MySQL error 2026 occurs when the SSL/TLS connection between client and server fails due to certificate issues, protocol version mismatches, or misconfiguration. This commonly affects database connections in applications and requires SSL certificate verification fixes.
Error 2026 (CR_SSL_CONNECTION_ERROR) is a MySQL connection error that occurs when the SSL/TLS layer fails to establish a secure connection between your client and the MySQL server. This can happen due to certificate validation failures, protocol version incompatibility, expired certificates, incorrect certificate paths, or mismatched SSL configurations between client and server. The error is thrown by the MySQL client library when it cannot negotiate a secure connection using the provided SSL parameters. This is a critical error because it completely prevents database connections when SSL is required, making it impossible for your application to authenticate and connect to the database.
Connect to your MySQL server and check if SSL is configured:
SHOW VARIABLES LIKE '%ssl%';
You should see have_ssl set to YES. If SSL is not enabled on the server, enable it by adding SSL certificates to your MySQL configuration file (my.cnf or my.ini).
Verify that the SSL certificate files exist and are readable:
ls -l /path/to/ca.pem
ls -l /path/to/server-cert.pem
ls -l /path/to/server-key.pem
Ensure the MySQL server has read permissions on these files. On Linux:
chmod 644 /path/to/ca.pem
chmod 644 /path/to/server-cert.pem
chmod 600 /path/to/server-key.pem
Check the expiration date of your SSL certificates:
openssl x509 -in /path/to/server-cert.pem -noout -dates
If the certificate has expired, generate new ones or renew them from your certificate authority. Update the paths in your MySQL configuration file accordingly.
For Node.js/JavaScript applications using mysql2:
const mysql = require('mysql2');
const fs = require('fs');
const connection = mysql.createConnection({
  host: 'your-host',
  user: 'your-user',
  password: 'your-password',
  ssl: {
    ca: fs.readFileSync('/path/to/ca.pem')
  }
});
For other drivers, ensure you're providing the correct CA certificate path that matches what the server is using.
If using an old client, it may default to TLSv1.0 or TLSv1.1 which modern MySQL servers reject. Force TLS 1.2 or higher in your MySQL configuration (my.cnf):
[mysqld]
tls_version='TLSv1.2,TLSv1.3'
For client connections in Node.js:
ssl: {
  ca: fs.readFileSync('/path/to/ca.pem'),
  minVersion: 'TLSv1.2'
}
If using AWS RDS, download the correct regional certificate from AWS:
wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
Then use it in your connection:
ssl: {
  ca: fs.readFileSync('./global-bundle.pem')
}
If MySQL is compiled with YaSSL and certificates were created with newer OpenSSL, convert to PKCS#1 format:
openssl rsa -in server-key.pem -out server-key-pkcs1.pem
# With OpenSSL 3.x, add -traditional; without it the output is still PKCS#8
Update my.cnf to use the converted key:
[mysqld]
ssl_key=/path/to/server-key-pkcs1.pem
If client and server certificates share the same common name, regenerate them with different names:
openssl req -x509 -newkey rsa:2048 -keyout server-key.pem -out server-cert.pem -days 365 -nodes -subj '/CN=mysql-server'
openssl req -x509 -newkey rsa:2048 -keyout client-key.pem -out client-cert.pem -days 365 -nodes -subj '/CN=mysql-client'
Update the paths in my.cnf and restart MySQL.
If using an outdated client library, upgrade to the latest version:
For npm packages:
npm update mysql2
# or
npm install --save mysql2@latest
For system packages on Linux:
sudo apt-get install -y mysql-client
# or
sudo yum install -y mysql
Certificate Format Issues: MySQL versions compiled with YaSSL (older versions or specific builds) require certificates in PKCS#1 format with '-----BEGIN RSA PRIVATE KEY-----' headers. Newer OpenSSL versions generate PKCS#8 format by default. If you see the error after upgrading OpenSSL, convert your private keys to PKCS#1 format.
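To check which format a key file is in before pointing ssl_key at it, the header test and the PKCS#8 to PKCS#1 re-encoding can be done with Node's built-in crypto module. This is an added example, not code from the original page; the function names are illustrative and the sample key is generated in memory.

```javascript
const crypto = require('crypto');

// PEM header label -> private key container format.
const LABELS = {
  'RSA PRIVATE KEY': 'pkcs1',            // what YaSSL builds expect
  'PRIVATE KEY': 'pkcs8',                // newer OpenSSL default
  'ENCRYPTED PRIVATE KEY': 'pkcs8-encrypted',
  'EC PRIVATE KEY': 'sec1',
};

// Classify the first key block in a PEM string by its header.
function detectKeyFormat(pem) {
  const m = /-----BEGIN ([A-Z0-9 ]+)-----/.exec(pem);
  const fmt = m ? LABELS[m[1]] || 'unknown' : 'unknown';
  // Legacy encrypted PKCS#1 keeps the RSA header and adds a Proc-Type line.
  return fmt === 'pkcs1' && /Proc-Type: 4,ENCRYPTED/.test(pem) ? 'pkcs1-encrypted' : fmt;
}

// Re-encode an RSA private key as unencrypted PKCS#1 PEM.
function toPkcs1(pem, passphrase) {
  const fmt = detectKeyFormat(pem);
  if (fmt === 'pkcs1') return pem;       // nothing to convert
  if (fmt === 'unknown') throw new Error('no private key block found');
  const key = crypto.createPrivateKey(passphrase ? { key: pem, passphrase } : pem);
  if (key.asymmetricKeyType !== 'rsa') {
    throw new Error(`PKCS#1 holds RSA keys only, got ${key.asymmetricKeyType}`);
  }
  return key.export({ type: 'pkcs1', format: 'pem' });
}

// Constructed sample: a throwaway key generated in memory, PKCS#8 encoded.
function sampleKey(type, options) {
  return crypto.generateKeyPairSync(type, {
    ...options,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  }).privateKey;
}

const demoKey = sampleKey('rsa', { modulusLength: 2048 });
console.log(detectKeyFormat(demoKey), '->', detectKeyFormat(toPkcs1(demoKey)));
```

Write the converted PEM with the same 600 permissions as the original key file.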
Subject Alternative Names (SAN): When using cloud databases like AWS RDS, ensure your client supports SAN if you're using cluster endpoints. Older clients must use primary instance endpoints.
Certificate Chain: Some setups require the full certificate chain to be provided. If using intermediate certificates, ensure they're included in the CA bundle.
TLS Version Evolution: MySQL 8.0+ defaults to TLSv1.2 minimum. If your client is stuck on TLSv1.0 or TLSv1.1, upgrade the client library or explicitly allow older protocols on the server (though this is a security trade-off).
Self-Signed Certificates: For development, you can use self-signed certificates but must either trust them in your client or disable verification with rejectUnauthorized: false (not recommended for production).
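Firewall and Network: Even if SSL is configured correctly, firewalls may block port 3306 or interfere with SSL negotiation. Test with openssl s_client -starttls mysql -connect host:3306 to verify connectivity (the -starttls mysql option requires OpenSSL 1.1.1 or later; it is needed because MySQL begins the session in plaintext before upgrading to TLS).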
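The client-side settings discussed above (ca, minVersion, rejectUnauthorized) can be checked before a connection is attempted, including whether the client's version range overlaps the server's tls_version list. This is an added example, not code from the original page; the function names, severity labels and sample objects are illustrative.

```javascript
const tls = require('tls');

// Protocol names in ascending order, shared by Node's minVersion/maxVersion
// and the server's tls_version list.
const ORDER = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'];
const rank = (v) => ORDER.indexOf(v);

// Versions both sides accept: client range vs. server tls_version string.
function commonVersions(ssl, serverTlsVersion) {
  const lo = rank(ssl.minVersion || tls.DEFAULT_MIN_VERSION);
  const hi = rank(ssl.maxVersion || tls.DEFAULT_MAX_VERSION);
  return serverTlsVersion.split(',').map((s) => s.trim())
    .filter((v) => rank(v) !== -1 && rank(v) >= lo && rank(v) <= hi);
}

// Audit an ssl option object; returns [{ severity, issue }, ...].
function auditSsl(ssl, serverTlsVersion = 'TLSv1.2,TLSv1.3') {
  if (!ssl || typeof ssl !== 'object') {
    return [{ severity: 'high', issue: 'no ssl option object to audit' }];
  }
  const out = [];
  const add = (severity, issue) => out.push({ severity, issue });
  if (ssl.rejectUnauthorized === false) add('high', 'certificate verification is disabled');
  if (!ssl.ca) add('info', 'no ca given: Node default trust store will be used');
  for (const k of ['minVersion', 'maxVersion']) {
    if (ssl[k] !== undefined && rank(ssl[k]) === -1) add('high', `${k} is not a known TLS version`);
  }
  if (ssl.minVersion && rank(ssl.minVersion) !== -1 && rank(ssl.minVersion) < rank('TLSv1.2')) {
    add('medium', 'minVersion permits TLS 1.0/1.1');
  }
  if (commonVersions(ssl, serverTlsVersion).length === 0) {
    add('high', 'no protocol version in common with the server');
  }
  return out;
}

// Constructed samples: a weak configuration beside a hardened one.
const WEAK = { rejectUnauthorized: false, minVersion: 'TLSv1', maxVersion: 'TLSv1.1' };
const HARDENED = { ca: '<CA bundle PEM>', minVersion: 'TLSv1.2', maxVersion: 'TLSv1.3' };

console.log(auditSsl(WEAK));
console.log(auditSsl(HARDENED));
```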