Full error I am getting is:
SQLSTATE[08001]: [Microsoft][ODBC Driver 18 for SQL Server]SSL Provider: [error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:unable to get local issuer certificate] (SQL: SHOW TABLES) (View: /var/www/html/uvk/resources/views/index.blade.php)
I do have an SSL certificate and can connect through HTTPs
Your web server's SSL/TLS certificate has nothing to do with the error message, it's referring to the certificate used by the SQL Server service.
Please refer to ODBC Driver 18.0 for SQL Server Released which mentions:
Changes
BREAKING CHANGE - Default Encrypt to Yes/Mandatory.
ODBC Driver 18 for SQL Server and JDBC Driver 10.2 for SQL Server both default to the Encrypt=yes; connection string option with the goal of improving data security for SQL Server users and developers. Unfortunately, by default, SQL Server instances are installed with self-signed X.509 certificate that are not trusted by any CAs (Certificate Authorities) so most people upgrading to these versions of the drivers are receiving errors similar to yours.
You have three options here:
Export the public key portion of the target SQL Server's certificate to a .crt file and import it into the trusted certificate stores of the users that need to connect to it, or
Add TrustServerCertificate=true; (or TrustServerCertificate=yes;, depending on your programming language) to your connection string, so that the server's certificate is accepted without error and allows secure, encrypted connections, or
Add Encrypt=false; (or Encrypt=no;, depending on your programming language) to your connection string. This is the least desirable option as it prevents the connection from being encrypted, meaning that the traffic between your SQL Server and the client can be intercepted and inspected with ease.
I want to add a database (Microsoft SQL) to the website I'm working on, using Cold Fusion Administrator (latest version).
After entering all needed data, I got the issue:
Connection verification failed for data source: dbKantine
java.sql.SQLException: The sqlserver package is not installed. You can install the package through the CLI package manager (C:/Users/MYNAME/.CommandBox/server/C1EA019F5A81794693D0EA837C1622B4-PROJECTNAME/adobe-2021.0.2.328618/WEB-INF/cfusion/bin/cfpm.bat) by running the command : install sqlserver.
I tried to execute the *.bat file mentioned, but nothing happened.
I also tried install sqlserver in the CommandBox, but it says:
Error getting ForgeBox entry [sqlserver]
The entry slug sent is invalid or does not exist
EDIT:
I got it installed using cfpm.sh and wrote there "install sqlserver".
But now it tells me this inside of Cold Fusion Administrator:
Connection verification failed for data source: MYDB
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]An SSL socket connection could not be established because JRE 1.4 or above is required.
EDIT 2:
I setup everything again with ColdFusion 2018 (as I'm learning CF 2018 currently).
Now I get the issue:
Connection verification failed for data source: MYDB
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer
JDBC Driver]The SQL Server login requires an SSL connection. The root
cause was that: java.sql.SQLNonTransientConnectionException:
[Macromedia][SQLServer JDBC Driver]The SQL Server login requires an
SSL connection.
What I tried:
I created a *.keystore file and a *.cer file.
I followed this (https://usermanual.wiki/adobe/CF11Configen.762142204/html#pf2f) instruction and tried to add the keystore file to the CF Administrator:
According to Data Source Management for ColdFusion > Enabling SSL Connection what you need is a truststore. The JVM used by ColdFusion already has a default truststore configured, typically jre\lib\security\cacerts, so no need to create one. Though depending on the server certificate, it may need to be imported into the truststore. The "Enable RMI Over SSL For Data Management" setting isn't relevant. It's for Flex Integration, not datasources.
Do the following to enable SSL connection:
In the ColdFusion Administrator, go to Data & Services > Data Sources.
Select the data source to enable SSL Connection.
In the data source page, click Show Advanced Settings.
In the Connection String text box, specify the connection properties as per the SSL requirements.
The relevant SQL Server SSL connection settings are:
EncryptionMethod - Values are noEncryption and SSL
TrustStore - The (full path) of the truststore file
TrustStorePassword - The password to access the truststore file
ValidateServerCertificate - Determines whether the driver validates the certificate sent by the database, true or false.
server
HostNameInCertificate - Host name for certificate validation. (Either a literal string "host_name" or #SERVERNAME#)
Sample connection string to enable SSL and validate the server certificate:
EncryptionMethod=SSL;ValidateServerCertificate=true;HostNameInCertificate=YourServerName;TrustStore=C:\commandbox\openjdk11\jre\lib\security\cacerts;TrustStorePassword=ThePassword
Sample connection string to enable SSL without validating the server certificate:
EncryptionMethod=SSL;ValidateServerCertificate=false;TrustStore=C:\commandbox\openjdk11\jre\lib\security\cacerts;TrustStorePassword=ThePassword
Sql Server: Sql Server Express 2014
OS: Window 10
IIS: 10.0
I am not able to get the option of "microsoft rsa channel cryptographic provider" during the creation of certification on Computer I am getting the option "microsoft rsa Schannel cryptographic provider".
I want secure connection to sql server so I created the Certificate Using "MMC.exe"
Install the SQL Server certificate using Microsoft Management ConsoleCreate certificate.
Configuring SQL Server to accept encrypted connections
by fallow this steps Link
After Step Two I Restart the Server And Got error
The Request fails or the service did not respond in a timely fashion.
Consult the event log or other application error log for details
then after looking log i got the issue
Unable to load user-specified certificate [Cert Hash(sha1)
"AB61993A9D9C5AF442F47053E36F169EB6058E20"]. The server will not
accept a connection. You should verify that the certificate is
correctly installed. See "Configuring Certificate for Use by SSL" in
Books Online.
from more investigation i got this link which is link to my issue support microsoft
it is giving solution
To work around this problem, use any of the following methods:
Do not specify any certificate. Therefore, SQL Server generates a
self-signed certificate. To do this, leave the Certificate box blank
in SQL Server Configuration Manager.
Use a certificate that uses the "Microsoft RSA Channel Cryptographic
Provider" cryptographic service provider for the SQL Server
certificate.
By running the certutil -v -store my. it show that microsoft rsa schannel cryptographic
Step one is working for me now step two i want to install the certificate i try to check the change the microsoft rsa Schannel cryptographic to microsoft rsa channel cryptographic but during the Flow I am not able to see the microsoft rsa channel cryptographic provider.
I am trying to configure SQL Server 2014 so that I can connect to it remotely using SSL. A valid, wildcard cert is installed on the server, and the cert's domain name (example.com) matches the server's FQDN (test.windows-server-test.example.com).
The problem is that in SQL Server Configuration Manager, the certificate is not listed, so I cannot select it.
That is, I am stuck on step 2.e.2 from this MS tutorial.
After communication in comments I can suppose that your main problem is the CN part of the certificate which you use. To have successful TLS communication for IIS Server one have no such strong restrictions like SQL Server has.
Microsoft require (see here) that The name of the certificate must be the fully qualified domain name (FQDN) of the computer. It means that the Subject part of the certificate looks like CN = test.widows-server-test.example.com, where test.widows-server-test.example.com is the FQDN of your computer. It's not enough that you use for example CN = *.example.com and Subject Alternative Name, which contains DNS Name=*.example.com and DNS Name=test.widows-server-test.example.com, DNS Name=test1.widows-server-test.example.com, DNS Name=test.widows-server-test2.example.com and so on. Such certificate will be OK for TLS, but SQL Server will discard it. See the article, which describes close problems.
I recommend you to create self-signed certificate with CN equal to FQDN of the SQL Server and to verify that the certificate will be seen by SQL Server Configuration Manager.
UPDATED: I analysed the problem a little more with respect of Process Monitor and found out that two values in Registry are important for SQL Server Configuration Manager: the values Hostname and Domain under the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
If I change Domain and Hostname to the values which corresponds CN of the certificate then the certificate will be already displayed in the SQL Server Configuration Manager. It could be not all problems, but it shows that SQL Server required much more as a web server (IIS for example).
UPDATED 2: I examined the problem once more in details and I think I did found the way how one can configure common SSL certificate which you already have (for example free SSL certificated from Let's Encrypt, StartSSL or some other).
It's important to distinguished what do SQL Server Configuration Manager from the configuration required by SQL Server. The Certificate tab of the properties of the Configuration Manager have more hard restrictions as SQL Server. I describe above only the restrictions of SQL Server Configuration Manager, but one can make configuration directly in the Registry to use more common SSL/TLS Certificate by SQL Server. I describe below how one can do this.
What one need to do one can in the Registry under the key like HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\MSSQLServer\SuperSocketNetLib, where the part MSSQL12.SQL2014 can be a little different in your case. The SQL Server Configuration Manager help us to set two values in the registry: ForceEncryption and Certificate:
The Certificate value is SHA1 hash which can be found by examining the properties of the certificate:
or extended properties of the certificate, which you see by usage certutil.exe -store My:
One need just copy the "Cert Hash(sha1)" value, remove all spaces and to place as the value of Certificate value in the Registry. After making the settings and restarting SQL Server windows service one will see in file ERRORLOG in C:\Program Files\Microsoft SQL Server\...\MSSQL\Log directory the line like
2016-04-25 21:44:25.89 Server The certificate [Cert Hash(sha1)
"C261A7C38759A5AD96AC258B62A308A26DB525AA"] was successfully loaded
for encryption.
I want to add this for future folks that may stumble on a similar issue I encountered with SQL 2016 SP2 and failover cluster. The certificate thumbprint added to the registry had to be all upper case.
Hope this helps the next guy.
Once I followed steps in Updated 2 section of accepted answer, I can't start the SQL Server service, got those errors in Event Viewer:
Unable to load user-specified certificate [Cert Hash(sha1) "thumbprint of certificate"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for Use by SSL" in Books Online.
TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
got error in SQL Server error log:
The server could not load the certificate it needs to initiate an SSL connection. It returned the following error: 0x8009030d. Check certificates to make sure they are valid.
googled it and found out a solution:
Make sure the windows account running SQL Server service (NT Service\MSSQLServer in my case) has full permissions to the following folders/register entry:
C:\Program Files\Microsoft SQL Server[Your Sql Server Instance]\MSSQL\
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters
I checked No.1 NT Service\MSSQLSERVER has already had the permission.
I checked No.2, NT Service\MSSQLSERVER has no permission and I added the permission. It popped up an error saying one of files in that folder was denied the operation, but I just ignored it (nothing else I can do)
I didn't check No.3 and tried starting SQL Server, it worked!!
I faced similar issue in SSRS, wherein certificate issued by microsoft active directory CA was not visible in the dropdown in SSRS. After lot of searches, trial and error I could fix it by following this link.
https://learn.microsoft.com/en-us/archive/blogs/sqlserverfaq/can-tls-certificate-be-used-for-sql-server-encryption-on-the-wire
Brief of it is as below:
The Subject property of the certificate must indicate that the common name (CN) is the same as the host name or fully qualified domain name (FQDN) of the server computer.
So in our case we suggested to request the Certificate Authority to change the Subject name to ABC-SQLServer.abc.local (FQDN of SQL Server) instead of abc-corp.abc.com
Once this change was done, we loaded certificate again in MMC and now we could see the certificate loaded in SQL Server Configuration Manager!
Hope it helps someone facing same issue!
I was still having problems even after following the above. This is my fix:
in the certificates mmc right click the certificate All tasks->Manage Pricate Keys. Give the service account full control. In my case I am using NT Service\MSSQL$
SQL Server 2019
I found that the certificate thumbprint had to be entered into the certificate registry key in lower case for Configuration Manager to see it.
SQL Server will read the registry value and use it whether the registry key is in upper or lower case.
But configuration Manager will only display it if it is in lower case
I logged on to the server with SQL Server domain account( had to add the account to local admins temporarily) and imported the certificate in personal folder of the SQL Server service account. rebooted the server, and then SQL Server could see the certificate. Hope it helps someone.
An additional failure mode is key length - SQL requires a minimum keylength of 2048. With DH channel disabled.
I have also run into an issue copying out of the MMC as detailed in the article here. Using the certutil and copying that into the registry value worked perfectly.
My problem was that the Certificate Store was for WebHosting, but to see the certificate in SSRS it must be Personal.
USE UPPER CASE for Certificate in Registry editor LOL
Still not shown in config manager but TLS is working for SQL connections.
Using information from some consultants about 2 years ago we set up a SQL Server 2012 box to always have an encrypted connection (at least we thought so). A week ago the SSL certificate expired and everything continues to work fine which is puzzling.
We forced encryption by doing the following:
Obtain an SSL certificate and install it on the SQL Server via MMC. Explicit instructions for this step are here.
Open SQL Server Configuration Manger and expand the SQL Server Network Configuration node in the left pane.
Right click Protocols for MSSQLServer and choose properties.
Go to Certificate tab and choose the installed SSL cert from the drop down.
Go to the Flags tab and set force encryption to Yes.
Now, since the SSL cert expired, there is no longer any cert selected in the drop down when I visit step 3 above. However, I put WireShark on the DB server and use SSMS to request some data. The TDS (Tabular Data Stream) packets are still encrypted? When I put WireShark on a different DB Server I set ForceEncryption to NO, those TDS packets are not encrypted as expected.
So my questions are:
How are the TDS packets still encrypted if the cert is expired?
Even when the cert was valid, why didn't I have to select Options > Encrypt Connection to connect to my encrypted DB server? I thought setting ForceEncryption=Yes required ALL client connections to specify Encrypt in their connection string (or the SSMS checkbox)?
If Web APIs are the only method of accessing my DB, and they do so over SSL, is it even necessary to encrypt the SQL Protocol?
1)How are the TDS packets still encrypted if the cert is expired?
you don't need a valid certificate in order to encrypt, you can still encrypt using an expired certificate.
2)Even when the cert was valid, why didn't I have to select Options > Encrypt Connection to connect to my encrypted DB server? I thought setting ForceEncryption=Yes required ALL client connections to specify Encrypt in their connection string (or the SSMS checkbox)?
Do not enable the Force Protocol Encryption option on both the client and the server,
if you enabled force encryption on SQL server you don't need to do it on any client-side
3)If Web APIs are the only method of accessing my DB, and they do so over SSL, is it even necessary to encrypt the SQL Protocol?
To enable SSL you need the certificate to be installed on SQL server so in order to access the DBusing SSL you are doing the same job.
Thank you