
Tutorial: Set Up an SSL Connection to Azure Flexible MySQL Server

Abstract

Create an encrypted connection from Access Server to MySQL or Azure Flexible MySQL Servers with the steps shown here.

Overview

With Access Server 2.9.0 and newer, you can make an encrypted connection to MySQL or Azure Flexible MySQL Servers.

You can configure one of three modes for the database connection:

  1. Disabled: No SSL.

  2. Preferred: Attempt an SSL connection, but fall back to an unencrypted one if SSL is not supported or cannot be established. This is the default. Because the fallback is silent, Preferred gives no protection against an attacker who can interfere with the TLS handshake, so use it only while first validating the setup.

  3. Required: SSL is mandatory, and the database connection is dropped if the certificate check fails.

Prerequisites

  1. Download the Microsoft RSA Root Certificate Authority 2017 root certificate. It is served in DER format; the -f flag makes curl fail on an HTTP error instead of saving an error page as the certificate:

    curl -fsSL https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt -o MicrosoftRSARootCertificateAuthority2017.crt
  2. Convert the Microsoft RSA Root Certificate Authority 2017 Root Certificate to PEM format:

    openssl x509 -inform der -in 'MicrosoftRSARootCertificateAuthority2017.crt' -out MicrosoftRSARootCertificateAuthority2017.crt.pem
  3. Download the DigiCert Global Root CA root certificate and add it to the certificate bundle file called combined-ca-certificates.pem. The redirection appends, so delete any combined-ca-certificates.pem left over from an earlier run first; otherwise the bundle accumulates duplicate entries:

    curl -fsS https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem >> combined-ca-certificates.pem
  4. Download the DigiCert Global Root G2 root certificate and add it to the same bundle file:

    curl -fsS https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem >> combined-ca-certificates.pem
  5. Add the Microsoft RSA Root Certificate Authority 2017 Root Certificate (Already converted to PEM Format) to the certificate bundle file called the combined-ca-certificates.pem:

    cat MicrosoftRSARootCertificateAuthority2017.crt.pem >> combined-ca-certificates.pem
  6. Move the combined-ca-certificates.pem file to the /etc/ssl/certs/ directory, where it should be owned by root and readable by the Access Server service:

    mv combined-ca-certificates.pem /etc/ssl/certs/
  7. Point Access Server at the bundle and set the SSL mode by running these commands with root privileges in the /usr/local/openvpn_as/scripts/ directory. PREFERRED is shown for the first run; once you have confirmed that the encrypted connection works, set mysql.ssl_mode to REQUIRED so that a failed certificate check is no longer silently downgraded to plaintext:

    ./sacli --key "mysql.ssl_ca_cert" --value '/etc/ssl/certs/combined-ca-certificates.pem' ConfigPut
    ./sacli --key "mysql.ssl_mode" --value "PREFERRED" ConfigPut
  8. Restart the Access Server service:

    systemctl restart openvpnas

    Note

    Restarting the openvpnas service also forces all VPN connections to reconnect.

    Important

    After September 1, 2025, Azure replaced the single root certificate (DigiCert Global Root CA) used by MySQL Flexible Server; servers now chain to one of two roots:

    1. DigiCert Global Root G2

    2. Microsoft RSA Root Certificate Authority 2017

    For more info:

    This means that an existing Access Server that connects to an Azure MySQL Flexible Server over SSL for a Cluster or Pseudo Cluster setup may fail to connect, because its trust store no longer contains the root the server chains to.

    The error is similar to this:

    sqlalchemy.exc.OperationalError: (mariadb.OperationalError) TLS/SSL error: self-signed certificate in certificate chain

    The solution is to install the Azure Flexible MySQL Server certificate bundle file (combined-ca-certificates.pem) as explained in this tutorial. However, the sacli commands do not work while Access Server cannot reach its database, so you must write the setting directly with confdba by running these commands with root privileges in the /usr/local/openvpn_as/scripts/ directory:

    ./confdba -t -mk "mysql.ssl_ca_cert" -v "/etc/ssl/certs/combined-ca-certificates.pem"
    systemctl restart openvpnas
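The following script is an added example that is not part of the original tutorial and is not OpenVPN's own code. It carries the eight-step procedure above through as one run and also covers the recovery case from the Important note: it downloads the three roots with failure checks, converts the DER one to PEM, rebuilds the bundle from scratch (so reruns never duplicate entries), verifies the certificate count, performs a real MySQL STARTTLS handshake against the Flexible Server with only that bundle as trust store, installs the file with root ownership, and then configures Access Server, falling back from sacli to confdba when sacli cannot reach the database. It goes beyond the page in two ways: it sets mysql.ssl_mode to REQUIRED rather than PREFERRED, and it proves the chain verifies before restarting the service. Assumptions: curl, openssl 1.1.1 or newer (for -starttls mysql) and coreutils are installed, Access Server lives under /usr/local/openvpn_as, and the AZURE_MYSQL_HOST variable, the "install" argument and the function names are this script's own.

```shell
#!/bin/sh
# Added example, not code from the original tutorial or from OpenVPN: build the
# combined CA bundle with failure checks, verify it, prove a verified TLS
# handshake against the Flexible Server, install the bundle, and point Access
# Server at it. Assumed: curl, openssl 1.1.1+, coreutils, Access Server under
# /usr/local/openvpn_as; AZURE_MYSQL_HOST and "install" are this script's own.
set -eu

BUNDLE_NAME="combined-ca-certificates.pem"
DEST_DIR="/etc/ssl/certs"
SCRIPTS_DIR="/usr/local/openvpn_as/scripts"

# The three roots named in the tutorial; DigiCert serves PEM, Microsoft DER.
ROOT_CA_URLS="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt"

# True when the file already holds PEM text.
is_pem() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Number of PEM certificates in a file (prints 0 instead of failing on none).
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Download one root and emit it as PEM. -f makes curl fail on an HTTP error, so
# an HTML error page can never end up inside the bundle.
fetch_as_pem() {
  local tmp
  tmp=$(mktemp)
  curl -fsSL "$1" -o "$tmp"
  if is_pem "$tmp"; then
    cat "$tmp"
  else
    openssl x509 -inform der -in "$tmp" -outform pem
  fi
  rm -f "$tmp"
}

# Rebuild the bundle from scratch: truncating first means a rerun never
# accumulates duplicate copies the way repeated '>>' redirections would.
build_bundle() {
  local url
  : > "$1"
  for url in $ROOT_CA_URLS; do
    fetch_as_pem "$url" >> "$1"
  done
}

# Require exactly the expected number of certificates and make sure each one
# parses; -print_certs lists subject/issuer so the operator can eyeball them.
verify_bundle() {
  local n
  n=$(count_certs "$1")
  if [ "$n" -ne "$2" ]; then
    echo "verify_bundle: expected $2 certificates, found $n" >&2
    return 1
  fi
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Run a real MySQL STARTTLS handshake with only this bundle as trust store. A
# failure here predicts the "self-signed certificate in certificate chain"
# error before the service is restarted.
check_handshake() {
  openssl s_client -starttls mysql -connect "$1:3306" -CAfile "$2" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Point Access Server at the bundle and require SSL. sacli needs the database,
# so when the server is already failing to connect (the post-rotation case)
# fall back to confdba for the CA path, exactly as the tutorial does.
configure_access_server() {
  if "$SCRIPTS_DIR/sacli" --key "mysql.ssl_ca_cert" --value "$1" ConfigPut; then
    "$SCRIPTS_DIR/sacli" --key "mysql.ssl_mode" --value "REQUIRED" ConfigPut
  else
    "$SCRIPTS_DIR/confdba" -t -mk "mysql.ssl_ca_cert" -v "$1"
  fi
  systemctl restart openvpnas
}

main() {
  local host work
  host="${AZURE_MYSQL_HOST:?set AZURE_MYSQL_HOST to the Flexible Server FQDN}"
  work=$(mktemp -d)
  build_bundle "$work/$BUNDLE_NAME"
  verify_bundle "$work/$BUNDLE_NAME" 3
  if ! check_handshake "$host" "$work/$BUNDLE_NAME"; then
    echo "TLS verification against $host failed with this bundle; not installing" >&2
    exit 1
  fi
  # Root-owned and world-readable: the service must read it, nothing else may write it.
  install -o root -g root -m 0644 "$work/$BUNDLE_NAME" "$DEST_DIR/$BUNDLE_NAME"
  configure_access_server "$DEST_DIR/$BUNDLE_NAME"
}

# Usage (as root): AZURE_MYSQL_HOST=<server>.mysql.database.azure.com sh build-ca-bundle.sh install
if [ "${1:-}" = "install" ]; then main; fi
```

The handshake probe is the useful part of this script: `openssl s_client -starttls mysql` speaks enough of the MySQL protocol to negotiate TLS, and `-CAfile` restricts trust to the new bundle alone, so a `Verify return code: 0 (ok)` means the driver inside Access Server will verify the same chain. If the probe fails, nothing is installed and the running service is untouched.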