MySQL+SSL: "Error: unable to get local issuer certificate"

We are trying to connect to a PlanetScale MySQL database over SSL. They use SSL certificates that are signed by commonly available root certificates, so we should be able to verify the certificates without needing to trust them. We want to avoid trusting self-signed certificates since that opens up a man-in-the-middle attack vulnerability. However, when we attempt to connect with SSL enabled, we get this error: "Error: unable to get local issuer certificate"

Is Retool providing a certificate bundle? How can we connect over SSL using the OS-provided root certificates to guarantee trust?


In case it's helpful, PlanetScale's connection docs are here: Connecting to PlanetScale securely - Documentation - PlanetScale

(It's pretty standard MySQL+SSL configuration.)

Hi @ptr :wave: thanks for reaching out with this!

After looking into this more, I've been able to successfully connect to my own PlanetScale database instance by checking the Allow self-signed certificates option (not the Use a self-signed certificate option) on the resource setup page; my working configuration looks like this:

Just to further confirm: would this particular approach suit your use case? Or are there strict security policies within your environment that would prohibit you from enabling this setting in particular?

Unfortunately, no. As I understand, this disables certificate chain checking. In order to connect Retool to our production database, we need to verify the certificate chain. With our other tools, we're either able to specify the cacert path or it's configured by default. It seems Retool doesn't provide any root certificates to its MySQL client so we have no way of verifying validity.

For example, from the command line, this is the type of configuration we'd need. This seems like basic security Retool could offer using the certificate bundle that ships on whatever app server platform you're using, I'd hope. :pray:

mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=/etc/ssl/certs/ca-certificates.crt

Hi, I'm currently investigating if we can start using retool and not being able to establish a secure connection between our PlanetScale database and Retool would be a blocker.

Are there any updates on this? @luke-phillippi do you know if what Ptr suggested in his last post is something that's on the roadmap?

Hi there,
Just checking if theres any update on this one?

I notice the 'allow self-signed certificates' option isn't even visible any more so there is no workaround here.

Many thanks,

Hey @yka! Happy to help here. Are you running into any specific errors? Would you mind sharing a screenshot of your current resource setup page (feel free to redact any secrets)? Thank you!

Hi @victoria , thanks for the response :slight_smile:

I'm getting an 'unagle to get local issuer certificate error, even though when i connected locally using TablePlus it works fine.

The solution above suggested selecting 'Use a self-signed certificate', but I don't see that option.

You can see Retool's docs here: Connect any application to PlanetScale — PlanetScale Documentation

Thanks, Y

Of course!

Hmm, quick question! It looks like you have “Connect using SSL” but you didn’t provide any certificates (certs). Do you see the same error if you uncheck that SSL box?