If you’ve recently rebuilt a Docker image based on Alpine Linux and your app suddenly can’t connect to MySQL with SSL certificate errors, you’ve hit a breaking change in Alpine 3.23.

The error looks like this:

ActiveRecord::ConnectionNotEstablished (TLS/SSL error: self-signed certificate in certificate chain)

What Changed

Alpine 3.23 upgraded the MariaDB Connector/C library from version 3.3.x to 3.4.x. Version 3.4 now verifies SSL certificates by default, whereas 3.3 did not.

If your MySQL server uses a self-signed certificate (common with RDS, internal infrastructure, or development environments), the new connector will reject the connection.

The Fix

Add this environment variable to your application container:

MARIADB_TLS_DISABLE_PEER_VERIFICATION=1

For Docker Compose:

services:
  app:
    image: your-app-image
    environment:
      - MARIADB_TLS_DISABLE_PEER_VERIFICATION=1

For other platforms (Kubernetes, ECS, etc.), add the same environment variable to your app container.

Why ssl_mode=DISABLED Doesn’t Work

You might try setting ssl_mode=DISABLED in your DATABASE_URL:

DATABASE_URL=mysql2://user:pass@host/db?ssl_mode=DISABLED

This doesn’t work because ssl_mode controls whether the client requests SSL. If your MySQL server requires SSL (like RDS), the connection still uses SSL and the connector’s certificate verification runs.

Hope this helps!