SSL error: Unable to get private key from

Posted by Michael Roth on February 02, 2015

OpenSSL recently changed the default behaviour for key generation. The command openssl req -newkey rsa:2048 used to generate RSA keys in the PKCS #1 format. In this format the key starts with -----BEGIN RSA PRIVATE KEY-----.

The new behaviour is to generate RSA keys in the PKCS #8 format. Now the key file starts with -----BEGIN PRIVATE KEY-----.

If you try to load the new key format into MySQL you will get the error:

SSL error: Unable to get private key from

Adding RSA to the key preamble removes the error message, but it neither solves the problem nor changes the key format. This will lead to the error:

ERROR 2026 (HY000): SSL connection error: protocol version mismatch

To get the key working with MySQL it is necessary to convert the format. This can be done with:

openssl rsa -in key.pem -out key.pem
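
Added example (not from the original post): a small Python check that compares the format the PEM label claims with the format the DER body actually has, which catches the hand-edited header described above. The function names and the toy DER samples are constructed for this illustration; the samples are not usable keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
LABELS = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8"}

def read_header(der, pos):
    """Return (tag, content_start, content_length) of the DER element at pos."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, pos + 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")

def body_format(der):
    """Classify an unencrypted private key by its DER structure, not its label."""
    try:
        tag, start, _ = read_header(der, 0)
        vtag, vstart, vlen = read_header(der, start)
        if tag != 0x30 or vtag != 0x02:   # both formats: SEQUENCE, then INTEGER version
            return "unknown"
        # After the version, PKCS#1 has the modulus (INTEGER); PKCS#8 has a SEQUENCE.
        return {0x02: "PKCS#1", 0x30: "PKCS#8"}.get(der[vstart + vlen], "unknown")
    except IndexError:
        return "unknown"

def check_key(pem_text):
    """Return (format the label claims, format the body has, whether they agree)."""
    m = PEM_RE.search(pem_text)
    if not m or "Proc-Type:" in m.group(2):   # no key found, or legacy-encrypted key
        return ("unknown", "unknown", False)
    actual = body_format(base64.b64decode("".join(m.group(2).split())))
    claimed = LABELS.get(m.group(1), "unknown")
    return claimed, actual, claimed == actual and actual != "unknown"

# Constructed toy DER (tiny numbers, not a usable key) to exercise the check.
def tlv(tag, content):
    return bytes([tag, len(content)]) + content
def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

TOY_PKCS1 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x02, b"\x00\xc1") + tlv(0x02, b"\x01\x00\x01"))
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID rsaEncryption
TOY_PKCS8 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, RSA_OID + b"\x05\x00") + tlv(0x04, TOY_PKCS1))

if __name__ == "__main__":
    for label, der in [("RSA PRIVATE KEY", TOY_PKCS1), ("PRIVATE KEY", TOY_PKCS8),
                       ("RSA PRIVATE KEY", TOY_PKCS8)]:   # last one: hand-edited label
        print(label, "->", check_key(to_pem(label, der)))
```

To check a real file, pass its contents to check_key, for example check_key(open("key.pem").read()).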

[UPDATE] If the key is in the correct format and the error persists, check the file permissions. The key must be readable by the user the MySQL server runs as, usually mysql. The simplest way is to change the ownership to mysql:mysql.
