Can I use openssl s_client to retrieve the CA certificate for MySQL?
I have access to the remote database server using the following
mysql -u theuser -h thehost --ssl --ssl-cipher=DHE-RSA-AES256-SHA -p thedatabase
Now I want to connect to it using JDBC.
I realize that I need to insert the public certificate into my Java key store. However, I cannot figure out how to retrieve the public certificate. I realize it sits on the remote server in /etc/mysql/ca.pem or a similar place. But, I don't have permission to read that file or even ssh into the machine.
I've tried
openssl s_client -cipher DHE-RSA-AES256-SHA -connect thehost:3306
and some variations. I always get errors. For example
CONNECTED(00000003)
30495:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
Yes, OpenSSL version 1.1.1 (released on 11 Sep 2018) now supports fetching the server certificate from a MySQL server.
openssl s_client -starttls mysql -connect thehost:3306
Source: answer by Paul Tobias
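Added example, not part of the original answer: the command above with -showcerts, wrapped so that each certificate the server presents is written to its own file and its SHA-256 fingerprint can be compared with a value obtained from the database administrator before it goes into a Java truststore. The directory ./chain, the alias mysql-ca and the file truststore.jks are assumed names.

```shell
#!/bin/sh
# Added example; host, port, directory, alias and keystore names are placeholders.

# Split every PEM certificate found on stdin into DIR/cert-N.pem
# (N starts at 1, in the order the server sent them).
# Prints the number of certificates written; 0 if none were found.
split_pem_chain() {
    dir=$1
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    '
}

# Fetch the chain a MySQL server presents. Requires OpenSSL 1.1.1 or later
# for "-starttls mysql"; older builds fail with "unknown protocol".
fetch_mysql_chain() {
    host=$1; port=${2:-3306}; dir=$3
    openssl s_client -starttls mysql -showcerts \
        -connect "$host:$port" </dev/null 2>/dev/null |
        split_pem_chain "$dir"
}

# Print subject, issuer and SHA-256 fingerprint of one saved certificate.
# The fetch itself is unauthenticated, so compare the fingerprint with one
# obtained through a separate channel before trusting the file.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Typical manual use:
#   fetch_mysql_chain thehost 3306 ./chain
#   for f in ./chain/cert-*.pem; do describe_cert "$f"; done
#   keytool -importcert -alias mysql-ca -file ./chain/cert-N.pem \
#           -keystore truststore.jks
```

A server may present only its own certificate and not the CA certificate that signed it; the issuer line printed by describe_cert shows which case applies.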