file permissions?
  • Do your client and server certificates use a different COMMON NAME?
  • Have you tried a basic SSL setup with only a certificate authority certificate (e.g. ca-cert.pem), a server certificate (e.g. server-cert.pem) and a server key (e.g. server-key.pem)? (see) In theory, client certificates are not required for a basic setup.
  • Have you tested your certificates with a simple openssl HTTP server (see)?
  • Is your private key in the PKCS#1 format (file starts with ‘-----BEGIN RSA PRIVATE KEY-----’)? (see, see)
  • Did you generate your certificates with TinyCA with the default settings?
  • Did you try connecting to the server WITHOUT using the certificate authority certificate (e.g. ca-cert.pem) BUT WITH specifying a client certificate and key?
    • mysql --ssl --ssl-cert=[client_cert] --ssl-key=[client_key] -u[ssluser] -h[server] -p[ssluser psw]
  • Is your certificate ‘simple enough’ for the MySQL SSL implementation, e.g. not a chained certificate tree? (see) Or did you use a wildcard certificate (which is not supported)? (see)
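
As an added example (not part of the original post), the shell functions below check three of the items above: the private key's PEM header, the key file's mode, and whether the server and client certificates share a COMMON NAME. The function names and file arguments are hypothetical, and `cert_cn` assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example: pre-flight checks for three checklist items (key format,
# file permissions, COMMON NAME). All file names are placeholders.

# Classify a PEM private key by its first line (CRLF line ends tolerated).
key_format() {
    case "$(head -n 1 "$1" 2>/dev/null | tr -d '\r')" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Pull the CN out of an `openssl x509 -noout -subject` line; handles both
# the old "/C=DE/CN=host" and the newer "C = DE, CN = host" layouts.
cn_of_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# COMMON NAME of a PEM certificate file (needs the openssl CLI).
cert_cn() {
    cn_of_subject "$(openssl x509 -noout -subject -in "$1")"
}

# Mode string of a file, e.g. "-rw-------". Assumption: the key should not
# be readable by "other", yet the account running mysqld must still read it.
file_mode() {
    ls -ld -- "$1" | cut -c1-10
}

# Report on a server key, server certificate and client certificate.
# Usage: preflight server-key.pem server-cert.pem client-cert.pem
preflight() {
    key=$1 server_cert=$2 client_cert=$3
    echo "key format : $(key_format "$key")"
    echo "key mode   : $(file_mode "$key")"
    s=$(cert_cn "$server_cert"); c=$(cert_cn "$client_cert")
    echo "server CN  : $s"
    echo "client CN  : $c"
    [ "$s" != "$c" ] || { echo "WARN: identical COMMON NAME"; return 1; }
}
```

Source the file and run `preflight` as the same OS account that runs mysqld, so that an unreadable key shows up as `unknown` rather than passing silently.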

Good luck 🙂
