No way to disable TLS for mysql CLI during schema load; php artisan migrate fails with self-signed cert (ERROR 2026) #57059
Description
Laravel Version
v12.10.2
PHP Version
8.4.12
Database Driver & Version
MySQL 8 (Docker image mysql:8); client on runner/container is Debian 13’s default-mysql-client or mariadb-client (both the same)
Description
After generating a schema dump with php artisan schema:dump --prune, running php artisan migrate fails while loading the dump because Laravel shells out to the mysql CLI (MySqlSchemaState::load). On Debian 13 the MySQL/MariaDB client enables TLS by default, which results in ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain. There is no config/flag in Laravel to disable TLS for this CLI call (PDO SSL options don’t apply to the external mysql process). A small, opt-in way to control SSL for the schema load path would solve this for CI/dev environments.
@taylorotwell commented the code path that would allow disabling SSL for the schema load CLI in commit 1bfad3
Steps To Reproduce
- Start MySQL 8 (e.g. Docker
mysql:8) with env:MYSQL_DATABASE=testing,MYSQL_ROOT_PASSWORD=password. - Run Laravel on Debian 13 (e.g. container based on
serversideup/php:8.4-unit) and install a MySQL client (apt-get install default-mysql-clientor Oraclemysql-client). - Generate a dump once:
php artisan schema:dump --prune(dump exists atdatabase/schema/mysql-schema.sql). - Ensure no PDO SSL env (e.g. no
MYSQL_ATTR_SSL_CA) to keep PDO non-TLS; this issue is about the CLI import. - Run
php artisan migrate. - Observe failure during “Loading stored database schemas” with:
ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain
because the invoked mysql CLI defaults to TLS and there is no way in Laravel to pass --ssl-mode=DISABLED (MySQL) / --ssl=OFF (MariaDB) for the schema load.