Summary: Install the CA root cert using Keychain Access and set its TLS trust settings to “always trust.”

Working with a new Vapor 4 project (based off the user auth example), I ran into an issue:

…UserRepositoryTests.swift:13: failed: caught error: "handshakeFailed(NIOSSL.BoringSSLError.sslError([Error: 268435581 error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED]))"

I was attempting to connect to a MySQL instance at Digital Ocean, which uses TLS to secure connections to their DB. After some research, I realized that my client code wasn’t trusting the DB’s certificate, and I had noticed that Digital Ocean provides a download for their root cert:

[Image: Digital Ocean Database Overview]

The trick to get it working is to install that root cert and trust it on the client computer. Instructions for Linux abound, but I had a bit of a harder time on macOS.

You should be able to double-click the downloaded CA root cert in the Finder, and then locate it in Keychain Access. This one had a cryptic name that looked like a UUID (“3964cf4f-xxxx-xxxx-xxxx-xxxxxx42ec85 Project CA”). Get Info on that, and set “Secure Sockets Layer (SSL)” to “Always Trust.”

[Image: Keychain Access Certificate Info]

Then, and this part is crucial, close the Info window. macOS will prompt you for your administrator password, and then the new settings will be available. TLS connections to the DB after that should succeed.
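
The same trust change can be made from Terminal. This is an added example, not part of the original post: it checks that the downloaded file really is an unexpired CA certificate, prints its SHA-256 fingerprint so you can compare it with what the provider shows, and only then trusts it for the SSL policy alone using macOS's `security` tool. The file name `ca-certificate.crt` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: inspect a downloaded CA root cert, then trust it for TLS only.
# Usage (assumed file name): sh trust-ca.sh ca-certificate.crt

# Print identity, validity window and SHA-256 fingerprint for manual comparison.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Return 0 only if the file parses as a PEM X.509 cert, is marked CA:TRUE,
# and has not expired. Distinct return codes identify which check failed.
check_ca_cert() {
    cert=$1
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "not a PEM certificate: $cert" >&2; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "basicConstraints does not mark this as a CA" >&2; return 2; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 3; }
}

# Validate, show the fingerprint, then add per-user trust limited to SSL.
# This matches setting "Secure Sockets Layer (SSL)" to "Always Trust" and
# leaves the other policies (code signing, S/MIME, ...) untouched.
trust_for_tls() {
    cert=$1
    check_ca_cert "$cert" || return $?
    describe_cert "$cert"
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; the trust step is macOS only" >&2
        return 4
    fi
    # macOS asks for your password to confirm the trust settings change.
    security add-trusted-cert -r trustRoot -p ssl "$cert"
}

# Run only when a certificate path is given on the command line.
if [ "$#" -gt 0 ]; then
    trust_for_tls "$1"
fi
```

Afterwards, `security verify-cert -c ca-certificate.crt -p ssl` should report that verification succeeded.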