The recent release of mariadb-11.4.2 creates a quite annoying issue, the installation script will create /var/lib/misc/.mariadb_run_upgrade, since a mysql_upgrade should be done with the version change.

The next time systemd tries to start mariadb /usr/libexec/mysql/mysql-systemd-helper sees that .mariadb_run_upgrade exists, and that enables the upgrade flag.

Here comes the problem, since mariadb 11.3 the upgrade function has ssl verification enabled by default.

So if the mariadb server has any self-signed cert, any custom cert, or the hostname doesn't match, the verification will fail. And hence the upgrade and the script will fail.

mysql_upgrade will refuse the connection, and the script isn't designed to handle this.

--disable-ssl-verify-server-cert should be passed by default in the script

In line 119: "if /usr/bin/mysql_upgrade --disable-ssl-verify-server-cert"


And i don't know if the mysqladmin behaves in he same way (didn't check).

I think in some situations the .mariadb_run_upgrade may not be deleted too, even if the upgrade finished, that could cause a loop that will cause the upgrade script to run everytime mariadb is started from systemd, which is what happened to me and i had to delete the .mariadb_run_upgrade manually, but i'm not sure why. (i did the upgrade manually afterwards)