MySQL – Can’t connect to mysql via command line, self signed certificate in certificate chain

mariadb, MySQL, ubuntu-18.04

I have MariaDB set up on my Ubuntu 18.04 LTS system.

I had a backup script working without a problem, but somewhere in updates it stopped working, but I didn't notice at first, because who watches backups when they've worked reliably for ages.

But now I've noticed that backups have stopped working, and when I try to emulate the start of the backup command I get the error:

ERROR 2026 (HY000): SSL connection error: self signed certificate in certificate chain

Using the command I've used without problem previously suddenly gives an error.

$ mysql -u root -p################################ -N -e 'show databases'
ERROR 2026 (HY000): SSL connection error: self signed certificate in certificate chain

Even if I do a simple login I get the same error:

$ mysql -u root -p
Enter password:
ERROR 2026 (HY000): SSL connection error: self signed certificate in certificate chain

A few months ago I didn't have any issues with running mysql on the server via command line. Somewhere updates must have changed this, but I don't know what changed it.

I really can't execute any meaningful command with mysql without it balking about the certificate chain.

My version:

$ mysql -V
mysql  Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

When I connect from my work machine to the server with the certificate that's installed I have no issues connecting to the database. So the certificate works for the mysql server. It seems to be a pure command line mysql issue.

I've updated everything in apt-get and apt, there are 0 updates available.

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-88-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Mar  3 16:20:40 GMT 2020

  System load:  0.89             Processes:           209
  Usage of /:   5.5% of 3.58TB   Users logged in:     0
  Memory usage: 12%              IP address for eth0: ###.###.###.###
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.

The /etc/mysql/my.cnf

# MariaDB-specific config file.
# Read by /etc/mysql/my.cnf

[client]
# Default is Latin1, if you need UTF-8 set this (also in server section)
#default-character-set = utf8
#ojiaergoijboij = halksjd
#nduks =- ksjdfljsd

[mysql]
ssl-ca=/etc/mysql/ssl/ca.pem
#ssl-cert=/etc/mysql/ssl/client-cert.pem
#ssl-key=/etc/mysql/ssl/client-key.pem


[mysqld]
#
# * Character sets
#
# Default is Latin1, if you need UTF-8 set all this (also in client section)
#
#character-set-server  = utf8
#collation-server      = utf8_general_ci
#character_set_server   = utf8
#collation_server       = utf8_general_ci
# Import all .cnf files from configuration directory
!includedir /etc/mysql/mariadb.conf.d/
innodb_flush_log_at_trx_commit=2
innodb_file_per_table=1
innodb_buffer_pool_size=8G
thread_cache_size=10
skip-name-resolve
#query_cache_type=1
#query_cache_limit=256k
#query_cache_min_res_unit=2k
#query_cache_size=80M
tmp_table_size=256M
max_heap_table_size=256M
query_cache_size=0
query_cache_type=0

ssl
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem

When I verify the certificates they come out ok.

openssl verify -CAfile /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/server-cert.pem /etc/mysql/ssl/client-cert.pem
/etc/mysql/ssl/server-cert.pem: OK
/etc/mysql/ssl/client-cert.pem: OK

You have new mail in /var/mail/root

Is this something that I can solve with a mysql flag? Or is this something I need to solve in the OpenSSL settings?

I've tried googling, but the closest to the symptoms I could find was a question from 2012.

Best Answer

In the end, it was the most common of errors possible.
Human, more specifically me.

Previously, I had commented out the client certificates in the my.cnf but somehow neglected to comment out the root certificate.

[mysql]
ssl-ca=/etc/mysql/ssl/ca.pem
#ssl-cert=/etc/mysql/ssl/client-cert.pem
#ssl-key=/etc/mysql/ssl/client-key.pem

This triggered the error.

ERROR 2026 (HY000): SSL connection error: self signed certificate in certificate chain

By commenting out the root certificate the problem was resolved. Perhaps previous versions of mariadb were more forgiving.

[mysql]
#ssl-ca=/etc/mysql/ssl/ca.pem
#ssl-cert=/etc/mysql/ssl/client-cert.pem
#ssl-key=/etc/mysql/ssl/client-key.pem
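The my.cnf in the question points the `[mysql]` client at `ca.pem`, while `[mysqld]` and the `openssl verify` run use `ca-cert.pem`. The following is an added example, not part of the original question or answer, that parses an option file and flags that kind of mismatch, as well as a client left with no `ssl-ca` at all. The function names and the group lists are assumptions of this example.

```python
# Constructed sample: the TLS-relevant lines of the my.cnf quoted in the question.
SAMPLE_MY_CNF = """\
[mysql]
ssl-ca=/etc/mysql/ssl/ca.pem

[mysqld]
!includedir /etc/mysql/mariadb.conf.d/
ssl
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
"""

# Assumption: only these groups are consulted; later groups override earlier ones.
CLIENT_GROUPS = ("client", "mysql")
SERVER_GROUPS = ("mysqld",)

def parse_option_file(text):
    """Return {group: {option: value}}; a bare flag such as `ssl` maps to True."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":  # blank, comment, or !include directive
            continue
        if line.startswith("[") and line.endswith("]"):
            current = groups.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None:
            key, sep, value = line.partition("=")
            # Option files treat ssl_ca and ssl-ca as the same option.
            current[key.strip().lower().replace("_", "-")] = value.strip() if sep else True
    return groups

def effective(groups, names, option):
    """Value of `option` after reading `names` in order (last one wins)."""
    value = None
    for name in names:
        value = groups.get(name, {}).get(option, value)
    return value

def audit_tls(text):
    groups = parse_option_file(text)
    client_ca = effective(groups, CLIENT_GROUPS, "ssl-ca")
    server_ca = effective(groups, SERVER_GROUPS, "ssl-ca")
    findings = []
    if client_ca is None:
        findings.append("client: no ssl-ca set, so no CA is configured for checking the server certificate")
    elif server_ca and client_ca != server_ca:
        findings.append(f"client trusts {client_ca}, server uses {server_ca}: "
                        f"check with openssl verify -CAfile {client_ca} <server-cert>")
    return client_ca, server_ca, findings
```

Run `audit_tls()` on the text of the real option file; a reported mismatch is only a prompt to repeat the `openssl verify` check with the CA file the client actually loads.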