Cannot set up SSL for MySQL using only DO-provided CA certificate

Posted February 16, 2020
DigitalOcean Managed MySQL Database

I’m having a lot of trouble successfully setting up connections to the MySQL managed databases, and finding the usually very informative DO documentation and tutorials lacking in details.

The documentation notes that SSL connections are required to connect, and that you will need the provided CA certificate, a client certificate, and a client key to successfully establish SSL connections.


I’m able to remotely connect via CLI, and conduct all database options, import dumpfiles, drop databases, etc., without setting up any SSL settings. The connection string works whether or not I specify ssl-mode=required and without any reference to the certificate and keys which are supposed to be necessary.

Via Django

However, when trying to set up an existing Django project to connect to the managed database the connection is completely unsuccessful. The error message always indicates that it is unable to successfully establish an SSL connection - different from the CLI results.

Various sources have indicated how you can reference the necessary CA certificate, client certificate and client key to connect.

The cluster interface allows you to download the appropriate CA certificate only.

For generating the client certificate and key, DO’s documentation just points us to MySQL’s own docs for how to do this.

MySQL’s documentation (and a number of tutorials available on the web) all note that there are (2) methods possible:

  • use the mysql_ssl_rsa_setup utility, which only requires the CA certificate but which results in self-signed client certificates and keys, or
  • use openssl, which can generate client certificates signed with the CA certificate that the server is referencing, but only if you also have the server certificate and server key.

If I try to connect using the self-signed client certificates and keys, my connection is rejected and the cluster log references that they were self-signed, suggesting that you can’t use self-signed certificate and keys.

The alternate approach (openssl) is not available to me, as I don’t have access to the server’s certificate and key. DO’s own tutorial on doing so (for MySQL in general, not the managed databases) requires you to ssh into the server, which is not an option for the managed databases.

Any thoughts on how to proceed? I can set up a PostgreSQL managed database successfully, and connect immediately without any problems, but I would rather not go through the tedious process of converting a large number of MySQL databases to PostgreSQL.

1 comment
  • I’m hitting this issue as well, but with setting up a custom pgbouncer server against a managed postgres instance (needs custom settings that the default DO pgbouncer pools don’t offer). Using openssl, I need both the cert and the key in order to generate a certificate that will be accepted.
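
For the Django case in the question, an added example (not from the post or from DigitalOcean's documentation): a helper that builds a `DATABASES` entry which verifies the server against the downloaded CA certificate and presents no client certificate or key, the one-way TLS that the CLI behaviour described in the question is consistent with. It assumes the `mysqlclient` driver, whose `ssl` and `ssl_mode` connect options Django passes through from `OPTIONS`; the function name, URI and file path are hypothetical.

```python
from urllib.parse import unquote, urlsplit

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def django_db_from_uri(uri, ca_path):
    """Build a Django DATABASES entry that verifies the server against
    ca_path and presents no client certificate or key (one-way TLS)."""
    with open(ca_path, encoding="ascii") as fh:
        pem = fh.read().strip()
    # Framing check only: catches a wrong or truncated download early.
    if "PRIVATE KEY" in pem:
        raise ValueError("CA file should hold certificates, not a key")
    if not pem.startswith(BEGIN) or pem.count(BEGIN) != pem.count(END):
        raise ValueError("CA file is not a PEM certificate")

    parts = urlsplit(uri)
    if parts.scheme != "mysql" or not parts.hostname:
        raise ValueError("expected mysql://user:password@host:port/dbname")

    return {
        "ENGINE": "django.db.backends.mysql",
        "NAME": parts.path.lstrip("/"),
        "USER": unquote(parts.username or ""),
        "PASSWORD": unquote(parts.password or ""),
        "HOST": parts.hostname,
        "PORT": str(parts.port or 3306),
        "OPTIONS": {
            # REQUIRED only encrypts; VERIFY_CA also checks the server's
            # certificate chain against the CA file below.
            "ssl_mode": "VERIFY_CA",
            # No "cert"/"key": those are for servers that demand a client
            # certificate (assumed not the case here).
            "ssl": {"ca": ca_path},
        },
    }
```

In `settings.py` this would be used as `DATABASES = {"default": django_db_from_uri(os.environ["DATABASE_URL"], "/etc/ssl/ca-certificate.crt")}`, where the environment variable name and path are placeholders.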

2 answers

DigitalOcean gave me a clear answer on this problem whilst trying to get client certificates generated to connect Google Data Studio to their managed MySQL:

“At the moment we only support MySQL 8 and It is not compatible with Google Data Studio.”

It’s unclear when or how they will support this.