ERROR 2026 (HY000): TLS/SSL error: unable to get local issuer certificate

0

Hi, I'm attempting to set up an RDS MariaDB database to use with WordPress in the Malaysia region.

I'm using a db.t3.micro database class, and it's located in a private subnet within my VPC. I've set up a security group for the EC2 to connect to the database.

However, I'm unable to connect to the database with PuTTY and keep receiving this error: "ERROR 2026 (HY000): TLS/SSL error: unable to get local issuer certificate." I even tried disabling SSL, but that didn't solve the issue.

Thank you.

1 Answer
1

Hi!

It seems that the error you're encountering is related to the SSL/TLS configuration between your client (likely the EC2 instance) and the RDS MariaDB. This error typically occurs when the client cannot validate the server's certificate due to the absence of a local Certificate Authority (CA) certificate or incorrect configuration.

Here are some steps you can take to resolve this issue:

  1. Download the AWS CA Certificate: To connect to RDS MariaDB using SSL, you need to have the appropriate CA certificate. You can download the AWS CA certificate from this link. Make sure to select the correct certificate for the Malaysia region (AP-SOUTHEAST-1).

  2. Configure the Client to Use the Certificate: After downloading the certificate, you need to configure your client to use it. If you're using MySQL Workbench or another database client, there will be an option to specify the path to the CA certificate.

  3. Check RDS Configuration: Verify that the require_secure_transport parameter is set to ON in the RDS parameter group. If this parameter is set to ON, all connections to the database require SSL. If needed, you can temporarily set it to OFF for testing purposes, but this is not recommended for production due to security reasons.

  4. Check the Security Group: Ensure that the Security Group associated with your RDS allows inbound connections on port 3306 (or another configured port) from the Security Group associated with your EC2 instance.

  5. Configure the EC2 Instance: If you're trying to connect to RDS from an EC2 instance using SSH and tunneling, make sure the SSH tunnel is correctly set up and that the SSL connection is being established through that tunnel.

  6. Update Operating System Certificates: Ensure that the EC2 instance has up-to-date CA certificates. On Linux-based systems, you can update the certificates using commands like sudo update-ca-certificates.

Note: Disabling SSL is not recommended, especially in production environments, as SSL protects the integrity and confidentiality of the data transmitted between the client and server.

EXPERT
answered a month ago
EXPERT
reviewed a month ago
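Steps 1 and 2 of the answer above, sketched as shell helpers for the EC2 instance. This is an added example, not part of the original answer. It assumes the MariaDB command-line client (`mariadb`), AWS's published global RDS trust bundle URL, and hypothetical function names; the endpoint and user in the usage comments are placeholders.

```shell
#!/usr/bin/env bash
# Added example: helper names are hypothetical; host and user are placeholders.
# Assumed CA source: the global RDS trust bundle published by AWS.
BUNDLE_URL="https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"

# Print how many PEM certificates a bundle holds; fail if unreadable or empty.
# An empty or truncated download reproduces ERROR 2026 just like a missing file.
count_bundle_certs() {
  local bundle="$1" n
  [ -r "$bundle" ] || { echo 0; return 1; }
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
  echo "$n"
  [ "$n" -gt 0 ]
}

# Write a client option file that pins the CA bundle and turns on
# server certificate verification for every connection that uses it.
write_client_cnf() {
  local bundle="$1" cnf="$2"
  count_bundle_certs "$bundle" >/dev/null ||
    { echo "unusable CA bundle: $bundle" >&2; return 1; }
  ( umask 077
    printf '[client]\nssl-ca=%s\nssl-verify-server-cert\n' "$bundle" > "$cnf" )
}

# Ask OpenSSL for its verdict on the server chain against the same bundle.
# "Verify return code: 0 (ok)" means the issuer was found in the bundle.
show_verify_result() {
  local bundle="$1" host="$2"
  openssl s_client -connect "$host:3306" -starttls mysql -CAfile "$bundle" \
    </dev/null 2>/dev/null | grep 'Verify return code'
}

# Connect using only the option file, so TLS settings cannot be forgotten.
connect_verified() {
  local cnf="$1" host="$2" user="$3"
  mariadb --defaults-extra-file="$cnf" -h "$host" -P 3306 -u "$user" -p
}

# Usage on the instance (placeholders in angle brackets):
#   curl -fsS -o "$HOME/rds-ca.pem" "$BUNDLE_URL"
#   write_client_cnf "$HOME/rds-ca.pem" "$HOME/.rds-client.cnf"
#   show_verify_result "$HOME/rds-ca.pem" "<rds-endpoint>"
#   connect_verified "$HOME/.rds-client.cnf" "<rds-endpoint>" "<db-user>"
```

Oracle's `mysql` 8.x client does not accept `ssl-verify-server-cert`; there the equivalent is `--ssl-mode=VERIFY_IDENTITY` together with `--ssl-ca`.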
