The client cannot find or load the server’s RSA public key file during the connection handshake, so authentication fails.
MySQL Error 64: EE_FAILED_TO_LOCATE_SERVER_PUBLIC_KEY occurs when the client cannot load the server’s RSA public key needed for SHA-256 password authentication. Copy the server’s public key locally and supply it with --server-public-key-path or the rsa-public-key option to resolve the issue.
Failed to locate server public key '%s'. EE_FAILED_TO_LOCATE_SERVER_PUBLIC_KEY was added in 8.0.13.
MySQL raises Error 64 – EE_FAILED_TO_LOCATE_SERVER_PUBLIC_KEY – when a client using the caching_sha2_password or sha256_password plugin cannot obtain the server’s RSA public key during the TLS handshake.
Because the key is required to encrypt the password over unsecured connections, the authentication exchange halts and the server terminates the session.
The client does not have a local copy of the server’s public key and SSL is not fully enabled, so the automatic key request fails.
The --get-server-public-key option is disabled, the key path is wrong, or file permissions prevent access to the .pem file.
Copy the public key file (public_key.pem by default) from the server to the client host and reference it with the --server-public-key-path or rsa-public-key client option.
Alternatively enable --get-server-public-key so the client retrieves the key automatically if the connection is secured by TLS.
On headless servers, the key file may be missing after an upgrade to MySQL 8.0.13+.
Re-deploy the key and restart the client.
In Docker containers, mount the key file through a volume and pass the absolute path in the MYSQL_OPTS environment variable.
Always distribute a current server RSA key to application hosts through your configuration management tool.
Prefer full TLS connections so the key exchange happens automatically, reducing manual file handling.
Error 2061 (HY000) – Authentication plugin 'caching_sha2_password' reported error: invalid key – indicates the public key exists but is corrupted; replace the key file.
Error 1045 (28000) – Access denied for user – shows after Error 64 if the client retries without the key; supply the correct key or switch authentication plugins.
.
No. If you connect over TLS and enable --get-server-public-key, the client retrieves the key automatically, so you do not have to copy it.
Place public_key.pem in %APPDATA%\MySQL or supply an absolute path with --server-public-key-path.
Yes, but it is less secure. Change the user plugin: ALTER USER 'app'@'%' IDENTIFIED WITH mysql_native_password BY 'secret'; then flush privileges.
Galaxy’s connection manager flags missing key files before running queries and suggests the correct --server-public-key-path, preventing runtime failures.
.avif)
.avif){kind=logo}
