Commit 9ab09e2

initial update
1 parent 5444080 commit 9ab09e2

1 file changed

Lines changed: 33 additions & 21 deletions

@@ -1,68 +1,80 @@
11
---
2-
title: The certificate chain was issued by an authority that isn't trusted
3-
description: This article provides resolutions for the error that occurs when you upgrade SNAC applications.
2+
title: Certificate Chain Not Trusted After Driver Upgrade
3+
description: Troubleshoot and fix "The certificate chain was issued by an authority that is not trusted" errors after upgrading to OLE DB or ODBC drivers for SQL Server.
44
ms.date: 01/10/2025
5-
ms.reviewer: v-jayaramanp, jopilov
5+
ms.reviewer: v-jayaramanp, jopilov, v-shaywood
66
ms.custom: sap:Database Connectivity and Authentication
77
---
88

99
# "The certificate chain was issued by an authority that is not trusted" error after upgrading SNAC applications
1010

11-
Support for the SQL Server Native Client 11.0 (SNAC) as a driver for database applications ended on July 12, 2022. Any applications that use the SNAC 11.0 must be updated to use newer versions of the drivers (see [Download ODBC Driver for SQL Server](/sql/connect/odbc/download-odbc-driver-for-sql-server) and [Download Microsoft OLE DB Driver for SQL Server](/sql/connect/oledb/download-oledb-driver-for-sql-server)). This article describes an issue that occurs when you upgrade your SNAC 11.0 application to use either Microsoft OLE DB Driver 19 for SQL Server or Microsoft ODBC Driver 18.*x* for SQL Server.
11+
## Summary
12+
13+
This article helps you troubleshoot certificate chain trust errors that occur when you upgrade database applications from SQL Server Native Client 11.0 (SNAC) to Microsoft OLE DB Driver 19 or Microsoft ODBC Driver 18 for SQL Server.
14+
15+
When you upgrade from SNAC 11.0 to newer drivers, your applications might fail to connect to SQL Server with certificate chain trust errors. This issue occurs because the newer drivers enable encryption by default and require certification validation, while SNAC disabled it by default. This article explains why these errors occur and provides workarounds to resolve them.
1216

1317
## [Upgraded to Microsoft OLE DB Driver 19 for SQL Server](#tab/ole-db-driver-19)
1418

15-
If you recently upgraded your SQL Server Native Client 11.0 (Provider=SQLNCLI11) application to use Microsoft OLE DB Driver 19 for SQL Server (Provider=MSOLEDBSQL19), you might receive error messages that resemble the following messages:
19+
After you upgrade from SQL Server Native Client 11.0 (Provider=SQLNCLI11) to Microsoft OLE DB Driver 19 for SQL Server, connection attempts might fail with the following error:
1620

1721
> [Microsoft OLE DB Driver 19 for SQL Server]: Client unable to establish connection
1822
1923
> [Microsoft OLE DB Driver 19 for SQL Server]: SSL Provider: The certificate chain was issued by an authority that is not trusted.
2024
21-
### Cause of Certificate Chain Trust Error in SNAC applications
25+
### Cause of certificate chain trust error when upgrading to Microsoft OLE DB Driver 19
26+
27+
This error indicates that the client computer is unable to verify the authenticity of the SQL Server certificate because it was issued by a certificate authority (CA) that is not trusted by the client.
2228

2329
These errors occur if both the following conditions are true:
2430

2531
- The **Force encryption** setting for the SQL Server instance is set to **No**.
2632

27-
- The client connection string doesn't explicitly specify a value for encryption property, or the **Encryption** option wasn't explicitly set or updated in the DSN.
33+
- The client connection string doesn't explicitly specify a value for the encryption property, or the **Encryption** option wasn't explicitly set or updated in the DSN.
2834

29-
The error occurs because of a change in the default behavior of the client drivers. Older versions of client drivers are designed to assume that data encryption is **OFF** by default. The new drivers assume this setting to be **ON** by default. Because data encryption is set to **ON**, the driver tries to validate the server's certificate and fails.
35+
The error occurs because of a change in the default behavior of the client drivers. Older versions of client drivers assume that data encryption is **OFF** by default. The new drivers assume this setting is **ON** by default. Because data encryption is **ON**, the driver tries to validate the server's certificate and fails.
3036

31-
### Solutions for Certificate Chain Trust Error in SNAC applications
37+
### Solutions for certificate chain trust error when upgrading to Microsoft OLE DB Driver 19
3238

3339
- **Solution 1:** Use Microsoft OLE DB Driver for SQL Server 18.x. You can download the driver from [Release notes for the Microsoft OLE DB Driver for SQL Server](/sql/connect/oledb/release-notes-for-oledb-driver-for-sql-server).
3440

35-
- **Solution 2:** If the application connection string property already specifies a value of **Yes** or **Mandatory** for the **Encrypt/Use Encryption for Data setting**, change the value to **No** or **Optional**. For example, **Use Encryption for Data=Optional**. If the connection string doesn't specify any value for **Encrypt/Use Encryption for Data**, add **Use Encryption for Data=Optional** to the connection string. For more information, see [Encryption and certificate validation](/sql/connect/oledb/features/encryption-and-certificate-validation).
41+
- **Solution 2:**
42+
- If the application connection string property already specifies a value of **Yes** or **Mandatory** for the **Encrypt/Use Encryption for Data** setting, change the value to **No** or **Optional**. For example, **Use Encryption for Data=Optional**.
43+
- If the connection string doesn't specify any value for **Encrypt/Use Encryption for Data**, add **Use Encryption for Data=Optional** to the connection string. For more information, see [Encryption and certificate validation](/sql/connect/oledb/features/encryption-and-certificate-validation).
3644

37-
- **Solution 3:** Add `;TrustServerCertificate=true` to the connection string. This will force the client to trust the certificate without validation.
45+
- **Solution 3:** Add `;TrustServerCertificate=true` to the SQL Server connection string. This change tells the client to trust the certificate without validation.
3846

39-
- > [!NOTE]
40-
> Currently, MSOLEDBSQL19 prevents the creation of linked servers without encryption and a trusted certificate (a self-signed certificate is insufficient). If linked servers are required, use the existing supported version of MSOLEDBSQL.
41-
47+
> [!NOTE]
48+
> Currently, MSOLEDBSQL19 prevents the creation of linked servers without encryption and a trusted certificate (a self-signed certificate is insufficient). If you need linked servers, use the existing supported version of MSOLEDBSQL.
4249
4350
## [Upgraded to Microsoft ODBC Driver 18.*x* for SQL Server](#tab/odbc-driver-18x)
4451

45-
If you recently upgraded your SQL Server Native Client 11.0 (Driver={SQL Server Native Client 11.0}) application to Microsoft ODBC Driver 18 for SQL Server (Driver={ODBC Driver 18 for SQL Server}), you might receive error messages that resemble the following messages:
52+
After you upgrade from SQL Server Native Client 11.0 (Driver={SQL Server Native Client 11.0}) to Microsoft ODBC Driver 18 for SQL Server (Driver={ODBC Driver 18 for SQL Server}), connection attempts might fail with the following error message:
4653

4754
> [Microsoft][ODBC Driver 18 for SQL Server]SSL Provider: The certificate chain was issued by an authority that is not trusted.
4855
4956
> [Microsoft][ODBC Driver 18 for SQL Server]Client unable to establish connection
5057
51-
### Cause of Certificate Chain Trust Error in SNAC applications
58+
### Cause of certificate chain trust error when upgrading to Microsoft ODBC Driver 18
59+
60+
This error indicates that the client computer is unable to verify the authenticity of the SQL Server certificate because it was issued by a certificate authority (CA) that is not trusted by the client.
5261

5362
These errors occur if both the following conditions are true:
5463

5564
- The **Force encryption** setting for the SQL Server instance is set to **No**.
5665

57-
- The client connection string doesn't explicitly specify a value for encryption property, or the **Encryption** option wasn't explicitly set or updated in the DSN.
66+
- The client connection string doesn't explicitly specify a value for the encryption property, or the **Encryption** option wasn't explicitly set or updated in the DSN.
5867

59-
The error occurs because of a change in the default behavior of the client drivers. Older versions of client drivers are designed to assume that data encryption is **OFF** by default. The new drivers assume this setting to be **ON** by default. Because data encryption is set to **ON**, the driver tries to validate the server's certificate and fails.
68+
The error occurs because of a change in the default behavior of the client drivers. Older versions of client drivers assume that data encryption is **OFF** by default. The new drivers assume this setting is **ON** by default. Because data encryption is **ON**, the driver tries to validate the server's certificate and fails.
6069

61-
### Solutions for Certificate Chain Trust Error in SNAC applications
70+
### Solutions for certificate chain trust error when upgrading to Microsoft ODBC Driver 18
6271

6372
- **Solution 1:** Use the Microsoft ODBC Driver 17 for SQL Server. You can download the driver from [Download ODBC Driver for SQL Server](/sql/connect/odbc/download-odbc-driver-for-sql-server).
6473

65-
- **Solution 2:** If the application connection string property already specifies a value of **Yes** or **Mandatory for Encrypt** setting, change the value to **No** or **Optional**. If the value isn't already specified, add `Encrypt = Optional;`. If you're using a DSN, change the encryption setting from **Mandatory** to **Optional**. For more information, see [DSN and connection string keywords and attributes](/sql/connect/odbc/dsn-connection-string-attribute).
74+
- **Solution 2:**
75+
- If the application connection string property already specifies a value of **Yes** or **Mandatory** for **Encrypt**, change the value to **No** or **Optional**.
76+
- If the value isn't already specified, add `Encrypt = Optional;.
77+
- If you're using a DSN, change the encryption setting from **Mandatory** to **Optional**. For more information, see [DSN and connection string keywords and attributes](/sql/connect/odbc/dsn-connection-string-attribute).
6678

6779
---
6880

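Review bot: The solution lists for both drivers (new lines 39-45 and 72-77) never address the cause stated in the paragraphs added at new lines 27 and 60, namely that the client doesn't trust the CA that issued the server certificate. Every listed option (older driver, `Encrypt`/`Use Encryption for Data` set to Optional, `TrustServerCertificate=true`) either returns to the old encryption-off default or skips certificate validation, so the client never authenticates the server. Suggest adding a preferred solution that keeps encryption on, such as installing a server certificate issued by a CA the client trusts or adding the issuing CA to the client's trusted root store, and describing Solution 3 as a workaround that leaves the server unauthenticated. Two smaller fixes: new line 76 has an unclosed backtick in "add `Encrypt = Optional;." (the removed line 65 had it closed), and new line 15 says "certification validation" where "certificate validation" is meant.
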
@@ -74,4 +86,4 @@ The error occurs because of a change in the default behavior of the client drive
7486

7587
- [Support Policies for SQL Server Native Client](/sql/relational-databases/native-client/applications/support-policies-for-sql-server-native-client)
7688

77-
- [SNAC lifecycle explained](https://techcommunity.microsoft.com/t5/sql-server-blog/snac-lifecycle-explained/ba-p/385381)
89+
- [SNAC lifecycle explained](https://techcommunity.microsoft.com/t5/sql-server-blog/snac-lifecycle-explained/ba-p/385381)
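
Review bot: The removed line 77 and the added line 89 read identically as rendered, so the only difference is presumably trailing whitespace or the end-of-file newline. If the intent is to add the missing final newline, that is fine; otherwise drop this hunk so the commit carries only the content changes.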
