Azure MySQL SSL Authentication Error with Google Looker Studio

Looker Q&A Looker Studio
, , ,
1

Hi everyone,

Problem:

I’m currently facing an authentication issue when trying to connect Google Looker Studio to an Azure MySQL Server that requires SSL.

google looker studio
google looker studio457×624 38.5 KB

failed to authenticate
failed to authenticate898×277 20.6 KB

Microsoft recently announced a CA certificate rotation for Azure Database for MySQL, and I’ve been following their guidance here:
Azure Database for MySQL Flexible Server - Root Certificate Rotation

Steps taken:

  • Download the new DigiCert Global Root G2, and Microsoft RSA Root CA 2017 certs mentioned in the article.

  • Create a new data source with MySQL on Looker Studio

  • Filled out the requested information (Host name, Port, Database, Username and Password)

  • Click on ‘Enable SSL’

  • Uploading just the DigiCert G2 root cert fails to authenticate.

  • Uploading a combined cert file with all three also fails to authenticate.

For my Node.js and PHP applications, I was able to combine the three certs into a single .pem file, and the connection works perfectly.

I have uploaded my combined cert on pastebin combined-ca-certificates.pem

Question:

  • Has anyone else run into this issue with Looker Studio and Azure MySQL?
  • Do I need to structure the combined cert differently, or is Looker Studio not compatible with the new Azure CA setup?

Any help, tips, or confirmation from others who’ve hit this would be greatly appreciated.

Thanks!

1 Like
2

Looker Studio’s MySQL connector doesn’t handle chained root certificates the same way standard MySQL clients do. Even if the DigiCert G2, RSA Root 2017, and Baltimore certs are combined into a single PEM, Looker fails at the SSL handshake.

One practical fix is to run the connection through a proxy or staging layer that can handle the full CA chain. For example, some teams place a lightweight proxy (Cloud SQL Auth Proxy, HAProxy, or similar) between Looker Studio and Azure MySQL.

In our stack, BigQuery scheduled queries flow through Windsor before landing in Snowflake, which avoids connector limitations.

The issue isn’t with Azure’s certs but with Looker Studio’s limited SSL implementation. Handling the handshake upstream is usually the stable path.

3

The issue is fixed! After contacting Microsoft support, the issue was with the combined cert.

Here is the solution that they have provided:

  1. Download the root certs
    Download these three certificates (from the article mentioned):

    • DigiCert Global Root CA

    • DigiCert Global Root G2

    • Microsoft RSA Root CA 2017

  2. Open Azure Cloud Shell (Azure CLI)

    • In the Azure portal, open Cloud Shell.

    • Select Bash, choose your subscription, and click Apply.

  3. Upload the Microsoft RSA Root cert

    • In the terminal window, click Manage filesUpload.

    • Upload Microsoft RSA Root CA 2017.crt (the one you downloaded).

  4. Verify upload

    • Run: ls

    • Confirm the file is present (you’ll need the exact filename).

  5. Prepare the OpenSSL command

    • Open Notepad locally and paste this base command from the article:

      openssl x509 -inform der -in MicrosoftRSARootCertificateAuthority2017.crt -out MicrosoftRSARootCertificateAuthority2017.crt.pem

    • Go back to Cloud Shell, copy the file name exactly as shown by ls (including spaces).

    • Replace the MicrosoftRSARootCertificateAuthority2017.crt part with your exact filename, wrapped in single quotes.

  6. Example of the final command

    openssl x509 -inform der -in 'Microsoft RSA Root Certificate Authority 2017.crt' -out MicrosoftRSARootCertificateAuthority2017.crt.pem

  7. Run the command in Cloud Shell

    • Paste the command into the terminal and press Enter.

  8. Confirm the converted file

    • Run: ls

    • You should see the new .crt.pem file.

  9. Download the converted file

    • Click Manage filesDownload.

    • When prompted for the download path, paste the .crt.pem filename.

    • Click the blue link at the bottom-right to start the download.

  10. Open and edit the downloaded file

    • Open the .crt.pem file.

    • At the end of the file, press Enter to add a new line.

  11. Append DigiCert Global Root G2

    • Open the DigiCert Global Root G2 file you downloaded.

    • Copy all contents and paste them at the new line in the .crt.pem file.

  12. Append DigiCert Global Root CA

    • Open the DigiCert Global Root CA file.

    • Copy all contents and paste them after the previous block (start on a new line).

  13. Save the combined cert

    • Save the file. You can rename the combined cert if you want—ensure there are no spaces in the filename.

Result: The issue is fixed using the new combined cert.

Hope this helps for anyone having the same issue.
(I’ll mark this as the solution.)
Thanks!

4

Hi thanks for all your information.

Do I understand it right, that I cannot use your or any other pre-generated PEM file, but need to build my own?

5

Yeah, you will need to generate your own PEM file for it to work. I will remove my combined cert to avoid the confusion.

6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.