MySQL is not using my certificate, uses its own self-signed

I have tried to find an answer to this and I have come up empty.

I have a certificate from LetsEncrypt that I use for all my SSL needs. It is valid for all the DNS names that I am trying to use. Today I tried to get it working for MySQL, but MySQL insists on using its own self-signed cert.

MySQL version is 8.0.26-0ubuntu0.20.04.2 from Ubuntu packages.

I have created /etc/mysql/mysql.conf.d/zz-ssl.conf with these contents:

[mysqld]
ssl-ca=/etc/ssl/certs/local/mainchain.pem
ssl-cert=/etc/mysql/cert.pem
ssl-key=/etc/mysql/cert.pem
[system_default_sect]
MinProtocol = TLSv1.2

But the log says this:

2021-08-08T16:16:57.982003Z 0 [Warning] [MY-013746] [Server] A deprecated TLS version TLSv1 is enabled for channel mysql_main
2021-08-08T16:16:57.982227Z 0 [Warning] [MY-013746] [Server] A deprecated TLS version TLSv1.1 is enabled for channel mysql_main
2021-08-08T16:16:57.983344Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.

I tried deleting /var/lib/mysql/*.pem ... but when I restart mysql, all those files come back with updated timestamps. MySQL seems determined to use its own self-signed certificate and not the one I have configured. I figure I am missing something that should be obvious but isn't.

The file /etc/mysql/cert.pem referenced in my config is owned by mysql:mysql and has 0600 permissions. It is a copy of the certificate file I use for everything else, it contains the server cert, the private key, and the LetsEncrypt issuing cert.

I finally figured this out. The config files must have a .cnf file extension or mysql ignores them. And once I fixed that, I had a permission problem -- I had split the cert file into three separate files, but the other two files were owned by root:root. Once I fixed that, everything worked.