From a4e5ec7bd0b8d6f2932c408128bfb926d12235cb Mon Sep 17 00:00:00 2001
From: Chris Johnson <cjohnson@phase2technology.com>
Date: Mon, 9 Feb 2026 17:38:50 -0500
Subject: [PATCH 1/2] Configure drush to skip requiring ssl for remote db
 connections

Last week Docksal switched from bookworm to trixie as their base.
See https://github.com/docksal/service-cli/commit/63e34dba22acdd1f3a15f331e289c071b2397379

Bookworm was using MariaDB 10.11 for the client package while Trixie uses
MariaDB 11.8 for it. MariaDB at version 11.4 started defaulting to requiring SSL
for remote database connections.

See https://mariadb.com/docs/server/security/securing-mariadb/encryption/data-in-transit-encryption/securing-connections-for-client-and-server

With the db in a docker container even local development considers the db
to be remote. Thus requiring at least a self signed certificate for local
development as well as configuration to either ignore validation or to treat
the self signed certificate as valid.

Drush for doesn't honor flags disabling ssl in ~/.my.cnf or /etc/mysql/my.cnf
as far as I can tell and https://github.com/drush-ops/drush/issues/6355 seems
to validate. So this seems to be the best way to disable requiring SSL.
---
 src/Dockerfile                          | 3 +++
 src/home/docker/.drush/config/drush.yml | 7 +++++++
 2 files changed, 10 insertions(+)
 create mode 100644 src/home/docker/.drush/config/drush.yml

diff --git a/src/Dockerfile b/src/Dockerfile
index 05a5c24..89eda8d 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -73,6 +73,9 @@ RUN \
   # Also write yarn to the default-packages file to be installed with nvm
   . "$HOME"/.profile && echo "yarn" > "$NVM_DIR"/default-packages
 
+RUN mkdir -p /home/docker/.drush/config
+COPY ./home/docker/.drush/config/drush.yml /home/docker/.drush/config
+
 ENV PATH=$PATH:/var/www/vendor/bin
 # IMPORTANT! Switching back to the root user as the last instruction.
 USER root
diff --git a/src/home/docker/.drush/config/drush.yml b/src/home/docker/.drush/config/drush.yml
new file mode 100644
index 0000000..890d1fc
--- /dev/null
+++ b/src/home/docker/.drush/config/drush.yml
@@ -0,0 +1,7 @@
+  sql:
+    cli:
+      options:
+        extra: '--skip-ssl'
+    query:
+      options:
+        extra: '--skip-ssl'

From 462e967b79394967e6045d50689679272e3ae2e1 Mon Sep 17 00:00:00 2001
From: Chris Johnson <cjohnson@phase2technology.com>
Date: Tue, 10 Feb 2026 09:36:19 -0500
Subject: [PATCH 2/2] Defaulting some more commands to disable ssl.

Picked up this config from lagoon images.
https://github.com/uselagoon/lagoon-images/pull/1276/changes
https://github.com/uselagoon/lagoon-images/blob/main/images/php-cli-drupal/drush.yml

Testing seems to show that older versions of Drush ignores the options
they aren't familiar with. At least 12.5.3.0 does.
---
 src/home/docker/.drush/config/drush.yml | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/home/docker/.drush/config/drush.yml b/src/home/docker/.drush/config/drush.yml
index 890d1fc..22b2fe6 100644
--- a/src/home/docker/.drush/config/drush.yml
+++ b/src/home/docker/.drush/config/drush.yml
@@ -1,7 +1,23 @@
+command:
   sql:
     cli:
       options:
-        extra: '--skip-ssl'
+        extra: '--disable-ssl'
     query:
       options:
-        extra: '--skip-ssl'
+        extra: '--disable-ssl'
+    dump:
+      options:
+        extra: '--disable-ssl'
+        extra-dump: '--disable-ssl'
+    drop:
+      options:
+        extra: '--disable-ssl'
+    create:
+      options:
+        extra: '--disable-ssl'
+  site:
+    install:
+      options:
+        extra: '--disable-ssl'
+