MySQL TLS/SSL error: self-signed certificate in certificate chain #6202

Closed
opened 2026-03-07 20:54:13 -06:00 by GiteaMirror · 2 comments

Originally created by @adminpass on GitHub (Mar 6, 2026).

Prerequisites

Vaultwarden Support String

export DATABASE_URL=mysql://root:pass@10.0.1.11:3306/vaultwarden
export DATABASE_MIN_CONNS=2
export DATABASE_MAX_CONNS=5

and DATABASE_URL=mysql://root:pass@10.0.1.11:3306/vaultwarden?ssl_mode=DISABLED

[2026-03-06 10:00:05.237][vaultwarden::util][WARN] Can't connect to database, retrying: DieselCon.
[CAUSE] BadConnection(
"TLS/SSL error: self-signed certificate in certificate chain",
)

Vaultwarden Build Version

v1.35.4

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx

Host/Server Operating System

Linux

Operating System Version

alpine 3.24

Clients

Web Vault

Client Version

No response

Steps To Reproduce

Expected Result

mysql TLS/SSL error

Actual Result

mysql TLS/SSL error

Logs

[2026-03-06 10:00:05.237][vaultwarden::util][WARN] Can't connect to database, retrying: DieselCon.
[CAUSE] BadConnection(
    "TLS/SSL error: self-signed certificate in certificate chain",
)

Screenshots or Videos

No response

Additional Context

No response

GiteaMirror added the bug label 2026-03-07 20:54:13 -06:00

@stefan0xC commented on GitHub (Mar 6, 2026):

Not a bug, but you are missing some configuration. Cf. https://docs.diesel.rs/main/diesel/mysql/struct.MysqlConnection.html#method.establish (and the linked mysql docs) for more information on how to configure an encrypted mysql connection.


@adminpass commented on GitHub (Mar 6, 2026):

I found the reason!

Alpine 3.22 -> mariadb-connector-c-3.3.10-r0

Alpine 3.23+ -> mariadb-connector-c-3.4.6-r0

1. Behavior in Version 3.3.x (Old)

  • Default Logic: If the connection string did not explicitly request SSL, or if ssl_mode=DISABLED was set, the connector would completely bypass SSL, establishing a plain text connection immediately.
  • Forgiveness: It was highly tolerant. Even if the server supported SSL, the client would not attempt a handshake unless explicitly forced, preventing certificate validation errors in self-hosted environments without valid CA certificates.

2. Behavior in Version 3.4.x (New - Alpine 3.24)

  • Default Logic Change: To enforce security, version 3.4+ changed the implicit default behavior. Even if you specify ssl_mode=DISABLED in the URL, the underlying C library (especially when called via Rust bindings like mysql_async) may ignore this flag or prioritize a PREFERRED state.
  • The Consequence:
    • The client attempts to initiate an SSL/TLS handshake automatically.
    • Since your self-hosted MariaDB likely uses a self-signed certificate or no certificate at all, the handshake fails because the client cannot verify the server's identity.
    • Result: You see errors like:
      • error: "Peer certificate cannot be authenticated with given CA certificates"
      • error: "TLS/SSL connection required but not configured"
      • error: "SSL connection error: unknown error number"
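An added example (not from this thread, Vaultwarden, or Diesel) that ties the two comments above together: a small check that parses a DATABASE_URL in the shape used in this issue and reports what its ssl_mode actually buys you, so that the fix is to trust the self-signed CA rather than to disable TLS. Only DISABLED and PREFERRED appear in the thread; the other modes and the ssl_ca parameter are assumed from the MySQL/MariaDB client options the linked Diesel docs refer to, and the sample URLs use placeholder credentials.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs in the shape used in this issue (placeholder credentials).
SAMPLE_URLS = [
    "mysql://root:pass@10.0.1.11:3306/vaultwarden",
    "mysql://root:pass@10.0.1.11:3306/vaultwarden?ssl_mode=DISABLED",
    "mysql://root:pass@10.0.1.11:3306/vaultwarden?ssl_mode=REQUIRED",
    "mysql://root:pass@10.0.1.11:3306/vaultwarden?ssl_mode=VERIFY_CA&ssl_ca=/etc/ssl/mariadb-ca.pem",
]

# ssl_mode values as documented for the MySQL/MariaDB clients (assumed; only
# DISABLED and PREFERRED are mentioned in the issue itself).
MODES = {
    "DISABLED":        ("plaintext",     "credentials and vault data cross the wire unencrypted"),
    "PREFERRED":       ("opportunistic", "may fall back to plaintext; server not authenticated"),
    "REQUIRED":        ("encrypted",     "encrypted, but the server certificate is not verified"),
    "VERIFY_CA":       ("verified",      "encrypted and chained to the CA given in ssl_ca"),
    "VERIFY_IDENTITY": ("verified",      "as VERIFY_CA, plus a hostname check"),
}


def tls_posture(database_url: str) -> dict:
    """Return the effective TLS posture implied by a mysql:// DATABASE_URL."""
    parts = urlsplit(database_url)
    if parts.scheme != "mysql":
        raise ValueError(f"not a mysql:// URL: {parts.scheme!r}")
    query = parse_qs(parts.query)
    raw_mode = query.get("ssl_mode", [None])[0]
    # No ssl_mode means the client library decides; as this issue shows, that
    # default changed between mariadb-connector-c 3.3.x and 3.4.x.
    mode = raw_mode.upper() if raw_mode else "UNSET"   # normalised only for this check
    ca = query.get("ssl_ca", [None])[0]
    level, note = MODES.get(mode, ("unknown", "client default / unrecognised ssl_mode"))
    findings = []
    if level in ("plaintext", "opportunistic", "unknown"):
        findings.append("password and data may be sent in clear text")
    if mode in ("VERIFY_CA", "VERIFY_IDENTITY") and not ca:
        findings.append("verification requested but no ssl_ca given; a self-signed chain is rejected")
    if mode == "REQUIRED":
        findings.append("no CA pinned; prefer VERIFY_CA with the self-signed CA path in ssl_ca")
    return {"host": parts.hostname, "mode": mode, "level": level,
            "note": note, "ca": ca, "findings": findings}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        p = tls_posture(url)
        print(f"{p['host']} ssl_mode={p['mode']:<16} {p['level']:<13} {p['note']}")
        for f in p["findings"]:
            print("   !", f)
```

Running it against the four sample URLs flags the first three and reports the VERIFY_CA one as verified with no findings.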
Reference: github-starred/vaultwarden#6202