[#MDEV-13102] “SSL certificate validation failure” when verifying wildcard server certificate

I've been trying to move from using a self-signed certificate to using a wildcard certificate from a well-known CA to reduce maintenance overhead and improve security. The certificate has already been in use for months on test servers. The setup is working well enough that I can do the following (domain name anonymised):

mysql --host=host.example-dot-com-equivalent-for.co.uk --user=query_user --password --ssl

$ mysql --host=host.example-dot-com-equivalent-for.co.uk --user=query_user --password --ssl --ssl-verify-server-cert

ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_SSL=yes

mysql_real_connect: info: Connecting

mysql_real_connect: info: net->vio: 0x0  protocol: 0

mysql_real_connect: info: Server name: 'host.example-dot-com-equivalent-for.co.uk'.  TCP sock: 3306

mysql_real_connect: info: IP 'client'

mysql_real_connect: info: IPV6 getaddrinfo host.example-dot-com-equivalent-for.co.uk

mysql_real_connect: info: Try connect on all addresses for host.

mysql_real_connect: info: Create socket, family: 2  type: 1  proto: 6

mysql_real_connect: info: Connect socket

mysql_real_connect: info: End of connect attempts, sock: 4  status: 0  error: 0

mysql_real_connect: info: net->vio: 0x263c540

mysql_real_connect: info: Read first packet.

mysql_real_connect: info: mysql protocol version 10, server=10

get_charsets_dir: info: charsets dir: '/usr/local/mysql/share/charsets/'

my_stat: error: Got errno: 2 from stat

run_plugin_auth: info: using plugin mysql_native_password

native_password_auth_client: info: no password

native_password_auth_client: info: IO layer change in progress...

ssl_do: info: ssl: 0x2823e50 timeout: 0

ssl_do: info: SSL connection succeeded

ssl_do: info: Using cipher: 'AES256-GCM-SHA384'

ssl_do: info: Peer certificate:

ssl_do: info: 	 subject: '/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.example-dot-com-equivalent-for.co.uk'

ssl_do: info: 	 issuer: '/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2'

ssl_do: info: no shared ciphers!

native_password_auth_client: info: IO layer change done!

ssl_verify_server_cert: info: Server hostname in cert: *.example-dot-com-equivalent-for.co.uk

run_plugin_auth: info: authenticate_user returned CR_ERROR

run_plugin_auth: info: res=0

mysql_real_connect: error: message: 2026/HY000 (SSL connection error: SSL certificate validation failure)

end_server: info: Net:

main: info: Shutting down: infoflag: 3  print_info: 1

The certificate is valid for the given hostname and is not expired, as verified by `openssl s_client -connect host.example-dot-com-equivalent-for.co.uk:443 -verify_return_error < /dev/null`. The "X509v3 Subject Alternative Name" field contains "DNS:*.example-dot-com-equivalent-for.co.uk, DNS:example-dot-com-equivalent-for.co.uk"

The whole certificate chain is in the file pointed to by the server's `ssl-cert` configuration, as recommended elsewhere. "USERTrust RSA Certification Authority" is in the client's /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/tls/certs/ca-bundle.trust.crt. I tried adding `--ssl-ca=/etc/pki/tls/certs/ca-bundle.crt` to the command, but that didn't change anything.

The question ends up being: *Do MySQL/MariaDB clients support wildcard certificates? If they do, is something wrong with my connection?*

[MDEV-13102] “SSL certificate validation failure” when verifying wildcard server certificate Created: 2017-06-15 Updated: 2017-06-15 Resolved: 2017-06-15
Status:	Closed
Project:	MariaDB Server
Component/s:	SSL
Affects Version/s:	5.5.52
Fix Version/s:	10.1.23

[MDEV-13102] “SSL certificate validation failure” when verifying wildcard server certificate Created: 2017-06-15 Updated: 2017-06-15 Resolved: 2017-06-15