Database ssl support

[RooHTaylor]

What problem does this pull request address?

This pull request solves the issue of unencrypted database traffic to an external MariaDB/MySQL database for the Uptime-Kuma back-end database.

Please provide a detailed explanation here.

When connecting to an external MariaDB database as the back-end database, SSL is not an option. This isn't an issue if the database is on the host, but if the database server is not local then best practice would dictate encryption be used.

I'm not a Node programmer, and I didn't have a wealth of time to invest into the functionality, so hopefully this is good enough.

My changes allow for SSL encryption between Uptime-Kuma and a MariaDB database, with the option of providing a CA certificate to verify the server. I did not implement sending client certificates, though my code could easily be expanded to include this in the function to generate the sslOptions.

The change adds two new environment variable options - UPTIME_KUMA_DB_SSL which should be true to enable ssl, and optionally UPTIME_KUMA_DB_SSL_CA which should be the path to the trusted CA certificate for verification. If a CA is not provided or cannot be opened, but SSL is toggled on, then rejectUnauthorized = false is set by default, which will not validate the server certificate.

I was torn between failing to connect if a CA is provided but unavailable (i.e. can't open file), and ended up settling on logging an error and turning off verification. I'm still torn on whether this is the right method, but it's what the code says right now, and it can be changed if someone disagrees.

The change also adds two entries to the dbConfig.json file: ssl:boolean, ssl_ca:envString.

If those options are false or not set, then the database connection happens as normal.

• Resolves Add TLS/SSL support for MariaDB/MySQL connections via Docker Compose #6224
• Resolves MariaDB allow secure connection #5900
• May resolve Cannot connect to azure mysql flexible server while --require_secure_transport=ON #5344 if the issue is describing the back-end database connection and not a monitoring connection - I can't tell from the description/comments. But if it is the back-end database, this should satisfy the require_secure_transport condition.

🛠️ Type of change

• 🐛 Bugfix (a non-breaking change that resolves an issue)
• ✨ New feature (a non-breaking change that adds new functionality)
• ⚠️ Breaking change (a fix or feature that alters existing functionality in a way that could cause issues)
• 🎨 User Interface (UI) updates
• 📄 New Documentation (addition of new documentation)
• 📄 Documentation Update (modification of existing documentation)
• 📄 Documentation Update Required (the change requires updates to related documentation)
• 🔧 Other (please specify):
  • Provide additional details here.

📄 Checklist

• 🔍 My code adheres to the style guidelines of this project.
• 🦿 I have indicated where (if any) I used an LLM for the contributions
• ✅ I ran ESLint and other code linters for modified files.
  I couldn't get ESLint working. If this is a critical step I'll try to carve out some time for it.
• [~] 🛠️ I have reviewed and tested my code.
  I have only tested in my environment, which is bare metal Debian 13 running Node 24.11.0
  I don't use Docker, but I can't think of a reason why this wouldn't work in the Docker deployment.
• 📝 I have commented my code, especially in hard-to-understand areas (e.g., using JSDoc for methods).
• ⚠️ My changes generate no new warnings.
• 🤖 My code needed automated testing. I have added them (this is an optional task).
• 📄 Documentation updates are included (if applicable).
  Documentation changes will need to be in the wiki after the PR is merged. Not sure where to include them
• 🔒 I have considered potential security impacts and mitigated risks.
• 🧰 Dependency updates are listed and explained.
• 📚 I have read and understood the Pull Request guidelines.