martialblog / docker-limesurvey

A Docker Image for LimeSurvey
https://hub.docker.com/r/martialblog/limesurvey/
MIT License
147 stars 67 forks

Unable to Connect LimeSurvey Docker Image to MySQL with TLS Configuration #188

Open aliridha1510 opened 4 weeks ago

aliridha1510 commented 4 weeks ago

Hi there,

I am trying to connect the LimeSurvey Docker image to a MySQL database that requires TLS. I'm using the following Docker image:

Docker Image: martialblog/limesurvey:latest
MySQL: Hosted on Azure, configured with TLS

I’ve been attempting to configure the database connection with TLS but haven't found any environment variables or documentation that describe how to pass the TLS certificates to the application.

Here are the logs from my LimeSurvey container:

2024-08-13T15:46:29.289499204Z Info: Customizing Apache Listen port to 8080
2024-08-13T15:46:29.381272907Z Info: Generating config.php
2024-08-13T15:46:29.381297307Z Info: Using MySQL configuration
2024-08-13T15:46:29.381300907Z Info: Using TCP connection
2024-08-13T15:46:29.381359509Z Connection to tst.mysql.database.azure.com (ip-addr) 3306 port [tcp/*] succeeded!
2024-08-13T15:46:29.414651772Z Warning: No encryption keys were provided
2024-08-13T15:46:29.441716992Z Warning: A security.php config will be created by the application
2024-08-13T15:46:29.441741292Z Warning: THIS FILE NEEDS TO BE PERSISTENT
2024-08-13T15:46:29.422466551Z Info: Creating security.php
2024-08-13T15:46:29.441754793Z Info: Check if database already provisioned. Nevermind the Stack trace.
2024-08-13T15:46:30.489426201Z CException: DataBase version are not found, seems LimeSurvey are not installed. in /var/www/html/application/commands/UpdateDbCommand.php:36
2024-08-13T15:46:30.489460202Z Stack trace:
2024-08-13T15:46:30.489465002Z #0 /var/www/html/vendor/yiisoft/yii/framework/console/CConsoleCommandRunner.php(71): UpdateDBCommand->run()
2024-08-13T15:46:30.489469002Z #1 /var/www/html/vendor/yiisoft/yii/framework/console/CConsoleApplication.php(92): CConsoleCommandRunner->run()
2024-08-13T15:46:30.489472402Z #2 /var/www/html/vendor/yiisoft/yii/framework/base/CApplication.php(185): CConsoleApplication->processRequest()
2024-08-13T15:46:30.489475902Z #3 /var/www/html/application/commands/console.php(77): CApplication->run()
2024-08-13T15:46:30.659248893Z #4 {main}
2024-08-13T15:46:30.659285194Z Running console.php install
2024-08-13T15:46:31.142253661Z CException: Invalid access data. Check your config.php db access data in /var/www/html/application/commands/InstallCommand.php:115
2024-08-13T15:46:31.142324063Z Stack trace:
2024-08-13T15:46:31.142329563Z #0 /var/www/html/application/commands/InstallCommand.php(50): InstallCommand->createDatabase()
2024-08-13T15:46:31.142333763Z #1 /var/www/html/vendor/yiisoft/yii/framework/console/CConsoleCommandRunner.php(71): InstallCommand->run()
2024-08-13T15:46:31.142337363Z #2 /var/www/html/vendor/yiisoft/yii/framework/console/CConsoleApplication.php(92): CConsoleCommandRunner->run()
2024-08-13T15:46:31.142340763Z #3 /var/www/html/vendor/yiisoft/yii/framework/base/CApplication.php(185): CConsoleApplication->processRequest()
2024-08-13T15:46:31.142344163Z #4 /var/www/html/application/commands/console.php(77): CApplication->run()
2024-08-13T15:46:31.775143163Z AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 169.254.131.11. Set the 'ServerName' directive globally to suppress this message
2024-08-13T15:46:31.897077158Z AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 169.254.131.11. Set the 'ServerName' directive globally to suppress this message
2024-08-13T15:46:32.210122531Z [Tue Aug 13 15:46:32.209931 2024] [mpm_prefork:notice] [pid 1:tid 1] AH00163: Apache/2.4.61 (Debian) PHP/8.1.29 configured -- resuming normal operations
2024-08-13T15:46:32.227067419Z [Tue Aug 13 15:46:32.226933 2024] [core:notice] [pid 1:tid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
2024-08-13T15:47:33.760Z INFO  - Waiting for response to warmup request for container limesurvey-test_1_1234. Elapsed time = 63.008981 sec
2024-08-13T15:47:49.770Z INFO  - Waiting for response to warmup request for container limesurvey-test_1_1234. Elapsed time = 63.008981 sec

My Attempt at Setting Up SSL/TLS

I attempted to set up the database connection using the following PHP code:

<?php
$conn = mysqli_init();
// Only the CA certificate is set; client key, client cert, CA path and cipher list are left NULL.
mysqli_ssl_set($conn, NULL, NULL, "/var/www/html/DigiCertGlobalRootCA.crt.pem", NULL, NULL);
// MYSQLI_CLIENT_SSL requests an encrypted connection.
mysqli_real_connect($conn, 'mydemoserver.mysql.database.azure.com', 'myadmin', 'yourpassword', 'quickstartdb', 3306, MYSQLI_CLIENT_SSL);
if (mysqli_connect_errno()) {
    die('Failed to connect to MySQL: '.mysqli_connect_error());
}

However, I couldn't find a way to directly pass the SSL certificate in the LimeSurvey configuration or through environment variables.

Any guidance or suggestions would be greatly appreciated!

Thank you!

martialblog commented 4 weeks ago

Hi, you should be able to set the TLS connection attributes in the config.php and then just mount it and the certificates and keys into the container.

cat config.php

<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
return array(
  'components' => array(
    'db' => array(
      'connectionString' => 'mysql:host=mydbhost;port=3306;dbname=limesurvey;',
      'emulatePrepare' => true,
      'username' => 'root',
      'password' => 'changeme',
      'charset' => 'utf8mb4',
      'tablePrefix' => 'lime_',
      'attributes' => array(
          PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
          PDO::MYSQL_ATTR_SSL_KEY => '/ls/client-key.pem',
          PDO::MYSQL_ATTR_SSL_CERT => '/ls/client-cert.pem',
          PDO::MYSQL_ATTR_SSL_CA => '/ls/ca-cert.pem',
      ),
    ),
    'urlManager' => array(
      'urlFormat' => 'path',
      'rules' => array(),
      'showScriptName' => true,
    ),
  ),
  'config'=>array(
    'mysqlEngine' => 'MyISAM',
  )
);

If the certs are not dummy certs like mine, you can set PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true.

My LS Setup:

ls /tmp/lime 
config.php ca-cert.pem  client-cert.pem  client-key.pem

podman run -ti --rm -v /tmp/lime/:/ls -v /tmp/lime/config.php:/var/www/html/application/config/config.php -e DB_PASSWORD=changeme -e ADMIN_PASSWORD=changeme -e DB_HOST=mydbhost -p 8080:8080 docker.io/martialblog/limesurvey:6-apache

My DB Setup:

ls /tmp/db 
1-server-ssl.cnf  ca-cert.pem  server-cert.pem  server-key.pem

cat /tmp/db/1-server-ssl.cnf 
[mariadbd]
ssl-ca = /etc/mysql/conf.d/ca-cert.pem
ssl-cert = /etc/mysql/conf.d/server-cert.pem
ssl-key = /etc/mysql/conf.d/server-key.pem

podman run --name mariadb -v /tmp/db:/etc/mysql/conf.d -e MARIADB_ROOT_PASSWORD=changeme -p 3306:3306 docker.io/mariadb:latest

Hope that helps.
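
A way to check the TLS settings from this thread before LimeSurvey uses them, as an added example that is not code from either commenter or from the docker-limesurvey project: it opens a PDO connection with the same attributes as the config.php above, but with server certificate verification enabled and the client certificate optional (the mysqli attempt in the first post passes only a CA file), then asks the server whether the session is encrypted. DB_HOST and DB_PASSWORD are the variables shown in the podman command; DB_USERNAME, DB_NAME, DB_PORT and DB_SSL_CA are names assumed for this script, and the defaults are the sample values from the reply.

```php
<?php
// Added example (not from the thread): open a PDO connection with the same TLS
// attributes config.php passes to LimeSurvey, with server verification ON,
// then ask the server whether this session is really encrypted.
// Assumptions: DB_USERNAME, DB_NAME, DB_PORT and DB_SSL_CA are illustrative
// variable names for this script; defaults mirror the reply's sample values.

function tlsOptions(string $ca, ?string $cert = null, ?string $key = null): array
{
    if (!is_readable($ca)) {
        throw new RuntimeException("CA bundle not readable: $ca");
    }
    $opts = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::MYSQL_ATTR_SSL_CA => $ca,
        // Reject servers whose certificate does not chain to $ca or match the host.
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
    ];
    // Client certificate and key are only needed when the server demands mutual TLS.
    if ($cert !== null && $key !== null) {
        $opts[PDO::MYSQL_ATTR_SSL_CERT] = $cert;
        $opts[PDO::MYSQL_ATTR_SSL_KEY] = $key;
    }
    return $opts;
}

function sessionTls(PDO $pdo): array
{
    // Ssl_cipher is an empty string when the session is not encrypted.
    $sql = "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version', 'Ssl_cipher')";
    $rows = $pdo->query($sql)->fetchAll(PDO::FETCH_KEY_PAIR);
    return ['version' => $rows['Ssl_version'] ?? '', 'cipher' => $rows['Ssl_cipher'] ?? ''];
}

$dsn = sprintf('mysql:host=%s;port=%d;dbname=%s',
    getenv('DB_HOST') ?: 'mydbhost', (int) (getenv('DB_PORT') ?: 3306), getenv('DB_NAME') ?: 'limesurvey');
try {
    $pdo = new PDO($dsn, getenv('DB_USERNAME') ?: 'root', getenv('DB_PASSWORD') ?: '',
        tlsOptions(getenv('DB_SSL_CA') ?: '/ls/ca-cert.pem'));
    $tls = sessionTls($pdo);
} catch (Throwable $e) {
    fwrite(STDERR, 'Connection failed: ' . $e->getMessage() . PHP_EOL);
    exit(1);
}
if ($tls['cipher'] === '') {
    fwrite(STDERR, 'Connected, but the session is NOT encrypted' . PHP_EOL);
    exit(2);
}
printf("TLS OK: %s with %s\n", $tls['version'], $tls['cipher']);
```

The script exits non-zero when the connection fails verification or comes up unencrypted, so it can be run with the php CLI inside the container as a pre-flight check.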