Install/upgrade: ensure MariaDB client no-SSL in all modules and monolithic (ERROR 2026 fix)

cyberpanel_upgrade_monolithic.sh

@@ -1029,6 +1029,17 @@ if [[ "$Server_OS" = "openEuler" ]] ; then
   dnf install python3 -y
 fi
 #all pre-upgrade operation for openEuler
+
+  # Ensure MariaDB client no-SSL on every upgrade path (avoids ERROR 2026 when server has have_ssl=DISABLED)
+  mkdir -p /etc/my.cnf.d
+  printf "[client]\nssl=0\nskip-ssl\n" > /etc/my.cnf.d/cyberpanel-client.cnf 2>/dev/null || true
+  if [[ -f /etc/my.cnf ]] && ! grep -q '^\[client\]' /etc/my.cnf 2>/dev/null; then
+    echo -e "\n[client]\nssl=0\nskip-ssl" >> /etc/my.cnf
+  fi
+  if [[ -d /etc/mysql/mariadb.conf.d ]]; then
+    printf "[client]\nssl=0\nskip-ssl\n" > /etc/mysql/mariadb.conf.d/99-cyberpanel-client.cnf 2>/dev/null || true
+  fi
+  echo -e "[$(date +"%Y-%m-%d %H:%M:%S")] MariaDB client no-SSL config ensured." | tee -a /var/log/cyberpanel_upgrade_debug.log
 }
 
 Download_Requirement() {

to-do/MARIADB-CLIENT-NO-SSL-INSTALL-UPGRADE.md

@@ -0,0 +1,51 @@
+# MariaDB Client No-SSL (ERROR 2026 Fix) – Install and Upgrade Coverage
+
+This document summarizes where the MariaDB client “no SSL” configuration is applied so that **install** and **upgrade** both work when the server has `have_ssl=DISABLED` (avoids `ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it`).
+
+## What gets applied
+
+- **`[client]`** with **`ssl=0`** and **`skip-ssl`** in:
+  - `/etc/my.cnf.d/cyberpanel-client.cnf` (RHEL/AlmaLinux/CentOS)
+  - `/etc/mysql/mariadb.conf.d/99-cyberpanel-client.cnf` (Debian/Ubuntu, when that directory exists)
+  - Optionally appended to **`/etc/my.cnf`** if it has no `[client]` section
+
+## Install path
+
+| Location | What happens |
+|----------|----------------|
+| **install/install.py** | Writes `/root/.my.cnf` with `[client]` including `ssl=0` and `skip-ssl`. When `remotemysql == 'OFF'`, calls `_ensure_mariadb_client_no_ssl()` which creates `/etc/my.cnf.d/cyberpanel-client.cnf` (RHEL) and `/etc/mysql/mariadb.conf.d/99-cyberpanel-client.cnf` (Debian/Ubuntu). |
+
+So every **fresh install** (local MariaDB) gets the client no-SSL config.
+
+## Upgrade path (modular: `cyberpanel_upgrade.sh` + `upgrade_modules/`)
+
+| Module | What happens |
+|--------|----------------|
+| **03_mariadb.sh** | Defines **`Ensure_MariaDB_Client_No_SSL()`** (writes `cyberpanel-client.cnf`, optional `[client]` in `my.cnf`, and Debian `99-cyberpanel-client.cnf`). Called at end of **`Pre_Upgrade_CentOS7_MySQL`** when that path runs. |
+| **05_repository.sh** | After all OS-specific repository and MariaDB install/upgrade logic (CentOS, AlmaLinux 9, Ubuntu/Debian, openEuler), calls **`Ensure_MariaDB_Client_No_SSL`** once. Every RHEL/DNF path also writes `cyberpanel-client.cnf` and optional `my.cnf` [client] inline; Ubuntu/Debian get the fix via this single call. |
+
+So every **modular upgrade** run applies the client no-SSL config on all supported OSes.
+
+## Upgrade path (monolithic: `cyberpanel_upgrade_monolithic.sh`)
+
+| Location | What happens |
+|----------|----------------|
+| **Pre_Upgrade_Setup_Repository** | Each RHEL/DNF branch already creates `/etc/my.cnf.d/cyberpanel-client.cnf` with `ssl=0` and `skip-ssl` and optionally appends `[client]` to `/etc/my.cnf`. At the **end** of the same function (after Ubuntu and openEuler blocks), a single block runs that: creates `cyberpanel-client.cnf`, appends `[client]` to `my.cnf` if missing, and creates `/etc/mysql/mariadb.conf.d/99-cyberpanel-client.cnf` on Debian/Ubuntu. |
+
+So every **monolithic upgrade** run also ensures the client no-SSL config on all paths.
+
+## Verification
+
+After install or upgrade:
+
+```bash
+mariadb -e "SELECT 1"
+# or
+mariadb -e "SELECT @@version;"
+```
+
+If these work without `ERROR 2026`, the client no-SSL configuration is in effect.
+
+## Manual fix (if needed)
+
+See **to-do/fix-phpmyadmin-mariadb-version-on-server.md** for a manual one-off fix on a single server.

upgrade_modules/03_mariadb.sh

@@ -17,6 +17,7 @@ Pre_Upgrade_CentOS7_MySQL() {
     mariadb-upgrade -uroot -p"$MySQL_Password" 2>/dev/null || mysql_upgrade -uroot -p"$MySQL_Password"
   fi
   mariadb -uroot -p"$MySQL_Password" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '$MySQL_Password';flush privileges" 2>/dev/null || mysql -uroot -p"$MySQL_Password" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '$MySQL_Password';flush privileges"
+  Ensure_MariaDB_Client_No_SSL
 }
 
 Maybe_Backup_MariaDB_Before_Upgrade() {
@@ -86,3 +87,17 @@ Migrate_MariaDB_To_UTF8() {
   done
   echo -e "[$(date +"%Y-%m-%d %H:%M:%S")] MariaDB UTF-8 (utf8mb4) migration completed." | tee -a /var/log/cyberpanel_upgrade_debug.log
 }
+
+# Ensure MariaDB client connects without SSL (avoids ERROR 2026 when server has have_ssl=DISABLED).
+# Call after any MariaDB install/upgrade so install and upgrade paths both get the fix.
+Ensure_MariaDB_Client_No_SSL() {
+  mkdir -p /etc/my.cnf.d
+  printf "[client]\nssl=0\nskip-ssl\n" > /etc/my.cnf.d/cyberpanel-client.cnf 2>/dev/null || true
+  if [[ -f /etc/my.cnf ]] && ! grep -q '^\[client\]' /etc/my.cnf 2>/dev/null; then
+    echo -e "\n[client]\nssl=0\nskip-ssl" >> /etc/my.cnf
+  fi
+  if [[ -d /etc/mysql/mariadb.conf.d ]]; then
+    printf "[client]\nssl=0\nskip-ssl\n" > /etc/mysql/mariadb.conf.d/99-cyberpanel-client.cnf 2>/dev/null || true
+  fi
+  echo -e "[$(date +"%Y-%m-%d %H:%M:%S")] MariaDB client no-SSL config ensured (cyberpanel-client.cnf, optional my.cnf [client])." | tee -a /var/log/cyberpanel_upgrade_debug.log
+}

upgrade_modules/05_repository.sh

@@ -496,5 +496,8 @@ if [[ "$Server_OS" = "openEuler" ]] ; then
   dnf install python3 -y
 fi
 #all pre-upgrade operation for openEuler
+
+  # Ensure MariaDB client no-SSL on every upgrade path (install and upgrade; avoids ERROR 2026)
+  Ensure_MariaDB_Client_No_SSL
 }