Debezium Connection Issues with MySQL SSL Enabled

Sid 40 Reputation points
2025-02-04T04:52:59.53+00:00

The Debezium connector works well with SSL disabled, following the guide here. However, upon enabling SSL with the following configuration:

      "database.ssl": "true",
      "database.ssl.mode": "required",
      "driver.encrypt": "true",
      "driver.trustServerCertificate": "true"

An error occurs:

2025-02-03 21:48:10 com.mysql.cj.jdbc.exceptions.CommunicationsException: Communications link failure
2025-02-03 21:48:10 The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
2025-02-03 21:48:10 at com.mysql.cj.jdbc.exceptions.SQLError.createCommunicationsException(SQLError.java:174)
2025-02-03 21:48:10 at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:64)
2025-02-03 21:48:10 at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:815)
2025-02-03 21:48:10 ...
2025-02-03 21:48:10 Caused by: java.security.cert.SSLHandshakeException: Certificates do not conform to algorithm constraints
2025-02-03 21:48:10 at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
2025-02-03 21:48:10 ...

The detailed error indicates:

Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA

Are there any additional steps that might be needed to resolve this issue?

Azure Database for MySQL

Accepted answer
  1. Mahesh Kurva 2,670 Reputation points Microsoft Vendor
    2025-02-05T04:05:15.21+00:00

    Hi @Sid,

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

    Issue:

    The Debezium connector works well with SSL disabled, following the guide here. However, upon enabling SSL with the following configuration:

          "database.ssl": "true",
          "database.ssl.mode": "required",
          "driver.encrypt": "true",
          "driver.trustServerCertificate": "true"
    

    The detailed error indicates:

    Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA

    Are there any additional steps that might be needed to resolve this issue?

    Solution:

    I fixed this issue by adding these two lines in my Dockerfile. It replaces SHA1 from disabledAlgorithms in two files.

    RUN sed -i 's/, SHA1//' /etc/crypto-policies/back-ends/java.config
    RUN JAVA_SECURITY_PATH=$(find /etc/java -name "java.security" 2>/dev/null) && \
        sed -i 's/\(jdk.certpath.disabledAlgorithms=.*\), SHA1/\1/' "$JAVA_SECURITY_PATH"
    

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.


    Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members


1 additional answer

  1. Sid 40 Reputation points
    2025-02-04T18:56:24.56+00:00

    I fixed this issue by adding these two lines in my Dockerfile. It replaces SHA1 from disabledAlgorithms in two files.

    RUN sed -i 's/, SHA1//' /etc/crypto-policies/back-ends/java.config
    
    RUN JAVA_SECURITY_PATH=$(find /etc/java -name "java.security" 2>/dev/null) && \
        sed -i 's/\(jdk.certpath.disabledAlgorithms=.*\), SHA1/\1/' "$JAVA_SECURITY_PATH"
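
An added example (not part of either answer, and not Debezium or JDK code): `sed` exits 0 even when its expression matches nothing, so the image build cannot tell whether the edit above took effect. The script reads the effective `jdk.certpath.disabledAlgorithms` value, joining backslash-continued lines, and reports whether SHA1 is still listed; the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: names and sample files below are constructed for illustration.

# Print the effective value of one property from a java.security-style file,
# joining backslash-continued lines. The last definition in the file wins.
prop_value() {  # usage: prop_value <property> <file>
    awk -v key="$1" '
        cont {                               # continuation of the wanted property
            line = $0
            sub(/^[ \t]+/, "", line)
            cont = sub(/\\$/, "", line)      # 1 if this line is continued too
            val = val line
            next
        }
        index($0, key "=") == 1 {            # property defined at start of line
            line = substr($0, length(key) + 2)
            cont = sub(/\\$/, "", line)
            val = line
        }
        END { print val }
    ' "$2"
}

# Exit 0 if SHA1 is an entry of the list ("SHA1" or "SHA1 <constraint>"), else 1.
sha1_listed() {  # usage: sha1_listed <property> <file>
    prop_value "$1" "$2" | tr ',' '\n' |
        grep -Eq '^[[:space:]]*SHA1([[:space:]]|$)'
}

# Same expression as the answer's second sed, without -i so BSD sed runs it too.
apply_page_sed() {  # usage: apply_page_sed <file>
    sed 's/\(jdk.certpath.disabledAlgorithms=.*\), SHA1/\1/' "$1" > "$1.new" &&
        mv "$1.new" "$1"
}

demo_dir=$(mktemp -d)
# Constructed input 1: SHA1 on the same line as the property name.
printf '%s\n' 'jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1' > "$demo_dir/one-line"
# Constructed input 2: SHA1 on a continuation line, out of reach of a per-line sed.
printf '%s\n' 'jdk.certpath.disabledAlgorithms=MD2, MD5, \' '    SHA1' > "$demo_dir/continued"

for f in "$demo_dir/one-line" "$demo_dir/continued"; do
    apply_page_sed "$f"
    if sha1_listed jdk.certpath.disabledAlgorithms "$f"; then
        echo "$f: SHA1 still listed (the edit had no effect)"
    else
        echo "$f: SHA1 no longer listed"
    fi
done
```

The same `sha1_listed` call can be pointed at the real files in an image to record whether SHA1 is still rejected for certificate path validation.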
    
