Tutorial: Set Up an SSL Connection to Azure Flexible MySQL Server
Create an encrypted connection from Access Server to MySQL or Azure Flexible MySQL Servers with the steps shown here.
Overview
With Access Server 2.9.0 and newer, you can make an encrypted connection to MySQL or Azure Flexible MySQL Servers.
You can configure one of three available modes for your database connection:
Disabled: No SSL.
Preferred: Create an SSL connection, but fall back to an insecure connection if SSL isn't supported or can't be established. (This is the default behavior.)
Required: The database connection is dropped if the certificate check fails.
Prerequisites
An installed Access Server using a database server for the configuration files.
Root access to the Access Server console.
Root access to the database server.
Download the Microsoft RSA Root Certificate Authority 2017 Root Certificate:
curl -sS https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt >> MicrosoftRSARootCertificateAuthority2017.crt
Convert the Microsoft RSA Root Certificate Authority 2017 Root Certificate to PEM format:
openssl x509 -inform der -in 'MicrosoftRSARootCertificateAuthority2017.crt' -out MicrosoftRSARootCertificateAuthority2017.crt.pem
Download the DigiCert Global Root CA Root Certificate and add it to the certificate bundle file called combined-ca-certificates.pem:
curl -sS https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem >> combined-ca-certificates.pem
Download the DigiCert Global Root G2 Root Certificate and add it to the certificate bundle file called combined-ca-certificates.pem:
curl -sS https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem >> combined-ca-certificates.pem
Add the Microsoft RSA Root Certificate Authority 2017 Root Certificate (already converted to PEM format) to the certificate bundle file called combined-ca-certificates.pem:
cat MicrosoftRSARootCertificateAuthority2017.crt.pem >> combined-ca-certificates.pem
Move the combined-ca-certificates.pem file to the /etc/ssl/certs/ directory:
mv combined-ca-certificates.pem /etc/ssl/certs/
Configure the certificate bundle for the connection to the database server and define the SSL mode by running these commands with root privileges in the /usr/local/openvpn_as/scripts/ directory:
./sacli --key "mysql.ssl_ca_cert" --value '/etc/ssl/certs/combined-ca-certificates.pem' ConfigPut
./sacli --key "mysql.ssl_mode" --value "PREFERRED" ConfigPut
Restart the Access Server service:
systemctl restart openvpnas
Note
Restarting the openvpnas service also forces all VPN connections to reconnect.
Important
After September 1, 2025, Azure changed the root certificate (DigiCert Global Root CA) used for its current MySQL Flexible Server and now uses two:
DigiCert Global Root G2
Microsoft RSA Root Certificate Authority 2017
For more info:
This means that an existing Access Server connected to an Azure MySQL Flexible Server for Cluster or Pseudo Cluster via SSL might fail to connect.
The error is similar to this:
'sqlalchemy.exc.OperationalError: (mariadb.OperationalError) TLS/SSL error: self-signed certificate in certificate chain
The solution is to upload the Azure Flexible MySQL Server certificate bundle file (combined-ca-certificates.pem) as explained in this tutorial. However, the sacli commands won't work, so you must use these commands with root privileges in the /usr/local/openvpn_as/scripts/ directory:
./confdba -t -mk "mysql.ssl_ca_cert" -v "/etc/ssl/certs/combined-ca-certificates.pem"
systemctl restart openvpnas
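
The bundle in this tutorial is assembled with ">>" appends and curl -sS without a fail flag, so re-running a step duplicates a certificate and an HTTP error page is appended silently. The following is an added example, not part of the original tutorial or of Access Server, that lints the bundle's structure before it is moved or configured. The names check_bundle, sample_block and demo are hypothetical, the default count of 3 matches the three roots appended above, and the check is structural only (it does not validate the certificates).

```shell
# Added example, not part of the original tutorial.
# check_bundle FILE [EXPECTED_COUNT]: structural lint for a PEM CA bundle
# built with ">>" appends. Prints one line per finding; returns 1 if any.
check_bundle() {
    awk -v want="${2:-3}" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        $0 == "-----BEGIN CERTIFICATE-----" {
            if (inblk) { print "BEGIN inside a block at line " NR; bad = 1 }
            inblk = 1; body = ""; next
        }
        $0 == "-----END CERTIFICATE-----" {
            if (!inblk) { print "END without BEGIN at line " NR; bad = 1; next }
            inblk = 0; n++
            if (body == "") { print "empty block ending at line " NR; bad = 1 }
            else if (body in seen) {            # same certificate appended twice
                print "certificate " n " duplicates certificate " seen[body]; bad = 1
            } else seen[body] = n
            next
        }
        inblk {                                 # base64 body lines
            if ($0 !~ "^[A-Za-z0-9+/=]+$") { print "non-base64 text in block at line " NR; bad = 1 }
            body = body $0; next
        }
        /[^ \t]/ { print "text outside a PEM block at line " NR; bad = 1 }
        END {
            if (inblk) { print "unterminated block at end of file"; bad = 1 }
            if (n != want) { print "expected " want " certificates, found " (n + 0); bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample data: placeholder base64 bodies, not real certificates.
sample_block() {
    printf '%s\n' "-----BEGIN CERTIFICATE-----" "$1" "-----END CERTIFICATE-----"
}

# demo: a clean three-block bundle, then the same bundle after an HTML error
# page and a repeated append were added to it.
demo() {
    d=$(mktemp -d) || return 1
    { sample_block QUFBQQ==; sample_block QkJCQg==; sample_block Q0NDQw==; } > "$d/ok.pem"
    { cat "$d/ok.pem"; echo '<html>404 Not Found</html>'; sample_block QUFBQQ==; } > "$d/bad.pem"
    check_bundle "$d/ok.pem" && echo "ok.pem: clean"
    check_bundle "$d/bad.pem" || echo "bad.pem: rejected"
    rm -rf "$d"
}
demo
```

To check the real file, run check_bundle combined-ca-certificates.pem in the directory where the bundle was built, or pass the /etc/ssl/certs/ path after the move.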