Why MySQL “Public Key Retrieval is not allowed” Happens and How to Fix It
This article analyzes the intermittent “Public Key Retrieval is not allowed” error in MySQL 8.0 when using JDBC, C3P0, or Druid connections, explains the authentication plugins involved, and provides step‑by‑step configuration fixes and best‑practice recommendations.
The author’s team frequently encountered an intermittent MySQL error “Public Key Retrieval is not allowed” while using various connection methods (JDBC, JDBCTemplate, C3P0, Druid) on a MySQL 8.0.18 Group Replication cluster deployed on virtual machines.
Background
The error appears sporadically, without a clear pattern, and occurs regardless of the higher‑level data‑source library because the underlying JDBC driver ultimately fails to establish a Connection.
Test Environment
MySQL version: 8.0.18 with Group Replication (MGR). The hardware configuration of the VMs and the software versions of JDBC, Spring, C3P0, Druid are listed in accompanying tables (omitted here for brevity).
Error Presentation
When using JDBC, C3P0, or Druid, the stack trace shows the same exception during Connection creation. Screenshots of the Java stack traces are provided for each case.
Root Cause Analysis
The error is tied to the MySQL authentication plugins sha256_password and caching_sha2_password, which are the default in MySQL 8.0. If SSL/TLS is disabled, the client must obtain the server’s RSA public key to encrypt the password. By default the JDBC client does not request that key, so the driver throws the exception.
Key points from the official MySQL documentation:
Check whether the client disables SSL/TLS.
If SSL/TLS is enabled, the authentication exchange is encrypted and no extra steps are needed.
If SSL/TLS is disabled, the password would otherwise travel in clear text; the plugin therefore attempts RSA encryption with the server’s public key, which fails unless the client can obtain that key.
The mysql_native_password plugin does not exhibit this problem.
Solution
To resolve the error, choose one of the following:
Do not disable SSL/TLS (avoid --ssl-mode=disabled or useSSL=false).
If SSL/TLS must be disabled, create a login cache by connecting once with the CLI client.
Allow the client to retrieve the server’s public key:
Add allowPublicKeyRetrieval=true to the JDBC URL.
Use --get-server-public-key when connecting via CLI.
Specify a local public‑key file with --server-public-key-path=FILE.
These steps eliminate the “Public Key Retrieval is not allowed” exception and ensure stable connections across all tested data‑source implementations.
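The decision described in the root-cause analysis and the solution list above can be written down as a small model that predicts, from a JDBC URL and the account's server-side plugin, whether a login will succeed, fail with “Public Key Retrieval is not allowed”, or succeed only by fetching an unauthenticated key. The following is an added example, not code from the article or from MySQL/Connector/J: the property names sslMode, useSSL, allowPublicKeyRetrieval and serverRSAPublicKeyFile are the real Connector/J connection properties, while the verdict strings, the sample URLs and the assumption that the server offers TLS under the default sslMode=PREFERRED are constructed for this example.

```python
"""Predict how a MySQL 8.0 password exchange will go, from a JDBC URL.

Added example; encodes the sha256_password / caching_sha2_password logic
described in the article. The server-side plugin and the server's login
cache are passed in because neither is visible in the URL.
"""
from urllib.parse import parse_qs, urlsplit

SHA2_PLUGINS = {"sha256_password", "caching_sha2_password"}
ERROR_VERDICT = "error: Public Key Retrieval is not allowed"


def jdbc_params(url: str) -> dict:
    """Return the query parameters of a jdbc:mysql:// URL (last value wins)."""
    if not url.startswith("jdbc:mysql://"):
        raise ValueError("expected a jdbc:mysql:// URL")
    query = urlsplit(url[len("jdbc:"):]).query
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def tls_disabled(params: dict) -> bool:
    """True when the URL turns TLS off.

    sslMode (Connector/J 8.0.13+) takes precedence over the older useSSL
    flag. With neither set the driver defaults to sslMode=PREFERRED; this
    model assumes the server offers TLS, so PREFERRED ends up encrypted.
    """
    mode = params.get("sslMode", "").upper()
    if mode:
        return mode == "DISABLED"
    return params.get("useSSL", "true").lower() == "false"


def classify(url: str, server_plugin: str = "caching_sha2_password",
             cached_on_server: bool = False) -> str:
    """Classify one connection configuration.

    cached_on_server models the caching_sha2_password fast path: after one
    successful login (e.g. from the CLI client) the server answers from its
    cache and no public key is needed for that account.
    """
    params = jdbc_params(url)
    if server_plugin not in SHA2_PLUGINS:
        return f"ok: {server_plugin} does not depend on the server public key"
    if not tls_disabled(params):
        return "ok: password sent over TLS, no key retrieval needed"
    if server_plugin == "caching_sha2_password" and cached_on_server:
        return "ok: cached fast path, no key retrieval needed"
    if params.get("serverRSAPublicKeyFile"):
        return "ok: RSA with pinned key from serverRSAPublicKeyFile"
    if params.get("allowPublicKeyRetrieval", "false").lower() == "true":
        return ("warn: RSA with key fetched from the server over cleartext; "
                "the key itself is not authenticated")
    return ERROR_VERDICT


def audit(urls) -> dict:
    """Classify a batch of URLs (e.g. collected from data-source configs)."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs covering each branch of the decision.
    samples = [
        "jdbc:mysql://db:3306/app?useSSL=false",
        "jdbc:mysql://db:3306/app?useSSL=false&allowPublicKeyRetrieval=true",
        "jdbc:mysql://db:3306/app?sslMode=REQUIRED",
        "jdbc:mysql://db:3306/app?useSSL=false&serverRSAPublicKeyFile=/etc/mysql/pub.pem",
        "jdbc:mysql://db:3306/app",
    ]
    for url, verdict in audit(samples).items():
        print(f"{verdict:70s} <- {url}")
```

The ordering of the checks is the point: keeping TLS on (sslMode=REQUIRED or stricter) resolves the error without any key handling, a pinned serverRSAPublicKeyFile resolves it while still binding the client to a known server key, and allowPublicKeyRetrieval=true resolves it by trusting whatever key the peer sends on a cleartext channel, which is why the model reports that branch as a warning rather than a plain ok.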