Hi everyone,
Problem:
I’m currently facing an authentication issue when trying to connect Google Looker Studio to an Azure MySQL Server that requires SSL.
Microsoft recently announced a CA certificate rotation for Azure Database for MySQL, and I’ve been following their guidance here:
Azure Database for MySQL Flexible Server - Root Certificate Rotation
Steps taken:
-
Download the new DigiCert Global Root G2, and Microsoft RSA Root CA 2017 certs mentioned in the article.
-
Create a new data source with MySQL on Looker Studio
-
Filled out the requested information (Host name, Port, Database, Username and Password)
-
Click on ‘Enable SSL’
-
Uploading just the DigiCert G2 root cert fails to authenticate.
-
Uploading a combined cert file with all three also fails to authenticate.
For my Node.js and PHP applications, I was able to combine the three certs into a single .pem file, and the connection works perfectly.
I have uploaded my combined cert on pastebin combined-ca-certificates.pem
Question:
- Has anyone else run into this issue with Looker Studio and Azure MySQL?
- Do I need to structure the combined cert differently, or is Looker Studio not compatible with the new Azure CA setup?
Any help, tips, or confirmation from others who’ve hit this would be greatly appreciated.
Thanks!
1 Like
Looker Studio’s MySQL connector doesn’t handle chained root certificates the same way standard MySQL clients do. Even if the DigiCert G2, RSA Root 2017, and Baltimore certs are combined into a single PEM, Looker fails at the SSL handshake.
One practical fix is to run the connection through a proxy or staging layer that can handle the full CA chain. For example, some teams place a lightweight proxy (Cloud SQL Auth Proxy, HAProxy, or similar) between Looker Studio and Azure MySQL.
In our stack, BigQuery scheduled queries flow through Windsor before landing in Snowflake, which avoids connector limitations.
The issue isn’t with Azure’s certs but with Looker Studio’s limited SSL implementation. Handling the handshake upstream is usually the stable path.
The issue is fixed! After contacting Microsoft support, the issue was with the combined cert.
Here is the solution that they have provided:
-
Download the root certs
Download these three certificates (from the article mentioned):
-
Open Azure Cloud Shell (Azure CLI)
-
In the Azure portal, open Cloud Shell.
-
Select Bash, choose your subscription, and click Apply.
-
Upload the Microsoft RSA Root cert
-
In the terminal window, click Manage files → Upload.
-
Upload Microsoft RSA Root CA 2017.crt (the one you downloaded).
-
Verify upload
-
Prepare the OpenSSL command
-
Open Notepad locally and paste this base command from the article:
openssl x509 -inform der -in MicrosoftRSARootCertificateAuthority2017.crt -out MicrosoftRSARootCertificateAuthority2017.crt.pem
-
Go back to Cloud Shell, copy the file name exactly as shown by ls (including spaces).
-
Replace the MicrosoftRSARootCertificateAuthority2017.crt part with your exact filename, wrapped in single quotes.
-
Example of the final command
openssl x509 -inform der -in 'Microsoft RSA Root Certificate Authority 2017.crt' -out MicrosoftRSARootCertificateAuthority2017.crt.pem
-
Run the command in Cloud Shell
- Paste the command into the terminal and press Enter.
-
Confirm the converted file
-
Download the converted file
-
Click Manage files → Download.
-
When prompted for the download path, paste the .crt.pem filename.
-
Click the blue link at the bottom-right to start the download.
-
Open and edit the downloaded file
-
Append DigiCert Global Root G2
-
Append DigiCert Global Root CA
-
Save the combined cert
- Save the file. You can rename the combined cert if you want—ensure there are no spaces in the filename.
Result: The issue is fixed using the new combined cert.
Hope this helps for anyone having the same issue.
(I’ll mark this as the solution.)
Thanks!
