From 6df7c4ab3956d6761d87235b326d92923f4635bf Mon Sep 17 00:00:00 2001 From: master3395 Date: Tue, 17 Feb 2026 00:07:09 +0100 Subject: [PATCH] Install/upgrade: ensure MariaDB client no-SSL in all modules and monolithic (ERROR 2026 fix) --- cyberpanel_upgrade_monolithic.sh | 11 ++++ .../MARIADB-CLIENT-NO-SSL-INSTALL-UPGRADE.md | 51 +++++++++++++++++++ upgrade_modules/03_mariadb.sh | 15 ++++++ upgrade_modules/05_repository.sh | 3 ++ 4 files changed, 80 insertions(+) create mode 100644 to-do/MARIADB-CLIENT-NO-SSL-INSTALL-UPGRADE.md diff --git a/cyberpanel_upgrade_monolithic.sh b/cyberpanel_upgrade_monolithic.sh index 5f4a2d8a7..a7a4a51fd 100644 --- a/cyberpanel_upgrade_monolithic.sh +++ b/cyberpanel_upgrade_monolithic.sh @@ -1029,6 +1029,17 @@ if [[ "$Server_OS" = "openEuler" ]] ; then dnf install python3 -y fi #all pre-upgrade operation for openEuler + + # Ensure MariaDB client no-SSL on every upgrade path (avoids ERROR 2026 when server has have_ssl=DISABLED) + mkdir -p /etc/my.cnf.d + printf "[client]\nssl=0\nskip-ssl\n" > /etc/my.cnf.d/cyberpanel-client.cnf 2>/dev/null || true + if [[ -f /etc/my.cnf ]] && ! grep -q '^\[client\]' /etc/my.cnf 2>/dev/null; then + echo -e "\n[client]\nssl=0\nskip-ssl" >> /etc/my.cnf + fi + if [[ -d /etc/mysql/mariadb.conf.d ]]; then + printf "[client]\nssl=0\nskip-ssl\n" > /etc/mysql/mariadb.conf.d/99-cyberpanel-client.cnf 2>/dev/null || true + fi + echo -e "[$(date +"%Y-%m-%d %H:%M:%S")] MariaDB client no-SSL config ensured." | tee -a /var/log/cyberpanel_upgrade_debug.log } Download_Requirement() { diff --git a/to-do/MARIADB-CLIENT-NO-SSL-INSTALL-UPGRADE.md b/to-do/MARIADB-CLIENT-NO-SSL-INSTALL-UPGRADE.md new file mode 100644 index 000000000..aaaf074d3 --- /dev/null +++ b/to-do/MARIADB-CLIENT-NO-SSL-INSTALL-UPGRADE.md @@ -0,0 +1,51 @@ +# MariaDB Client No-SSL (ERROR 2026 Fix) – Install and Upgrade Coverage + +This document summarizes where the MariaDB client “no SSL” configuration is applied so that **install** and **upgrade** both work when the server has `have_ssl=DISABLED` (avoids `ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it`). + +## What gets applied + +- **`[client]`** with **`ssl=0`** and **`skip-ssl`** in: + - `/etc/my.cnf.d/cyberpanel-client.cnf` (RHEL/AlmaLinux/CentOS) + - `/etc/mysql/mariadb.conf.d/99-cyberpanel-client.cnf` (Debian/Ubuntu, when that directory exists) + - Optionally appended to **`/etc/my.cnf`** if it has no `[client]` section + +## Install path + +| Location | What happens | +|----------|----------------| +| **install/install.py** | Writes `/root/.my.cnf` with `[client]` including `ssl=0` and `skip-ssl`. When `remotemysql == 'OFF'`, calls `_ensure_mariadb_client_no_ssl()` which creates `/etc/my.cnf.d/cyberpanel-client.cnf` (RHEL) and `/etc/mysql/mariadb.conf.d/99-cyberpanel-client.cnf` (Debian/Ubuntu). | + +So every **fresh install** (local MariaDB) gets the client no-SSL config. + +## Upgrade path (modular: `cyberpanel_upgrade.sh` + `upgrade_modules/`) + +| Module | What happens | +|--------|----------------| +| **03_mariadb.sh** | Defines **`Ensure_MariaDB_Client_No_SSL()`** (writes `cyberpanel-client.cnf`, optional `[client]` in `my.cnf`, and Debian `99-cyberpanel-client.cnf`). Called at end of **`Pre_Upgrade_CentOS7_MySQL`** when that path runs. | +| **05_repository.sh** | After all OS-specific repository and MariaDB install/upgrade logic (CentOS, AlmaLinux 9, Ubuntu/Debian, openEuler), calls **`Ensure_MariaDB_Client_No_SSL`** once. Every RHEL/DNF path also writes `cyberpanel-client.cnf` and optional `my.cnf` [client] inline; Ubuntu/Debian get the fix via this single call. | + +So every **modular upgrade** run applies the client no-SSL config on all supported OSes. + +## Upgrade path (monolithic: `cyberpanel_upgrade_monolithic.sh`) + +| Location | What happens | +|----------|----------------| +| **Pre_Upgrade_Setup_Repository** | Each RHEL/DNF branch already creates `/etc/my.cnf.d/cyberpanel-client.cnf` with `ssl=0` and `skip-ssl` and optionally appends `[client]` to `/etc/my.cnf`. At the **end** of the same function (after Ubuntu and openEuler blocks), a single block runs that: creates `cyberpanel-client.cnf`, appends `[client]` to `my.cnf` if missing, and creates `/etc/mysql/mariadb.conf.d/99-cyberpanel-client.cnf` on Debian/Ubuntu. | + +So every **monolithic upgrade** run also ensures the client no-SSL config on all paths. + +## Verification + +After install or upgrade: + +```bash +mariadb -e "SELECT 1" +# or +mariadb -e "SELECT @@version;" +``` + +If these work without `ERROR 2026`, the client no-SSL configuration is in effect. + +## Manual fix (if needed) + +See **to-do/fix-phpmyadmin-mariadb-version-on-server.md** for a manual one-off fix on a single server. diff --git a/upgrade_modules/03_mariadb.sh b/upgrade_modules/03_mariadb.sh index f70e3fae4..8fe8ddb4e 100644 --- a/upgrade_modules/03_mariadb.sh +++ b/upgrade_modules/03_mariadb.sh @@ -17,6 +17,7 @@ Pre_Upgrade_CentOS7_MySQL() { mariadb-upgrade -uroot -p"$MySQL_Password" 2>/dev/null || mysql_upgrade -uroot -p"$MySQL_Password" fi mariadb -uroot -p"$MySQL_Password" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '$MySQL_Password';flush privileges" 2>/dev/null || mysql -uroot -p"$MySQL_Password" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '$MySQL_Password';flush privileges" + Ensure_MariaDB_Client_No_SSL } Maybe_Backup_MariaDB_Before_Upgrade() { @@ -86,3 +87,17 @@ Migrate_MariaDB_To_UTF8() { done echo -e "[$(date +"%Y-%m-%d %H:%M:%S")] MariaDB UTF-8 (utf8mb4) migration completed." | tee -a /var/log/cyberpanel_upgrade_debug.log } + +# Ensure MariaDB client connects without SSL (avoids ERROR 2026 when server has have_ssl=DISABLED). +# Call after any MariaDB install/upgrade so install and upgrade paths both get the fix. +Ensure_MariaDB_Client_No_SSL() { + mkdir -p /etc/my.cnf.d + printf "[client]\nssl=0\nskip-ssl\n" > /etc/my.cnf.d/cyberpanel-client.cnf 2>/dev/null || true + if [[ -f /etc/my.cnf ]] && ! grep -q '^\[client\]' /etc/my.cnf 2>/dev/null; then + echo -e "\n[client]\nssl=0\nskip-ssl" >> /etc/my.cnf + fi + if [[ -d /etc/mysql/mariadb.conf.d ]]; then + printf "[client]\nssl=0\nskip-ssl\n" > /etc/mysql/mariadb.conf.d/99-cyberpanel-client.cnf 2>/dev/null || true + fi + echo -e "[$(date +"%Y-%m-%d %H:%M:%S")] MariaDB client no-SSL config ensured (cyberpanel-client.cnf, optional my.cnf [client])." | tee -a /var/log/cyberpanel_upgrade_debug.log +} diff --git a/upgrade_modules/05_repository.sh b/upgrade_modules/05_repository.sh index 675169f75..48f38cc57 100644 --- a/upgrade_modules/05_repository.sh +++ b/upgrade_modules/05_repository.sh @@ -496,5 +496,8 @@ if [[ "$Server_OS" = "openEuler" ]] ; then dnf install python3 -y fi #all pre-upgrade operation for openEuler + + # Ensure MariaDB client no-SSL on every upgrade path (install and upgrade; avoids ERROR 2026) + Ensure_MariaDB_Client_No_SSL }