MySQL certificate verification changes due to Alpine 3.21
Overview
Alpine 3.21 and above have changed the default mysql client to the mariadb client. As part of this change, the client now verifies the connection certificates by default.
When deploying to a preview environment or on a local development environment (depending on your configuration) mysql server is signed with a self-signed certificate causing the connection to fail. This change does not affect Skpr cluster environments.
Solution
The solution is to disable the certificate verification using the MYSQL_ATTR_SSL_VERIFY_SERVER_CERT PDO setting
for development (local and preview) environments. This alone will fix the web server connection issues, but
does not fix the Drush CLI connection unless you're using version 13.7.0 and above.
if ($cert_path = $skpr->get('mysql.default.ca.crt')) {
$databases['default']['default']['pdo'][\PDO::MYSQL_ATTR_SSL_CA] = $cert_path;
}
else {
$databases['default']['default']['pdo'][\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = FALSE;
}
We have worked with Drush to include a change that will disable the peer verification for the CLI when the above is set and this change was released in Drush 13.7.0. You will need to upgrade to Drush 13.7.0 to fix the issue for the CLI.
If for some reason you can't upgrade to Drush 13.7.0, please contact a Skpr platform team member as there are workarounds
for connecting, but they are not as seemless as Drush sql:cli or similar.
Testing
You can test your changes by switching to the latest image tag for your PHP containers (fpm and cli). These are
located in .skpr/package/cli/Dockerfile and .skpr/package/fpm/Dockerfile.
Once the container is deployed you can confirm Apline version with cat /etc/issue (3.21).
You can use drush version to check Drush version (13.7.0)
Finally a drush sql:cli command should work without certificate errors on a preview environment.
Timeline
We will roll the alpine upgrade out to stable images on Monday, 16th February 2026.