I am in the process of testing connecting to a MySQL server via SSL. I can connect using the CLI mysql client over SSL with no issues. However, when trying to connect through PHP (using the same username/hostname/password/certs), I receive this error message:

```
PHP Warning: PDO::__construct(): SSL operation failed with code 1.
OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /home/username/mysql.php on line 7
PHP Warning: PDO::__construct(): Cannot connect to MySQL by using SSL in /home/username/mysql.php on line 7
PHP Warning: PDO::__construct(): [2002] (trying to connect via tcp://db.server.net:3306) in /home/username/mysql.php on line 7
PHP Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [2002] ' in /home/username/mysql.php:7
```

However, the certs shouldn't be invalid since using them to connect via the command-line client works, right? Is there something going on under the hood in PHP/openssl that could be causing this issue?

This is the script that I'm using for testing (with connection information masked) and everything that I've found on Google/elsewhere has told me that this should work:

```php
<?php

$db = new PDO("mysql:dbname=database_name;host=db.server.net", "user_name", "some_password", [
    PDO::MYSQL_ATTR_SSL_CERT => "/etc/pki/tls/mysql/remote_client-cert.pem",
    PDO::MYSQL_ATTR_SSL_KEY => "/etc/pki/tls/mysql/remote_client-key.pem",
    PDO::MYSQL_ATTR_SSL_CA => "/etc/pki/tls/mysql/remote_ca-cert.pem",
]);
```
Machavity
NeuroXc
  • I'd recommend [this blog](http://www.madirish.net/214) and [SO post](http://stackoverflow.com/questions/3657765/php-to-mysql-ssl-connections) links to check out – zedfoxus Sep 15 '15 at 18:12

1 Answer

Our sysadmin managed to figure out the issue.

It seems that when connecting via the MySQL client, the CA isn't checked, so self-signed certs or (in this case) certs with invalid CA certs can still connect.

PHP, on the other hand, does check the CA when connecting to MySQL through SSL. It turns out that our CA cert file on the client machine didn't have the correct information for our cert, so PHP was unhappy, but the MySQL client was fine.

NeuroXc
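
The CA mismatch described in the answer can be confirmed outside PHP with `openssl verify`. The following is an added example, not part of the original post: it builds constructed throwaway certificates, and the function names (`cert_chains_to_ca`, `make_ca`, `issue_cert`, `diagnose`) and file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: constructed throwaway certificates, not the poster's files.

# Succeeds only if CERT chains to a CA in CAFILE. The output is matched
# rather than the exit status because old OpenSSL releases exit 0 on failure.
cert_chains_to_ca() {   # usage: cert_chains_to_ca CAFILE CERT
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Build a constructed CA (key + self-signed cert) named $2 in directory $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Issue a constructed server certificate $3 signed by CA $2 in directory $1.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.pem" 2>/dev/null
}

# Report, for each CA file given, whether the certificate validates against it.
diagnose() {            # usage: diagnose CERT CAFILE...
    cert=$1; shift
    for ca in "$@"; do
        if cert_chains_to_ca "$ca" "$cert"; then
            echo "$ca: OK"
        else
            echo "$ca: FAIL (not the issuer)"
        fi
    done
}

# Demo: the server cert validates against its issuing CA and fails against
# an unrelated CA file, which is the situation PHP rejected.
demo_dir=$(mktemp -d)
make_ca "$demo_dir" right-ca
make_ca "$demo_dir" wrong-ca
issue_cert "$demo_dir" right-ca server
diagnose "$demo_dir/server.pem" "$demo_dir/right-ca.pem" "$demo_dir/wrong-ca.pem"
rm -rf "$demo_dir"
```

Against a real deployment, pass the server's certificate and the file given to `PDO::MYSQL_ATTR_SSL_CA` to `cert_chains_to_ca`; a FAIL there corresponds to the `certificate verify failed` error PHP reports.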