docker-library / ghost

Docker Official Image packaging for Ghost
https://hub.docker.com/_/ghost
MIT License

"Self-signed certificate in certificate chain" error when connecting with Azure MySQL #359

Closed betsegaw closed 1 year ago

betsegaw commented 1 year ago

Issue

Trying to run a Docker instance for Ghost 5.25.5 with an Azure MySQL 8 backend results in the container starting up but subsequently quitting with the error "Self-signed certificate in certificate chain" when using a certificate to connect to the backend. The certificate I think it is complaining about is the SSL certificate I downloaded from the Azure portal for connecting to the SQL server instance.

How to repro

You can run the command below with the MY* content replaced appropriately with details you get from an Azure MySQL flexible server instance:

docker run -it --rm -e url=http://MY.URL.COM -e database__client=mysql -e database__connection__host=MY_HOST.mysql.database.azure.com -e database__connection__user=MY_USERNAME -e database__connection__password=MY_PASSWORD -e database__connection__database=ghost -e database__connection__ssl__ca='-----BEGIN CERTIFICATE-----truncated-----END CERTIFICATE-----' -e NODE_ENV=production -p 2368:2368 ghost:5.25.5-alpine

Output

[2022-12-18 07:24:40] INFO Ghost is running in production...
[2022-12-18 07:24:40] INFO Your site is now available on http://MY.URL.COM/
[2022-12-18 07:24:40] INFO Ctrl+C to shut down
[2022-12-18 07:24:40] INFO Ghost server started in 0.359s
[2022-12-18 07:24:41] ERROR self signed certificate in certificate chain

self signed certificate in certificate chain

"Unknown database error"

Error ID:
    500

Error Code: 
    HANDSHAKE_SSL_ERROR

----------------------------------------

Error: self signed certificate in certificate chain
    at /var/lib/ghost/versions/5.25.5/node_modules/knex-migrator/lib/database.js:57:19
    at TLSSocket.<anonymous> (/var/lib/ghost/versions/5.25.5/node_modules/mysql2/lib/connection.js:357:54)
    at TLSSocket.emit (node:events:513:28)
    at TLSSocket._finishInit (node:_tls_wrap:953:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:734:12)

[2022-12-18 07:24:41] WARN Ghost is shutting down
[2022-12-18 07:24:41] WARN Ghost has shut down
[2022-12-18 07:24:41] WARN Your site is now offline
[2022-12-18 07:24:41] WARN Ghost was running for a few seconds

Possible resolutions (though I haven't been able to figure out how to do them correctly)