MySQL EE_SSL_ERROR (60) indicates a failed SSL/TLS handshake between client and server. This typically results from certificate validation failures, permission issues, or TLS version mismatches. Fixing it involves verifying certificates, adjusting permissions, and reloading TLS configuration.
EE_SSL_ERROR (error 60) is a MySQL SSL/TLS handshake failure that occurs when the client and server cannot establish a secure connection. This error was introduced in MySQL 8.0.13 and signals that MySQL's underlying OpenSSL layer detected a certificate, key, or protocol problem serious enough to abort the secure channel. The error indicates that either the server certificate is invalid, expired, or untrusted, or there is a mismatch between client and server TLS configurations.
Connect to your MySQL server and check if SSL support is enabled:
SHOW VARIABLES LIKE 'have_ssl';
The result should show "YES" for the value. If it shows "NO", SSL is not compiled into your MySQL installation and you'll need to rebuild MySQL with SSL support or use a pre-built version that includes it.
MySQL needs read access to the SSL certificate files. Verify permissions on the server:
ls -la /path/to/mysql/ssl/
Certificates should be readable by the MySQL user (typically "mysql" or "mysqld"). Set proper permissions:
chmod 644 /path/to/mysql/ssl/ca-cert.pem
chmod 644 /path/to/mysql/ssl/server-cert.pem
chmod 600 /path/to/mysql/ssl/server-key.pem
chown mysql:mysql /path/to/mysql/ssl/*
Private keys must be readable only by the MySQL user (600 permissions).
Test that your certificates are properly signed and valid:
openssl verify -CAfile ca-cert.pem server-cert.pem
If using client certificates, also verify:
openssl verify -CAfile ca-cert.pem client-cert.pem
Both commands should return "OK". If you see certificate validation errors, your certificates may be self-signed improperly or missing the complete certificate chain.
If using certificates from a certificate authority (like Let's Encrypt), ensure you have the complete chain. The CA certificate file should contain all intermediate certificates in the chain:
cat intermediate-ca.pem root-ca.pem > ca-chain.pem
When connecting with clients, point to the complete chain file. For self-signed certificates, ensure the single CA certificate is used consistently on both client and server.
For MySQL 8.0.16 and later, reload certificates and keys without restarting the server:
ALTER INSTANCE RELOAD TLS;
This command refreshes the SSL configuration in-place. For older MySQL versions, you must restart mysqld:
sudo systemctl restart mysql
Or on systems using service:
sudo service mysql restart
When connecting from a client, ensure the SSL mode and certificate paths match the server configuration:
mysql --ssl-mode=REQUIRED \
--ssl-ca=/path/to/ca-cert.pem \
--ssl-cert=/path/to/client-cert.pem \
--ssl-key=/path/to/client-key.pem \
-h mysql-server.example.com -u username -p
For applications, configure the connection string or connection options accordingly. The --ssl-mode can be:
- REQUIRED: Connection must use SSL
- VERIFY_CA: SSL required, verify server CA
- VERIFY_IDENTITY: SSL required, verify CA and hostname match
SSL/TLS certificate validation includes timestamp checks. Ensure both client and server systems have synchronized clocks:
date
timedatectl status # On systemd systems
If clocks are out of sync, synchronize them using NTP:
sudo timedatectl set-ntp true # On systemd
sudo ntpq -p # Check NTP status
Certificates become invalid if the server time is before the certificate's "not before" date or after the "not after" date.
For Docker or Kubernetes deployments, certificate and key files are often mounted as secrets with root-only permissions. Ensure the MySQL container or pod runs with appropriate permissions or mounts the secrets with readable permissions (e.g., using defaultMode: 0644 in Kubernetes).
Load balancers or proxies that intercept TLS require either certificate pass-through mode or matching certificates installed on the proxy layer.
For development with self-signed certificates, you can temporarily use --ssl-mode=SKIP_VERIFY (if supported by your client library) or --ssl-mode=DISABLED on the client side, but this exposes credentials in plaintext and should never be used in production.
Some MySQL clients enforce extended key usage (extendedKeyUsage) requirements; if the CN mismatch still occurs after verifying basic configuration, ensure client certificates specify clientAuth.
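The permission, chain and expiry checks from the steps above can be combined into one preflight to run before ALTER INSTANCE RELOAD TLS. This is an added example, not part of the original article; it assumes GNU stat, the openssl CLI, the files ca-cert.pem, server-cert.pem and server-key.pem in one directory, and the hypothetical function names audit_tls_perms and audit_tls_certs.

```bash
#!/usr/bin/env bash
# Added example: preflight for the server TLS files before reloading them.
# Assumes GNU stat (Linux) and the file names used in the steps above;
# the function names are hypothetical.

# Owner and mode audit. Prints one line per problem, returns 1 if any.
audit_tls_perms() {
    local dir="$1" owner="${2:-mysql}" bad=0 f mode user
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $f"; bad=1; continue
        fi
        mode=$(stat -c '%a' "$dir/$f")
        user=$(stat -c '%U' "$dir/$f")
        if [ "$user" != "$owner" ]; then
            echo "OWNER $f is $user, expected $owner"; bad=1
        fi
        if [ $(( 0$mode & 0400 )) -eq 0 ]; then
            echo "MODE $f is $mode, owner cannot read it"; bad=1
        fi
        case $f in
            *-key.pem)   # private key: no group/other access (chmod 600)
                if [ $(( 0$mode & 077 )) -ne 0 ]; then
                    echo "MODE $f is $mode, expected 600"; bad=1
                fi ;;
            *)           # certificates are public, but only the owner may write
                if [ $(( 0$mode & 022 )) -ne 0 ]; then
                    echo "MODE $f is $mode, writable by group/other"; bad=1
                fi ;;
        esac
    done
    return "$bad"
}

# Chain and expiry checks with the openssl CLI, same file layout.
audit_tls_certs() {
    local dir="$1" bad=0
    if ! openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1; then
        echo "CHAIN server-cert.pem does not verify against ca-cert.pem"; bad=1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$dir/server-cert.pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED server-cert.pem"; bad=1
    fi
    return "$bad"
}
```

Run `audit_tls_perms /path/to/mysql/ssl mysql` and then `audit_tls_certs /path/to/mysql/ssl` on the server. A private key mounted with a group- or world-readable mode such as 0644 is reported, since the key should stay at 600.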