MySQL (client) commands in shell scripts fail with ERROR 2026 (HY000): TLS/SSL error: SSL is required



After I recently upgraded a Debian machine from 12 (Bookworm) to 13 (Trixie), a couple of automated scripts stopped running. The distribution upgrade also upgraded the mariadb-client package to version 11.8 - and a new default seems to be active.

ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

The Bash script in question uses the mysql command to retrieve some data from a MariaDB database. A manual run of the query on the command line quickly showed the error:

ck@trixie:~$ source .config/dbconfig.env 
ck@trixie:~$ QUERY="SELECT id FROM db.table WHERE status='something';"
ck@trixie:~$ mysql -u ${MYSQL_USER} --batch --skip-column-names -e "$QUERY"
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

This has definitely worked prior to the distribution upgrade. A quick look into mysql --help shows what has changed:

ck@trixie:~$ mysql --help
mysql from 11.8.3-MariaDB, client 15.2 for debian-linux-gnu (x86_64) using  EditLine wrapper
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Usage: mysql [OPTIONS] [database]
[...]
  --ssl     Enable SSL for connection (automatically enabled with  other flags).
            (Defaults to on; use --skip-ssl to disable.)

[...]

The --ssl option is now used by default when using the mysql cli. 

Use --skip-ssl in cli or cnf config

As the --help output shows, one fix is to use the --skip-ssl option. Note that this turns TLS off for the connection, so the traffic between client and server is not encrypted. With the option set, the query returns its result:

ck@trixie:~$ mysql --skip-ssl -u ${MYSQL_USER} --batch --skip-column-names -e "$QUERY"
2994

But instead of changing the Bash script and appending the option to each mysql command, the skip-ssl option can also be defined in a config (cnf) file:

ck@trixie:~$ cat ~/.my.cnf
[client]
skip-ssl = true

Note: It's important to define the ~/.my.cnf configuration file in the $HOME directory of the user that executes the script.

This way, ~/.my.cnf is read when the mysql command starts and the cli respects the configuration options in it. It's therefore not necessary to add --skip-ssl to the command itself:

ck@trixie:~$ mysql -u ${MYSQL_USER} --batch --skip-column-names -e "$QUERY"
2

The Bash script now runs again, without a change inside the Bash script itself.
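
Because a [client] entry in ~/.my.cnf applies to every connection that user makes, it helps to check which option files turn TLS off and where those sections connect. The sh/awk function below is an added example, not part of the original post; the name audit_skip_ssl, the sample file and the host db.example.internal are constructed, and a section without a host line is assumed to use the local default.

```shell
#!/bin/sh
# audit_skip_ssl FILE
# Prints "<section> <host> <LOCAL|REMOTE>" for every option-file section
# that contains skip-ssl (or skip_ssl), whatever value is assigned to it.
# Returns 1 if any such section points at a non-local host, else 0.
audit_skip_ssl() {
    awk '
    function flush() {
        if (skip) {
            islocal = (host == "" || host == "localhost" || host == "127.0.0.1" || host == "::1")
            scope = islocal ? "LOCAL" : "REMOTE"
            printf "%s %s %s\n", section, (host == "" ? "(default)" : host), scope
            if (!islocal) bad = 1
        }
        skip = 0; host = ""
    }
    BEGIN { bad = 0; skip = 0; host = ""; section = "(none)" }
    /^[ \t]*[#;]/ { next }                      # comment lines
    /^[ \t]*\[/ {                               # new [section] header
        flush()
        s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
        section = s; next
    }
    {
        split($0, kv, "=")
        key = kv[1]; gsub(/[ \t]/, "", key); gsub(/_/, "-", key)
        val = kv[2]; gsub(/[ \t]/, "", val)
        if (key == "skip-ssl") skip = 1         # flagged for review
        if (key == "host") host = val
    }
    END { flush(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: a local [client] section like the one in this post,
# plus a hypothetical section that disables TLS towards a remote host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[client]
skip-ssl = true

[client-report]
host = db.example.internal
skip_ssl
EOF
audit_skip_ssl "$sample" || echo "TLS is disabled for a remote host"
rm -f "$sample"
```
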

