Unable to connect to MySQL DB that requires SSL

Hello!

I am attempting to connect to an Azure Database for MySQL which requires a secure connection. Looking at the Diesel documentation, an SSL mode and cert can be specified in the connection string. However, given my configuration, I am unable to connect (details below).

Connection string:

DATABASE_URL=mysql://username:password@hostname:3306/dbname?ssl_mode=REQUIRED&ssl_ca=/mounted/path/to/cert/DigiCertGlobalRootG2.crt.pem

Upon starting the App Service, the following error appears:

Error creating database pool: DieselCon.
BadConnection("TLS/SSL error: self-signed certificate in certificate chain",)

I am not sure if I have misinterpreted the requirements of the connection string (their documentation has an asterisk * showing after SSL_MODE?), if the *.crt.pem file is in the right format for this use, or if this is a supported feature.

Any help here would be appreciated!

Try without the ssl_ca

Thanks @BlackDex, I tried this but got a new error.

New connection string:

DATABASE_URL=mysql://username:password@hostname:3306/dbname?ssl_mode=REQUIRED

New error:

BadConnection("Connections using insecure transport are prohibited while --require_secure_transport=ON.",)

Any hints on what else to try would be great.

After struggling with this as well, I dug a bit in the docs and issues of the diesel library. At first, I thought it would be this bug, not correctly passing on the parameters:

But the newer versions of Vaultwarden include this fix, and it still didn’t work for me with 1.32.0.

In the end, I got it working with this URL:

DATABASE_URL=mysql://user:password@hostname:3306/database?ssl_mode=VERIFY_IDENTITY&ssl_ca=/etc/ssl/certs/ISRG_Root_X1.pem

Setting require_secure_transport = on alone still caused Access denied errors. Those could be solved by requiring SSL for the specific user: Securing Connections for Client and Server - MariaDB Knowledge Base (I’m working with MariaDB 10.11)

But…

I believe there is still something odd about the database connection: Using the same database URL as above, but disabling SSL support at the database (including require_secure_transport = off) and also setting REQUIRE NONE for the user, connects just fine. ssl_mode=VERIFY_IDENTITY left me under the impression that a valid and matching certificate must be presented.
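
A server-side way to check the settings discussed in this thread, added here as an example and not taken from any of the posts: it audits the TLS state of a MariaDB server, finds accounts that may still log in without TLS, and enforces TLS for one account. It assumes MariaDB 10.11 as in the last post; the account name 'vaultwarden'@'%' is a placeholder.

```sql
-- 1. Is TLS available on the server, and is it mandatory for every client?
--    have_ssl = YES means TLS is configured; DISABLED means compiled in
--    but no certificate/key is loaded.
SHOW GLOBAL VARIABLES
WHERE Variable_name IN ('have_ssl', 'require_secure_transport',
                        'ssl_ca', 'ssl_cert', 'ssl_key');

-- 2. Which accounts may still authenticate over a plaintext connection?
--    An empty ssl_type corresponds to REQUIRE NONE.
SELECT User, Host, ssl_type
FROM mysql.user
WHERE ssl_type = ''
ORDER BY User, Host;

-- 3. Enforce TLS for the application account (placeholder name).
--    After this, a login attempt without TLS is refused with
--    "Access denied", whatever the client's ssl_mode says.
ALTER USER 'vaultwarden'@'%' REQUIRE SSL;

-- 4. Confirm the requirement is stored.
SHOW GRANTS FOR 'vaultwarden'@'%';

-- 5. Run from a client session logged in as that account:
--    an empty Ssl_cipher value means the session is NOT encrypted.
SHOW SESSION STATUS
WHERE Variable_name IN ('Ssl_version', 'Ssl_cipher');
```

Steps 1 to 4 only show what the server demands; the server cannot tell whether the client validated the certificate chain or host name, so the effect of ssl_mode=VERIFY_IDENTITY has to be tested on the client side, for example by pointing ssl_ca at a CA that did not issue the server certificate and confirming the connection fails.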