"The certificate chain was issued by an authority that is not trusted" when connecting DB in VM Role from Azure website

Question

I am experiencing an error when connecting MY DB which is in VM Role (I have SQL VM Role) from Azure Website. Both VM Role and Azure Website are in West zone. I am facing the following issue:

SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)]

I am able to connect to my DB using SSMS. Port 1433 is open on my VM role. What is wrong with my connection?

Answer 1

I can't believe i can contribute to this question but here it goes:

None of the answers worked for me. Not a single one. What worked was -

In visual studio publish page -> More Actions -> Edit -> Expand "Databases" -> Check "Use this connection string at runtime" Now publish and it might work for you.

Answer 2

I Got the same error in SQL Server Data Tools (SSDT) for Visual Studio.

===================================

Encryption was enabled on this connection, review your SSL and certificate configuration for the target SQL Server, or enable 'Trust server certificate' in the connection dialog"

------------------------------
For help, click: https://aka.ms/ssdt

===================================

A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.) (Framework Microsoft SqlClient Data Provider)

The solution is given in the error message but we have to concentrate on it. As shown in the following screenshot. The error was resolved after selecting the Trust server certificate option to true, Since I have not installed a certificate.

Answer 3

"ConnectionStrings": {
    "DefaultConnection": "Server=DESKTOP-O5SR0H0\\SQLEXPRESS;Database=myDataBase;Trusted_Connection=True;TrustServerCertificate=True;"
  }
}

Answer 4

If you are trying to access it through Data Connections in Visual Studio 2015, and getting the error above, Then Go to Advanced and set TrustServerCertificate=True for the error to go away.

Answer 5

If you're using SQL Management Studio, please go to Connection Properties and check "Trust server certificate".

Answer 6

SqlException: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.

Answer is must add TrustServerCertificate=True in your SQL server connection string.

Answer 7

Working in .NET SDK 8.0 with the following two different connection strings,

"ConnectionStrings": {
    "DefaultConnectionMSSQLNoCred": "Server=DESKTOP-99Q87I2\\MSSQLSERVER2017;Database=WebAPIGenericCRUD;Trusted_Connection=True;MultipleActiveResultSets=true;TrustServerCertificate=true",
    "connMSSQL": "Server=DESKTOP-99Q87I2\\MSSQLSERVER2017;Database=WebAPIGenericCRUD;User ID=sa;Password=dev123456;MultipleActiveResultSets=true;TrustServerCertificate=true"
  }

1. First connect string is Windows authentication
2. Second one is SQL Server authentication

You have to add this additional parameter, MultipleActiveResultSets=true

Answer 8

If this issue you are encountering in .NET 8/C# environment:

When you are checking for 'TrustServerCertificate=True', make sure you check on both SQLServer table(related to your connection string) & also the 'appsettings.json' of your application project where you suspect an issue (mostly it has do be with the security related project of your application or check your logs to find the root path)

If that is missing, add it so it is in both places.

Answer 9

Guide on how to make encrypt = False using SSMS. Only for local development purposes. Not recommended for production use cases.

1. Click on options>>
2. As shown in the pic, de-select the Encrypt connection.
3. Click connect. <<** boom **>>.

Answer 10

If you want to absolutely abandon all security:

While the general answer was in itself correct, I found it did not go far enough for my SQL Server Import and Export Wizard orientated issue. Assuming you have a valid (and automatic) Windows Security based login:

ConnectionString

Data Source=localhost; 
Initial Catalog=<YOUR DATABASE HERE>; 
Integrated Security=True; 
Encrypt=True; 
TrustServerCertificate=True; 
User Instance=False

That can either be your complete ConnectionString (all on one line), or you can apply those values individually to their fields.

Answer 11

I decided to add another answer, because this post pops-up as the first Google result for this error.

If you're getting this error after January 2022, possibly after migrating from System.Data.SqlClient to Microsoft.Data.SqlClient or just updating Microsoft.Data.SqlClient to version 4.0.0 or later, it's because MS has introduced a breaking change:

https://docs.microsoft.com/sql/connect/ado-net/introduction-microsoft-data-sqlclient-namespace?view=sql-server-ver15#breaking-changes-in-40

Breaking changes in 4.0

Changed Encrypt connection string property to be true by default.

The default value of the Encrypt connection setting has been changed from false to true. With the growing use of cloud databases and the need to ensure those connections are secure, it's time for this backwards-compatibility-breaking change.

Ensure connections fail when encryption is required

In scenarios where client encryption libraries were disabled or unavailable, it was possible for unencrypted connections to be made when Encrypt was set to true or the server required encryption.

The change was made in this SqlClient pull-request in August 2021, where there is additional discussion about the change.

The quick-fix is to add Encrypt=false to your connection-strings.

Answer 12

In my case, I have changed multiple times in appsettings.json, but not in the development version of appsettings.Develpment.json. After change the development version of appsettings. it worked fine.

"ConnectionStrings": {
    "DefaultConnection": "Server=DESKTOP-M08SV8P;Database=ActivityProject;Trusted_Connection=True;TrustServerCertificate=True;"
},

Answer 13

In addition to the detailed information provided in other answers, if one is using PowerShell and needs to connect using the Invoke-Sqlcmd cmdlet then one of the easiest/quickest options to overcome this error is to use the -TrustServerCertificate switch:

Note: Just the -TrustServerCertificate switch without "=True".

For example:

invoke-sqlcmd -ServerInstance $your_srv -Query $your_query -ConnectionTimeout 5 -TrustServerCertificate

• above query assumes you're using AD/Windows Authentication.

Disclaimer: the installation of the appropriate certificates should not be compromised in order to maintain security.

HTH.

Answer 14

This answer provides an explanation and stop gap, but also offers some better recommendations including purchasing and installing a proper certificate.

Please see also the other highly voted answers in this thread, including this answer by Alex From Jitbit, about a breaking change when migrating from System.Data.Sql to Microsoft.Data.Sql (spoiler: Encrypt is now set to true by default).

---

You likely don't have a Certificate Authority(CA)-signed certificate installed in your SQL VM's trusted root store.

If you have Encrypt=True in the connection string, either set that to off (not recommended), or add the following in the connection string (also not recommended):

TrustServerCertificate=True

SQL Server will create a self-signed certificate if you don't install one for it to use, but it won't be trusted by the caller since it's not CA-signed, unless you tell the connection string to trust any server cert by default.

Long term, I'd recommend leveraging Let's Encrypt to get a CA-signed certificate from a known trusted CA for free, and install it on the VM. Don't forget to set it up to automatically refresh. You can read more on this topic in SQL Server books online under the topic of "Encryption Hierarchy", and "Using Encryption Without Validation".

Answer 15

In simple this is enough,if you are running locally

"ConnectionString": "Data Source=(local);Initial Catalog=BlazorDashboardDb;TrustServerCertificate=True;Integrated Security=True;",

TrustServerCertificate makes SSL handling Integrated Security makes windows validation,if sql authentication the add parameter as "User ID=adminUsername;Password=adminSecretPasswordwhatever"

TO cover all sceanrio then below helps "Data Source=(local);Initial Catalog=BlazorDashboardDb;TrustServerCertificate=True;Trusted_Connection=True;Integrated Security=True;MultipleActiveResultSets=true;Encrypt=True;"

Trusted_Connection is for trusting the mode of connection Encrypt is for crednetials

Connecting to server(az-sql) ex: "Server=tcp:firstserver.database.windows.net,1433;Initial Catalog=First;Persist Security Info=False;User ID=adminUsername;Password=adminSecretPasswordwhatever;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;Connection Timeout=30;"

Answer 16

When you are using SqlPackage.exe, the Encrypt=False in your connectionstring is ignored.

Add /TargetTrustServerCertificate:true to the SqlPackage command to fix this issue.

Answer 17

PM> Scaffold-DbContext "Server=localhost;Database=BookStoresDB;Trusted_Connection=True;TrustServerCertificate=True" Microsoft.EntityFrameworkCore.SqlServer -OutputDir Models

Using "TrustServerCertificate=True" solved Error "A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)"

Answer 18

Alternatively, create a Service Master Key (SMK) based on an exported server certficate from your MMC console - export as a pfx with a password. Using that certificate, engage in the following steps

CREATE MASTER KEY ENCRYPTION BY PASSWORD='Password1234!@#$'

From you exported certificate, run the batch file

@echo off 
echo Create a new password at the pop-up. 
echo This is NOT the same as the one you provided above. 
echo You'll be asked to create, confirm and re-enter the password (total 3 times) 
echo Creating Certificate (CER) and Key (PVK). 
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\x64\makecert.exe" -sv %1.pvk -n "CN=%2" %1.cer 
echo On prompt, again (4th and last time) provide the password you just created. 
echo Merging the two files into a PFX now. 
"C:\Program Files (x86)\Windows Kits\8.0\bin\x64\pvk2pfx.exe" -pvk %1.pvk -spc %1.cer -pfx %1.pfx -po %3

CREATE YOUR ASSYMETRIC KEY

CREATE CERTIFICATE MYDB_ASYMMETRIC_CA_KEY  FROM FILE='C:\MYDB_ASSYMETRIC_CA_KEY.cer'
  WITH PRIVATE KEY(FILE='C:\ MYDB_ASSYMETRIC_CA_KEY.pvk'
  DECRYPTION BY PASSWORD='Password1234!@#$'); 

For redundancy, check that your master key is in place... it is a must

ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD='Password1234!@#$'

NOW CREATE THE ACTUAL KEY

CREATE CERTIFICATE MYDB_ASYMMETRIC_CA_KEY FROM FILE='c:\MYDB_ASYMMETRIC_CA_KEY.cer' 
WITH PRIVATE KEY (FILE='C:\MYDB_ASYMMETRIC_CA_KEY.pvk',
DECRYPTION BY PASSWORD='Password1234!@#$');

ALWAYS ALWAYS Backup your certificate in the event you need to move to another server. You'll need it to decrypt your backup files

BACKUP CERTIFICATE MYDB_ASYMMETRIC_CA_KEY TO FILE='MYDB_ASYMMETRIC_CA_KEY_BACKUP.bkp' 
WITH PRIVATE KEY(FILE='MYDB_ASYMMETRIC_CA_KEY_BACKUP.bkp',
ENCRYPTION BY PASSWORD='Password1234!@#$'); 

CREATE Database Level Encryption to wrangle in your certificate

CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM=AES_256
ENCRYPTION BY SERVER CERTIFICATE MYDB_ASYMMETRIC_CA_KEY

Check the steps above before going to the next step as from here on in, your database will be encrypted with an Assymentric Key - if you haven't backed it up (the key) and you try to restore from another server, it won't be possible without all the above steps in place.

On another database - for example a Staging Database - Restore the Master key from the certificate.

You have your Service Master Key in place, to encrypt the database, you need to encrypt the Database Master Key as this allows the export of the database to another server using the certificate you've created above.

TESTING THE Certificate by importing to another server

RESTORE MASTER KEY FROM FILE='C:\ MYDB_ASSYMETRIC_CA_KEY_BACKUP'
 DECRYPTION BY PASSWORD='Password1234!@#$', ENCRYPTION BY PASSWORD='Password1234!@#$'
 ,[FORCE]

Check to see if the Content exists on the alternate server (this will work on the primary as well)

USE [AUTHORIZATION]; 
 IF NOT EXISTS ( SELECT
 1
 FROM
 sys.dm_database_encryption_keys
 WHERE
 DB_NAME(database_id) = DB_NAME() )
 SELECT
 DB_NAME() AS [Database Name]
 ,'No database encryption key present, no encryption' AS [Encryption
 State] 
 ELSE
 SELECT
 DB_NAME(database_id) AS [Database Name]
 ,CASE encryption_state
 WHEN 0 THEN 'No database encryption key present, no encryption'
 WHEN 1 THEN 'Unencrypted'
 WHEN 2 THEN 'Encryption in progress'
 WHEN 3 THEN 'Encrypted'
 WHEN 4 THEN 'Key change in progress'
 WHEN 5 THEN 'Decryption in progress'
 WHEN 6 THEN 'Protection change in progress'
 END AS [Encryption State]
 FROM
 sys.dm_database_encryption_keys
 WHERE
 DB_NAME(database_id) = DB_NAME(); 

Answer 19

Add Encrypt=False to your connection string and that's it

Answer 20

In my case, it wasn't enough to extend the connection string by
Encrypt=false;TrustServerCertificate=true;

I still had to type in the NuGet console:

update-database -verbose

Answer 21

If you use EF Core 7 there is a breaking change that explained in the official Microsoft doc https://learn.microsoft.com/en-us/ef/core/what-is-new/ef-core-7.0/breaking-changes#encrypt-defaults-to-true-for-sql-server-connections

Answer 22

Short notice. If you're using AWS RDS you can get the certificates from truststore.pki.rds.amazonaws.com. Details with particular links can be found in this documentation: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html.

Simply download the appropriate certificate and install it on your host.

Answer 23

I added this 2 lines to the ConnectionString and it worked

Trusted_Connection=True
TrustServerCertificate=True

Answer 24

I was getting this message in Entity Framework migrations. I was able to connect with Win Auth to the Sql Server and create table manually. But EF wouldn't work. This connection string finally worked

Server=MyServerName;Database=MyDbName;Trusted_Connection=SSPI;Encrypt=false;TrustServerCertificate=true

Answer 25

I had the same issue after migrating a project from .NET 5 to .NET 6. I have tried suggested solutions (either TrustServerCertificate=True or Encrypt=False) and they worked as expected but I had a limitation to not change connection string. So if that is the case, you can still use System.Data.SqlClient as a nuget package. Like explained here it is still maintained but all the new stuff will go to Microsoft.Data.SqlClient.

Answer 26

If you are using any connection attributes mentioned in the answers, the values accepted are yes/no , if true/false doesn't seem to work.

TrustServerCertificate - Accepts the strings "yes" and "no" as values. The default value is "no", which means that the server certificate will be validated.

Using ODBC 18.0 - hope it helps.

Connection String Attributes

Answer 27

If you have created an ODBC connection to the server (using ODBC Driver 18 for SQL server) in ODBC settings (32 or 64), configure the connection and press Next 3 times. In the final screen, there is a "Trust server certificate" checkbox in the middle. Set it to checked. That will do the trick. Adding "TrustServerCertificate=True" to the connectionstring as suggested in other answers did not work for me.

Answer 28

If you use Version 18 and access via pyodbc, it is "TrustServerCertificate=yes", you need to add to the connection

Answer 29

Well in my case the Database was bad. When I re created a new database name the error got resolved. It's an error coming from SQL Server database. Try re creating a new database.

Answer 30

Got hit by the same issue while accessing SQLServer from IIS. Adding TrustServerCertificate=True did not help.

Could see a comment in MS docs: Make sure the SQLServer service account has access to the TLS Certificate you are using. (NT Service\MSSQLSERVER)

Open personal store and right click on the certificate -> manage private keys -> Add the SQL service account and give full control.

Restart the SQL service. It worked.