louislam · RooHTaylor · Nov 18, 2025 · Nov 18, 2025 · Nov 18, 2025 · Nov 18, 2025
diff --git a/server/database.js b/server/database.js
@@ -165,7 +165,7 @@
      * Read the database config
      * @throws {Error} If the config is invalid
      * @typedef {string|undefined} envString
-     * @returns {{type: "sqlite"} | {type:envString, hostname:envString, port:envString, database:envString, username:envString, password:envString}} Database config
+     * @returns {{type: "sqlite"} | {type:envString, hostname:envString, port:envString, database:envString, username:envString, password:envString, ssl:boolean, ssl_ca:envString}} Database config
      */
     static readDBConfig() {
         let dbConfig;
@@ -185,13 +185,37 @@
 
     /**
      * @typedef {string|undefined} envString
-     * @param {{type: "sqlite"} | {type:envString, hostname:envString, port:envString, database:envString, username:envString, password:envString}} dbConfig the database configuration that should be written
+     * @param {{type: "sqlite"} | {type:envString, hostname:envString, port:envString, database:envString, username:envString, password:envString, ssl:boolean, ssl_ca:envString}} dbConfig the database configuration that should be written
      * @returns {void}
      */
     static writeDBConfig(dbConfig) {
         fs.writeFileSync(path.join(Database.dataDir, "db-config.json"), JSON.stringify(dbConfig, null, 4));
     }
 
+    /**
+     * Conditionally generates the MySQL SSL configuration object.
+     * @param {{type: "sqlite"} | {type:envString, hostname:envString, port:envString, database:envString, username:envString, password:envString, ssl:boolean, ssl_ca:envString}} dbConfig the database configuration
+     * @returns {{ssl: object} | undefined} An object containing the ssl configuration, or undefined if SSL is not enabled.
+     */
+    static getSslConfig(dbConfig) {
+        if (!dbConfig.ssl) {
+            return undefined;
+        }
+
+        const sslOptions = {};
+        if (dbConfig.ssl_ca) {
+            try {
+                sslOptions.ca = fs.readFileSync(dbConfig.ssl_ca, "utf8");
+            } catch (error) {
+                log.warn("db", `Failed to read CA file from ${dbConfig.ssl_ca}: ${error.message}`);
+                sslOptions.rejectUnauthorized = false;
-                log.warn("db", `Failed to read CA file from ${dbConfig.ssl_ca}: ${error.message}`);
-                sslOptions.rejectUnauthorized = false;
+                log.error("db", `Failed to read CA file from ${dbConfig.ssl_ca}: ${error.message}`);
+                throw new Error(`Failed to read database SSL CA file from ${dbConfig.ssl_ca}: ${error.message}`);
-                log.warn("db", `Failed to read CA file from ${dbConfig.ssl_ca}: ${error.message}`);
-                sslOptions.rejectUnauthorized = false;
+                log.error("db", `Failed to read CA file from ${dbConfig.ssl_ca}: ${error.message}`);
+                throw new Error(`Failed to read database SSL CA file from ${dbConfig.ssl_ca}: ${error.message}`);
+            }
+        } else {
+            sslOptions.rejectUnauthorized = false;
+        }
-        if (dbConfig.ssl_ca) {
-            try {
-                sslOptions.ca = fs.readFileSync(dbConfig.ssl_ca, "utf8");
-            } catch (error) {
-                log.warn("db", `Failed to read CA file from ${dbConfig.ssl_ca}: ${error.message}`);
-                sslOptions.rejectUnauthorized = false;
-            }
-        } else {
-            sslOptions.rejectUnauthorized = false;
-        }
+
+        // Default to secure behavior: verify certificates unless explicitly disabled.
+        let rejectUnauthorized = true;
+        const rejectEnv = process.env.UPTIME_KUMA_DB_SSL_REJECT_UNAUTHORIZED;
+        if (typeof rejectEnv === "string" && rejectEnv.toLowerCase() === "false") {
+            rejectUnauthorized = false;
+        }
+
+        if (dbConfig.ssl_ca) {
+            try {
+                sslOptions.ca = fs.readFileSync(dbConfig.ssl_ca, "utf8");
+            } catch (error) {
+                log.warn("db", `Failed to read CA file from ${dbConfig.ssl_ca}: ${error.message}`);
+            }
+        }
+
+        sslOptions.rejectUnauthorized = rejectUnauthorized;
-        if (dbConfig.ssl_ca) {
-            try {
-                sslOptions.ca = fs.readFileSync(dbConfig.ssl_ca, "utf8");
-            } catch (error) {
-                log.warn("db", `Failed to read CA file from ${dbConfig.ssl_ca}: ${error.message}`);
-                sslOptions.rejectUnauthorized = false;
-            }
-        } else {
-            sslOptions.rejectUnauthorized = false;
-        }
+
+        // Default to secure behavior: verify certificates unless explicitly disabled.
+        let rejectUnauthorized = true;
+        const rejectEnv = process.env.UPTIME_KUMA_DB_SSL_REJECT_UNAUTHORIZED;
+        if (typeof rejectEnv === "string" && rejectEnv.toLowerCase() === "false") {
+            rejectUnauthorized = false;
+        }
+
+        if (dbConfig.ssl_ca) {
+            try {
+                sslOptions.ca = fs.readFileSync(dbConfig.ssl_ca, "utf8");
+            } catch (error) {
+                log.warn("db", `Failed to read CA file from ${dbConfig.ssl_ca}: ${error.message}`);
+            }
+        }
+
+        sslOptions.rejectUnauthorized = rejectUnauthorized;
+        return { ssl: sslOptions };
+    }
+
     /**
      * Connect to the database
      * @param {boolean} testMode Should the connection be started in test mode?
@@ -284,6 +308,7 @@
                 port: dbConfig.port,
                 user: dbConfig.username,
                 password: dbConfig.password,
+                ...Database.getSslConfig(dbConfig),
             });
 
             // Set to true, so for example "uptime.kuma", becomes `uptime.kuma`, not `uptime`.`kuma`
@@ -302,6 +327,7 @@
                     password: dbConfig.password,
                     database: dbConfig.dbName,
                     timezone: "Z",
+                    ...Database.getSslConfig(dbConfig),
                     typeCast: function (field, next) {
                         if (field.type === "DATETIME") {
                             // Do not perform timezone conversion

diff --git a/server/setup-database.js b/server/setup-database.js
@@ -102,6 +102,8 @@ class SetupDatabase {
             dbConfig.dbName = process.env.UPTIME_KUMA_DB_NAME;
             dbConfig.username = getEnvOrFile("UPTIME_KUMA_DB_USERNAME");
             dbConfig.password = getEnvOrFile("UPTIME_KUMA_DB_PASSWORD");
+            dbConfig.ssl = process.env.UPTIME_KUMA_DB_SSL === "1";
+            dbConfig.ssl_ca = process.env.UPTIME_KUMA_DB_SSL_CA;
             Database.writeDBConfig(dbConfig);
         }
     }
@@ -239,6 +241,7 @@ class SetupDatabase {
                             user: dbConfig.username,
                             password: dbConfig.password,
                             database: dbConfig.dbName,
+                            ...Database.getSslConfig(dbConfig),
                         });
                         await connection.execute("SELECT 1");
                         connection.end();