
I am attempting to create a connection to my database that I have set up with SSL. It is saying "Cannot make a connection to the database" 

The error in the apache log is as follows:

[Sun Aug 03 02:27:59.418655 2025] [php:notice] [pid 176919] [client 71.244.230.195:62660] Database Connection Failed: SQLSTATE[HY000] [2006] MySQL server has gone away

The error in the mysql log is as follows:

2025-08-03  2:27:59 8 [Warning] Aborted connection 8 to db: 'unconnected' user: 'unauthenticated' host: 'web2.dataguy2020.com' (This connection closed normally without authentication)

I have created a .env file that has information as follows:

#APP
APP_NAME=MyApp
APP_ENV=dev
COMMUNITY_NAME="Community Name"
CONTACT_EMAIL="[email protected]"
CONTACT_PHONE="555-555-5555"

#Database
DB_HOST="domain.to.sqlhost.com"
DB_PORT=3306
DB_NAME="databseName"
DB_USER="username"
DB_PASS="password"

#Database Connection Certs
DB_CA="/path/to/cacert.pem"
DB_CERT="/path/to/cert.pem"
DB_CERT_KEY="/path/to/key.pem"

My classes/Database class is as follows:

<?php
require __DIR__ . "/../vendor/autoload.php";
use Dotenv\Dotenv;
class Database {
    private PDO $pdo;
    public function __construct() {
        $parentDirectory = dirname(__DIR__);
        $dotenv = Dotenv::createImmutable($parentDirectory, '.env');
        $dotenv->load();

//      echo "<pre>"; // Use <pre> for formatted output in a browser
//foreach ($_ENV as $key => $value) {
//    echo "$key = $value\n";
//}
//echo "</pre>";


        $dbHost = $_ENV['DB_HOST'];
        $dbName = $_ENV['DB_NAME'];
        $dbUser = $_ENV['DB_USER'];
        $dbPass = $_ENV['DB_PASS'];
        $dbca = $_ENV['DB_CA'];
        $dbcert = $_ENV['DB_CERT'];
        $dbkey = $_ENV['DB_CERT_KEY'];
        $dsn = "mysql:host=$dbHost;dbname=$dbName;charset=utf8mb4";

        $options = [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            PDO::ATTR_EMULATE_PREPARES   => false,

            // SSL/TLS options
            PDO::MYSQL_ATTR_SSL_CA       => $dbca, // Path to CA certificate
            PDO::MYSQL_ATTR_SSL_CERT     => $dbcert, // Path to client certificate (if required)
            PDO::MYSQL_ATTR_SSL_KEY      => $dbkey, // Path to client key (if required)
            PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false // false disables verification of the server's certificate
        ];

        try {
            $this->pdo = new PDO($dsn, $dbUser, $dbPass, $options);
            //$this->pdo = new PDO($dsn, $this->username, $this->password, $options);
            $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $this->pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
        }
        catch(PDOException $e) {
            //Handle connection errors
            error_log("Database Connection Failed: " . $e->getMessage());
            die("Could not connect to the database.");
        } //end of catch

    } //end of function
    public function getConnection(): PDO {
        return $this->pdo;
    }
} //end of class

At the bottom of my index.php I have the following as I am using this as a test

<?php
    include_once ('classes/Database.php');
    $db = new Database();
    $pdo = $db->getConnection();
    if ($pdo) {
        echo "Database Connection was successful";
    } else {
        echo "Database Connection has failed";
    }
?>

What shows up in the browser is "Database Connection has failed"

In /etc/mysql/mariadb.conf.d I have configured both the server and the client. They are both using the same certificates, as they are connecting from the same server for now. I am looking at expanding the number of database hosts.

The 50-client.conf has the following information

[client]
# Example of client certificate usage
ssl-cert = /path/to/cacert.pem
ssl-key  = /path/to/key.pem
ssl_cert = /path/to/cert.pem
ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
tls_version = TLSv1.2

The 50-server.conf contains the following information

ssl_ca = /etc/mysql/ssl/chain.pem
ssl_cert = /etc/mysql/ssl/cert.pem
ssl_key = /etc/mysql/ssl/privkey.pem
require-secure-transport = on


#ssl_cipher="DHE-RSA-AES128-GCM-SHA256:AES128-SHA"
ssl_cipher="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"
tls_version = TLSv1.2,TLSv1.3

When I attempt to run the following command, I get the following error:

 mysql -h localhost -u #username --ssl-cert=/path/to/cert.pem --ssl-key=/path/to/key.pem --ssl-ca=/path/to/cacert.pem
ERROR 2026 (HY000): TLS/SSL error: tlsv1 alert unknown ca

 

Another key thing to know is that I created these certs with certbot. I am not sure if that is the cause of these errors or not. I am doing the following:

ssl_cert = cert.pem that is generated

ssl_ca = fullchain.pem that is generated

ssl_key = privkey.pem that is generated

Any assistance would be great!

 


Right, so the error is telling you that the CA is untrusted. Aside from that, you should not be using the same cert for the client and the server. You need to generate a client cert for the client, and the CNs for each cert should be different.

The MySQL manual has a walkthrough of the process: https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html
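
The certificate layout the reply describes, as an added example that is not part of the original thread: a private CA signs one server and one client certificate with different CNs, and `openssl verify` checks each against that CA. The file names, CN values, lifetimes and the `make_mysql_certs` / `check_chain` helpers are assumptions for illustration.

```shell
# Added example, not from the thread. File names, CNs and lifetimes are assumptions.
# Result maps to: server ssl_ca/ssl_cert/ssl_key = ca.pem, server-cert.pem,
# server-key.pem; PHP DB_CA/DB_CERT/DB_CERT_KEY = ca.pem, client-cert.pem, client-key.pem.

make_mysql_certs() {    # usage: make_mysql_certs DIR SERVER_CN CLIENT_CN
    dir=$1; server_cn=$2; client_cn=$3; ca_cn="Example MySQL CA"
    # The CA, server and client certificates must each carry a different CN.
    if [ "$server_cn" = "$client_cn" ] || [ "$server_cn" = "$ca_cn" ] ||
       [ "$client_cn" = "$ca_cn" ]; then
        echo "CA, server and client CNs must all differ" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077    # keys are created readable by the owner only
        # Minimal request config; [dn] is ignored because -subj is always given.
        printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
            '[dn]' 'CN = unused' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
            > req.cnf
        # 1. Self-signed private CA.
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config req.cnf \
            -subj "/CN=$ca_cn" -keyout ca-key.pem -out ca.pem || exit 1
        # 2. One key and CA-signed certificate per role.
        for role in server client; do
            if [ "$role" = server ]; then cn=$server_cn; else cn=$client_cn; fi
            openssl req -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=$cn" \
                -keyout "$role-key.pem" -out "$role-req.pem" || exit 1
            openssl x509 -req -in "$role-req.pem" -days 365 -CA ca.pem \
                -CAkey ca-key.pem -CAcreateserial -out "$role-cert.pem" || exit 1
        done
    )
}

# Succeeds only when CERT chains to CA_FILE; a failure here is the situation
# in which a TLS peer rejects the certificate with "unknown ca".
check_chain() {    # usage: check_chain CA_FILE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```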
