![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 92%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Azure Database for MySQL
An Azure managed MySQL database service for app development and deployment.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Thank you for reaching out to Microsoft QA.
We understand you're experiencing difficulties connecting your OpenVPN Access Server on Ubuntu to your Azure MySQL Flexible Server following the recent certificate rotation. The error you're encountering — ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed — typically points to an issue with the SSL/TLS configuration, particularly around certificate verification paths.
This issue is common after Azure MySQL Flexible Server certificate rotations, which now require three certificates during the transition period:
- DigiCert Global Root CA (SHA-1) – still in use until full rotation.
- DigiCert Global Root G2 (SHA-256)
- Microsoft RSA Root Certificate Authority 2017
If your CA bundle only includes the two new certificates, it will fail until the full rotation completes.
Kindly refer the below official document to mitigate the issue -
https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-root-certificate-rotation
https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-connect-tls-ssl
Thanks,
Vrishabh