Bug #108993 fails to establish TLS connection when trust anchor exists in server's cert chain
Submitted: 3 Nov 2022 16:20 Modified: 24 Jun 12:01
Reporter: Xiang Zhang
Status: No Feedback Impact on me: None
Category: Connector / J Severity: S3 (Non-critical)
Version: OS: Any
Assigned to: MySQL Verification Team CPU Architecture: Any

[3 Nov 2022 16:20] Xiang Zhang
Description:
MySQL Connector/J fails to connect to MySQL server when the server's cert chain contains a cross-signed CA cert. Such a cert chain is normal, since this is the default cert chain generated by Let's Encrypt. Currently, and before 2024, Let's Encrypt generates a default cert chain like:

leaf cert -> ISRG R3(intermediate cert) -> ISRG X1(CA) -> DST ROOT X3(legacy CA)

ISRG X1 is a CA cert and exists in most modern platforms, of course including Java 8. DST ROOT X3 is the legacy CA cert; it has already expired and been removed from most platforms.

You can see why this happens in https://letsencrypt.org/2020/12/21/extending-android-compatibility.html.

Currently, if the MySQL server provides such a chain, Connector/J is not able to connect and throws a message like `unable to find trust anchor`. But other clients and drivers from other languages can successfully connect. And browsers treat websites that use such cert chains as secure.

How to repeat:
Setup a MySQL Server using a cert chain described above and try to establish a TLS connection with `VERIFY_CA` or `VERIFY_IDENTITY`.

Suggested fix:
Act just like other clients. And it seems the JDK already handles it well: https://github.com/openjdk/jdk/blob/4cec141a90bc5d3b8ec17c024291d9c74a112cd4/src/java.base...
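The chain the report describes, as an added example that is not code from Connector/J or the JDK: it builds a throwaway leaf -> R3 -> cross-signed ISRG X1 -> expired DST Root X3 chain in Go (crypto/x509 standing in for the JDK's PKIX validator) and shows that path building which stops at the first issuer matching a trust anchor accepts it, while a rule that the last certificate sent must itself be an anchor cannot. All keys, subject names and the hostname db.example.test are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func key() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
// tmpl builds a CA or end-entity template; notAfter may already be in the past to model an expired root.
func tmpl(cn string, serial int64, ca bool, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().AddDate(0, 0, -2), NotAfter: notAfter, IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, DNSNames: []string{cn}}
}

// issue signs template t for sub's public key with the parent's private key (self-signed when parent == t).
func issue(t, parent *x509.Certificate, sub, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, sub.Public(), signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}

// BuildChain constructs, with throwaway keys, the report's chain leaf -> R3 -> ISRG X1 (cross-signed by
// DST Root X3) -> DST Root X3 (expired), plus the self-signed ISRG X1 that platform trust stores hold.
func BuildChain() (presented []*x509.Certificate, anchor *x509.Certificate) {
	dstKey, isrgKey, r3Key, leafKey := key(), key(), key(), key()
	dstT := tmpl("DST Root X3 (constructed)", 1, true, time.Now().AddDate(0, 0, -1)) // legacy root, expired
	dst := issue(dstT, dstT, dstKey, dstKey)
	isrgT := tmpl("ISRG Root X1 (constructed)", 2, true, time.Now().AddDate(10, 0, 0))
	isrgSelf := issue(isrgT, isrgT, isrgKey, isrgKey) // the copy shipped in trust stores
	isrgCross := issue(isrgT, dst, isrgKey, dstKey)   // same subject and key, signed by DST Root X3
	r3 := issue(tmpl("R3 (constructed)", 3, true, time.Now().AddDate(2, 0, 0)), isrgCross, r3Key, isrgKey)
	leaf := issue(tmpl("db.example.test", 4, false, time.Now().AddDate(0, 3, 0)), r3, leafKey, r3Key)
	return []*x509.Certificate{leaf, r3, isrgCross, dst}, isrgSelf
}

// PKIXPathBuild stops at the first issuer matching a trust anchor, so the cross-signed ISRG X1 and the
// expired DST Root X3 the server sent are never needed (requiring the last cert sent to be an anchor fails).
func PKIXPathBuild(presented []*x509.Certificate, anchor *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range presented[1:] { inters.AddCert(c) }
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "db.example.test"})
	return err
}
```

Passing only the expired legacy root as the anchor makes PKIXPathBuild return an error, which is the same situation a client without ISRG X1 in its trust store is in.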
[24 May 12:01] MySQL Verification Team
Hello Xiang Zhang,

Thank you for the bug report.
Please upgrade to the latest version and report back to us, along with a test case, if the issue persists even in the latest version. Thank you.

Regards,
Ashwini Patil
[25 Jun 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".