The problem in more detail is that when the server hostname is listed as
a SubjectAltName ("SAN") in the certificate, validation fails.
Validation only succeeds if the server hostname is in the CN of the
certificate.

This seems likely to be a bug in the underlying mariadb library. I was
unable to find an exact bug report for this, but I did find two similar
ones:

Bug for mysql, not mariadb:
https://bugs.mysql.com/bug.php?id=68052

Supposedly fixed in mariadb 10.1.23, but I am seeing problems in 10.1.29:
https://jira.mariadb.org/browse/MDEV-10594

I was able to reproduce the problem with the command-line mysql client
as provided by mariadb-client-core-10.1:

$ mysql exampledb -h example.com --ssl-verify-server-cert=true --ssl \
--ssl-ca /tmp/ca_cert.pem
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure


This problem goes away when I upgrade to mariadb-client-core-10.3 from
experimental. Unfortunately, I was unable to do that for
libdbd-mysql-perl, since that requires libmariadbclient18, which is
apparently not provided for mariadb 10.3 in experimental.


$ ldd /usr/lib/x86_64-linux-gnu/perl5/5.26/auto/DBD/mysql/mysql.so
        linux-vdso.so.1 (0x00007ffd9e9f7000)
        libmariadbclient.so.18 => /usr/lib/x86_64-linux-gnu/libmariadbclient.so.18 (0x00007f6bb6452000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6bb6431000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f6bb6213000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6bb607f000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6bb607a000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6bb5ebd000)
        libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f6bb5d38000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f6bb6c7b000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f6bb5d1e000)


Thanks,
Corey
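
The following is an added example, not code from the report above and not
from MariaDB, libdbd-mysql-perl or their maintainers. It reproduces the two
behaviours the report contrasts with a constructed in-memory PKI: a CA plus
two leaf certificates for the same host, one naming the host only in the
Subject CN and one naming it only in a dNSName SubjectAltName. VerifyModern
does what a correct client does (chain validation, then RFC 6125 hostname
matching against the SAN; Go's crypto/x509 ignores the CN for this, assumed
Go 1.17 or later), and VerifyCNOnly mimics the buggy behaviour described
above, where only the CN is compared. The host name, CA name and serial
numbers are arbitrary test values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertSet is a constructed test PKI generated in memory: one CA and two leaf
// certificates for the same host, one with the host only in the Subject CN and
// one with the host only in a SubjectAltName dNSName entry.
type CertSet struct {
	CA      *x509.Certificate
	CNOnly  *x509.Certificate
	SANOnly *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates and parses a certificate from tmpl; a nil parent self-signs.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildCerts generates the constructed test PKI for host.
func BuildCerts(host string) CertSet {
	now := time.Now()
	caKey := mustKey()
	ca := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"}, // arbitrary
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, &caKey.PublicKey, caKey)

	leaf := func(serial int64, cn string, sans []string) *x509.Certificate {
		k := mustKey()
		return sign(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			DNSNames:     sans, // becomes the SubjectAltName dNSName entries
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, &k.PublicKey, caKey)
	}
	return CertSet{
		CA:      ca,
		CNOnly:  leaf(2, host, nil),                   // hostname only in CN
		SANOnly: leaf(3, "db server", []string{host}), // hostname only in SAN
	}
}

// VerifyModern: chain validation plus hostname matching against the SAN, as a
// correct client does. A certificate naming the host only in its CN fails here.
func VerifyModern(cs CertSet, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(cs.CA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// VerifyCNOnly mimics the behaviour described in the report: the chain is
// validated, then the hostname is compared against the Subject CN alone, so a
// certificate whose hostname lives only in a SAN is rejected.
func VerifyCNOnly(cs CertSet, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(cs.CA)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return err
	}
	if !strings.EqualFold(leaf.Subject.CommonName, host) {
		return fmt.Errorf("SSL certificate validation failure: host %q != CN %q", host, leaf.Subject.CommonName)
	}
	return nil
}

func main() {
	cs := BuildCerts("example.com")
	fmt.Println("CN-only cert, modern check: ", VerifyModern(cs, cs.CNOnly, "example.com"))
	fmt.Println("CN-only cert, CN-only check:", VerifyCNOnly(cs, cs.CNOnly, "example.com"))
	fmt.Println("SAN-only cert, modern check: ", VerifyModern(cs, cs.SANOnly, "example.com"))
	fmt.Println("SAN-only cert, CN-only check:", VerifyCNOnly(cs, cs.SANOnly, "example.com"))
}
```

Running it shows the two checks disagreeing on both certificates: the
CN-only certificate passes the CN-only check but fails the modern one, and
the SAN-only certificate passes the modern check but fails the CN-only one,
which is the failure mode a SAN-only server certificate triggers against a
CN-only client. To see which case a real server certificate falls into,
`openssl x509 -in server.pem -noout -text` prints both the Subject and any
"X509v3 Subject Alternative Name" entries.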
