"Self-signed certificate in certificate chain" error when connecting with Azure MySQL  #359

@betsegaw

Issue

Trying to run a Docker instance for Ghost 5.25.5 with an Azure MySQL 8 backend results in the container starting up but subsequently quitting with the error "Self-signed certificate in certificate chain" when using a certificate to connect to the backend. The certificate I think it is complaining about is the SSL certificate I downloaded from the Azure portal for connecting to the SQL server instance.

How to repro

You can run the command below with the MY* content replaced appropriately with details you get from an Azure MySQL flexible server instance:

docker run -it --rm -e url=http://MY.URL.COM -e database__client=mysql -e database__connection__host=MY_HOST.mysql.database.azure.com -e database__connection__user=MY_USERNAME -e database__connection__password=MY_PASSWORD -e database__connection__database=ghost -e database__connection__ssl__ca='-----BEGIN CERTIFICATE-----truncated-----END CERTIFICATE-----' -e NODE_ENV=production -p 2368:2368 ghost:5.25.5-alpine

Output

[2022-12-18 07:24:40] INFO Ghost is running in production...
[2022-12-18 07:24:40] INFO Your site is now available on http://MY.URL.COM/
[2022-12-18 07:24:40] INFO Ctrl+C to shut down
[2022-12-18 07:24:40] INFO Ghost server started in 0.359s
[2022-12-18 07:24:41] ERROR self signed certificate in certificate chain

self signed certificate in certificate chain

"Unknown database error"

Error ID:
    500

Error Code: 
    HANDSHAKE_SSL_ERROR

----------------------------------------

Error: self signed certificate in certificate chain
    at /var/lib/ghost/versions/5.25.5/node_modules/knex-migrator/lib/database.js:57:19
    at TLSSocket.<anonymous> (/var/lib/ghost/versions/5.25.5/node_modules/mysql2/lib/connection.js:357:54)
    at TLSSocket.emit (node:events:513:28)
    at TLSSocket._finishInit (node:_tls_wrap:953:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:734:12)

[2022-12-18 07:24:41] WARN Ghost is shutting down
[2022-12-18 07:24:41] WARN Ghost has shut down
[2022-12-18 07:24:41] WARN Your site is now offline
[2022-12-18 07:24:41] WARN Ghost was running for a few seconds

Possible resolutions (though I haven't been able to figure out how to do them correctly)

  • Add the certificate to a trusted list somewhere so that it no longer shows up as a self-signed certificate (I trust the certificate itself).
  • Certificate has issues (bad download, wrong format, etc.)
    • I have downloaded the certificate twice and both times the outcome has been the same.
    • Format also seems to be as expected, since it's a cer.pem download and removing the "pem" extension allowed the certificate installer to read the details of the certificate.
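
Added example, not part of the original report and not Ghost or mysql2 code: the repro command, as shown, passes the CA as a single-line -e value, while PEM expects the BEGIN/END markers and the base64 body on separate lines. This Node.js helper rebuilds canonical PEM from a flattened or "\n"-escaped value and reports structural problems before the value is given to database__connection__ssl__ca; the name normalizeCaBundle and the sample inputs are assumptions constructed here.

```javascript
// Added example: not Ghost or mysql2 code. normalizeCaBundle is a hypothetical helper.
const BEGIN = '-----BEGIN CERTIFICATE-----';
const END = '-----END CERTIFICATE-----';
const BLOCK = new RegExp(`${BEGIN}([\\s\\S]*?)${END}`, 'g');

// Rebuilds canonical PEM (markers on their own lines, 64-char base64 lines)
// from a CA value that was flattened on its way through a shell or env file.
function normalizeCaBundle(raw) {
  const problems = [];
  // Values pasted into env files often carry literal "\n" instead of line breaks.
  const text = String(raw).replace(/\\r/g, '').replace(/\\n/g, '\n');
  const blocks = [];
  for (const [, inner] of text.matchAll(BLOCK)) {
    const n = blocks.length + 1;
    const body = inner.replace(/\s+/g, '');
    if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(body) || body.length % 4 !== 0) {
      problems.push(`block ${n}: body is not valid base64`);
    } else if (Buffer.from(body, 'base64')[0] !== 0x30) {
      // Every X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
      problems.push(`block ${n}: decoded data is not a DER SEQUENCE`);
    }
    blocks.push([BEGIN, ...(body.match(/.{1,64}/g) || []), END].join('\n'));
  }
  if (blocks.length === 0) problems.push('no CERTIFICATE block found');
  const pem = blocks.map((b) => `${b}\n`).join('');
  const alreadyCanonical = pem.trim() === String(raw).trim();
  return { pem, count: blocks.length, problems, alreadyCanonical };
}

// Constructed sample: 100 filler bytes that begin like DER, not a real certificate.
const sampleBody = Buffer.concat([
  Buffer.from([0x30, 0x82, 0x00, 0x60]),
  Buffer.alloc(96, 0xab),
]).toString('base64');
const oneLine = `${BEGIN}${sampleBody}${END}`; // line breaks lost entirely
const escaped = `${BEGIN}\\n${sampleBody}\\n${END}\\n`; // literal "\n" sequences

for (const [label, value] of [['one line', oneLine], ['escaped', escaped]]) {
  const { count, problems, alreadyCanonical } = normalizeCaBundle(value);
  console.log(label, { count, problems, alreadyCanonical });
}
```

A clean result only means the value is well-formed PEM; it does not show that the certificate is the root the server's chain ends in.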
