"The certificate chain was issued by an authority that is not trusted" when connecting DB in VM Role from Azure website

Question

I am experiencing an error when connecting MY DB which is in VM Role (I have SQL VM Role) from Azure Website. Both VM Role and Azure Website are in West zone. I am facing the following issue:

SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)]

I am able to connect to my DB using SSMS. Port 1433 is open on my VM role. What is wrong with my connection?

Answer 1

2022 Update - This answer (as comments point out) provides an explanation and stop gap, but also offers some better recommendations including purchasing and installing a proper cert (thanks to numerous community edits).

Please see also the other highly voted answers in this thread, including the one by @Alex From Jitbit below about a breaking change when migrating from System.Data.Sql to Microsoft.Data.Sql (spoiler: Encrypt is now set to true by default).

Original answer:

You likely don't have a CA signed certificate installed in your SQL VM's trusted root store.

If you have Encrypt=True in the connection string, either set that to off (not recommended), or add the following in the connection string (also not recommended):

TrustServerCertificate=True

SQL Server will create a self-signed certificate if you don't install one for it to use, but it won't be trusted by the caller since it's not CA-signed, unless you tell the connection string to trust any server cert by default.

Long term, I'd recommend leveraging Let's Encrypt to get a CA signed certificate from a known trusted CA for free, and install it on the VM. Don't forget to set it up to automatically refresh. You can read more on this topic in SQL Server books online under the topic of "Encryption Hierarchy", and "Using Encryption Without Validation".

Answer 2

I decided to add another answer, because this post pops-up as the first Google result for this error.

If you're getting this error after January 2022, possibly after migrating from System.Data.SqlClient to Microsoft.Data.SqlClient or just updating Microsoft.Data.SqlClient to version 4.0.0 or later, it's because MS has introduced a breaking change:

https://learn.microsoft.com/sql/connect/ado-net/introduction-microsoft-data-sqlclient-namespace?view=sql-server-ver15#breaking-changes-in-40

Breaking changes in 4.0

Changed Encrypt connection string property to be true by default.

The default value of the Encrypt connection setting has been changed from false to true. With the growing use of cloud databases and the need to ensure those connections are secure, it's time for this backwards-compatibility-breaking change.

Ensure connections fail when encryption is required

In scenarios where client encryption libraries were disabled or unavailable, it was possible for unencrypted connections to be made when Encrypt was set to true or the server required encryption.

The change was made in this SqlClient pull-request in August 2021, where there is additional discussion about the change.

The quick-fix is to add Encrypt=False to your connection-strings.

Answer 3

If you're using SQL Management Studio, please goto connection properties and click on "Trust server certificated"

Answer 4

If you're seeing this error message when attempting to connect using SSMS, add TrustServerCertificate=True to the Additional Connection Parameters.

Answer 5

I was getting this message in Entity Framework migrations. I was able to connect with Win Auth to the Sql Server and create table manually. But EF wouldn't work. This connection string finally worked

Server=MyServerName;Database=MyDbName;Trusted_Connection=SSPI;Encrypt=false;TrustServerCertificate=true

Answer 6

I added this 2 lines to the ConnectionString and it worked

Trusted_Connection=True
TrustServerCertificate=True

Answer 7

"ConnectionStrings": {
    "DefaultConnection": "Server=DESKTOP-O5SR0H0\\SQLEXPRESS;Database=myDataBase;Trusted_Connection=True;TrustServerCertificate=True;"
  }
}

Answer 8

If you use EF Core 7 there is a breaking change that explained in the official Microsoft doc https://learn.microsoft.com/en-us/ef/core/what-is-new/ef-core-7.0/breaking-changes#encrypt-defaults-to-true-for-sql-server-connections

Answer 9

While the general answer was in itself correct, I found it did not go far enough for my SQL Server Import and Export Wizard orientated issue. Assuming you have a valid (and automatic) Windows Security based login:

ConnectionString

Data Source=localhost; 
Initial Catalog=<YOUR DATABASE HERE>; 
Integrated Security=True; 
Encrypt=True; 
TrustServerCertificate=True; 
User Instance=False

That can either be your complete ConnectionString (all on one line), or you can apply those values individually to their fields.

Answer 10

Turn off encryption in the connection string. You can achieve this by appending the following to your connection string:

encrypt=false

Answer 11

PM> Scaffold-DbContext "Server=localhost;Database=BookStoresDB;Trusted_Connection=True;TrustServerCertificate=True" Microsoft.EntityFrameworkCore.SqlServer -OutputDir Models

Using "TrustServerCertificate=True" solved Error "A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)"

Answer 12

Add Encrypt=False to your connection string and that's it

Answer 13

If You are trying to access it through Data Connections in Visual Studio 2015, and getting the above Error, Then Go to Advanced and set TrustServerCertificate=True for error to go away.

Answer 14

In my case, it wasn't enough to extend the connection string by
Encrypt=false;TrustServerCertificate=true;

I still had to type in the NuGet console:

update-database -verbose

Answer 15

If you use Version 18 and access via pyodbc, it is "TrustServerCertificate=yes", you need to add to the connection

Answer 16

I got this Issue while importing Excel data into SQLDatabase through SSMS. The solution is to set TrustServerCertificate = True in the security section

Answer 17

For those who don't like the TrustServerCertificate=True answer, if you have sufficient access you can export the SQL Server certificate and install where you're trying to connect from. This probably doesn't work for a SQL Server self-generated certificate but if you used something like New-SelfSignedCertificate you can use MMC to export the certificate, then MMC on the client to import it.

On SQL Server:

• In MMC add the certificate Snap-In
• Browse to Certificates > Personal > Certificate
• Select the new certificate, right-click, and select All Tasks > Manage Private Keys (this step and the following is part of making the key work with SQL server)
• Add the identity running SQL Server (look the identity up in Services if in doubt) with READ permission.
• Select the new certificate, right-click, and select All Tasks > Export...
• Use default settings and save as a file.

On the client:

• Use MMS with the same snap-in choices and in Certificates > Trusted Root Certification Authorities right-click Certificates and select All Tasks > Import...
• Import the previously exported file

(I was doing everything on the same server and still had issues with SSMS complaining until I restarted the SQL instance. Then I could connect encrypted without the Trust... checkbox checked)

Answer 18

When you are using SqlPackage.exe, the Encrypt=False in your connectionstring is ignored.

Add /TargetTrustServerCertificate:true to the SqlPackage command to fix this issue.

Answer 19

In my case i have chaged multiple time in appsettings.json but not changing in the development version of appsettingsDevelpment.json. after change the developemnt version of appsettings its works fine.

"ConnectionStrings": {
    "DefaultConnection": "Server=DESKTOP-M08SV8P;Database=ActivityProject;Trusted_Connection=True;TrustServerCertificate=True;"
  },

Answer 20

If you are using any connection attributes mentioned in the answers, the values accepted are yes/no , if true/false doesn't seem to work.

TrustServerCertificate - Accepts the strings "yes" and "no" as values. The default value is "no", which means that the server certificate will be validated.

Using ODBC 18.0 - hope it helps.

Connection String Attributes

Answer 21

I had the same issue after migrating a project from .NET 5 to .NET 6. I have tried suggested solutions (either TrustServerCertificate=True or Encrypt=False) and they worked as expected but I had a limitation to not change connection string. So if that is the case, you can still use System.Data.SqlClient as a nuget package. Like explained here it is still maintained but all the new stuff will go to Microsoft.Data.SqlClient.

Answer 22

In simple this is enough,if you are running locally

"ConnectionString": "Data Source=(local);Initial Catalog=BlazorDashboardDb;TrustServerCertificate=True;Integrated Security=True;",

TrustServerCertificate makes SSL handling Integrated Security makes windows validation,if sql authentication the add parameter as "User ID=adminUsername;Password=adminSecretPasswordwhatever"

TO cover all sceanrio then below helps "Data Source=(local);Initial Catalog=BlazorDashboardDb;TrustServerCertificate=True;Trusted_Connection=True;Integrated Security=True;MultipleActiveResultSets=true;Encrypt=True;"

Trusted_Connection is for trusting the mode of connection Encrypt is for crednetials

Connecting to server(az-sql) ex: "Server=tcp:firstserver.database.windows.net,1433;Initial Catalog=First;Persist Security Info=False;User ID=adminUsername;Password=adminSecretPasswordwhatever;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;Connection Timeout=30;"

Answer 23

I ran into this error trying to run the profiler, even though my connection had Trust server certificate checked and I added TrustServerCertificate=True in the Advanced Section. I changed to an instance of SSMS running as administrator and the profiler started with no problem. (I previously had found that when my connections even to local took a long time to connect, running as administrator helped).

Answer 24

Got hit by the same issue while accessing SQLServer from IIS. Adding TrustServerCertificate=True did not help.

Could see a comment in MS docs: Make sure the SQLServer service account has access to the TLS Certificate you are using. (NT Service\MSSQLSERVER)

Open personal store and right click on the certificate -> manage private keys -> Add the SQL service account and give full control.

Restart the SQL service. It worked.

Answer 25

Short notice. If you're using AWS RDS you can get the certificates from truststore.pki.rds.amazonaws.com. Details with particular links can be found in this documentation: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html.

Simply download the appropriate certificate and install it on your host.

Answer 26

If you have created an ODBC connection to the server (using ODBC Driver 18 for SQL server) in ODBC settings (32 or 64), configure the connection and press Next 3 times. In the final screen, there is a "Trust server certificate" checkbox in the middle. Set it to checked. That will do the trick. Adding "TrustServerCertificate=True" to the connectionstring as suggested in other answers did not work for me.

Answer 27

Alternatively, create a Service Master Key (SMK) based on an exported server certficate from your MMC console - export as a pfx with a password. Using that certificate, engage in the following steps

CREATE MASTER KEY ENCRYPTION BY PASSWORD='Password1234!@#$'

From you exported certificate, run the batch file

@echo off 
echo Create a new password at the pop-up. 
echo This is NOT the same as the one you provided above. 
echo You'll be asked to create, confirm and re-enter the password (total 3 times) 
echo Creating Certificate (CER) and Key (PVK). 
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\x64\makecert.exe" -sv %1.pvk -n "CN=%2" %1.cer 
echo On prompt, again (4th and last time) provide the password you just created. 
echo Merging the two files into a PFX now. 
"C:\Program Files (x86)\Windows Kits\8.0\bin\x64\pvk2pfx.exe" -pvk %1.pvk -spc %1.cer -pfx %1.pfx -po %3

CREATE YOUR ASSYMETRIC KEY

CREATE CERTIFICATE MYDB_ASYMMETRIC_CA_KEY  FROM FILE='C:\MYDB_ASSYMETRIC_CA_KEY.cer'
  WITH PRIVATE KEY(FILE='C:\ MYDB_ASSYMETRIC_CA_KEY.pvk'
  DECRYPTION BY PASSWORD='Password1234!@#$'); 

For redundancy, check that your master key is in place... it is a must

ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD='Password1234!@#$'

NOW CREATE THE ACTUAL KEY

CREATE CERTIFICATE MYDB_ASYMMETRIC_CA_KEY FROM FILE='c:\MYDB_ASYMMETRIC_CA_KEY.cer' 
WITH PRIVATE KEY (FILE='C:\MYDB_ASYMMETRIC_CA_KEY.pvk',
DECRYPTION BY PASSWORD='Password1234!@#$');

ALWAYS ALWAYS Backup your certificate in the event you need to move to another server. You'll need it to decrypt your backup files

BACKUP CERTIFICATE MYDB_ASYMMETRIC_CA_KEY TO FILE='MYDB_ASYMMETRIC_CA_KEY_BACKUP.bkp' 
WITH PRIVATE KEY(FILE='MYDB_ASYMMETRIC_CA_KEY_BACKUP.bkp',
ENCRYPTION BY PASSWORD='Password1234!@#$'); 

CREATE Database Level Encryption to wrangle in your certificate

CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM=AES_256
ENCRYPTION BY SERVER CERTIFICATE MYDB_ASYMMETRIC_CA_KEY

Check the steps above before going to the next step as from here on in, your database will be encrypted with an Assymentric Key - if you haven't backed it up (the key) and you try to restore from another server, it won't be possible without all the above steps in place.

On another database - for example a Staging Database - Restore the Master key from the certificate.

You have your Service Master Key in place, to encrypt the database, you need to encrypt the Database Master Key as this allows the export of the database to another server using the certificate you've created above.

TESTING THE Certificate by importing to another server

RESTORE MASTER KEY FROM FILE='C:\ MYDB_ASSYMETRIC_CA_KEY_BACKUP'
 DECRYPTION BY PASSWORD='Password1234!@#$', ENCRYPTION BY PASSWORD='Password1234!@#$'
 ,[FORCE]

Check to see if the Content exists on the alternate server (this will work on the primary as well)

USE [AUTHORIZATION]; 
 IF NOT EXISTS ( SELECT
 1
 FROM
 sys.dm_database_encryption_keys
 WHERE
 DB_NAME(database_id) = DB_NAME() )
 SELECT
 DB_NAME() AS [Database Name]
 ,'No database encryption key present, no encryption' AS [Encryption
 State] 
 ELSE
 SELECT
 DB_NAME(database_id) AS [Database Name]
 ,CASE encryption_state
 WHEN 0 THEN 'No database encryption key present, no encryption'
 WHEN 1 THEN 'Unencrypted'
 WHEN 2 THEN 'Encryption in progress'
 WHEN 3 THEN 'Encrypted'
 WHEN 4 THEN 'Key change in progress'
 WHEN 5 THEN 'Decryption in progress'
 WHEN 6 THEN 'Protection change in progress'
 END AS [Encryption State]
 FROM
 sys.dm_database_encryption_keys
 WHERE
 DB_NAME(database_id) = DB_NAME(); 

Answer 28

Guid on how to make encrypt = False using SSMS. Only for local development purpose. Not recommended for production use cases.

1. Click on options>>
2. As shown in the pic, de-select Encrypt connection.
3. Click connect. <<** boom **>>.

Answer 29

The same can be achieved from ssms client itself. Just open the ssms, insert the server name and then from options under heading connection properties make sure Trust server certificate is checked.

Answer 30

I was getting the same error when trying to connect to MS SQL Server instance hosted on Google Cloud Platform using SSMS with unchecked Trust server certificate under the connection properties tab. I managed to trust the certificate by importing the GCP's provided certificate's authority to my local computer's list of Trusted Root Certification Authorities.

Read full description and resolution here.

Answer 31

Well in my case the Database was bad. When I re created a new database name the error got resolved. It's an error coming from SQL Server database. Try re creating a new database.