|
1 | 1 | --- |
2 | | -title: The certificate chain was issued by an authority that isn't trusted |
3 | | -description: This article provides resolutions for the error that occurs when you upgrade SNAC applications. |
| 2 | +title: Certificate Chain Not Trusted After Driver Upgrade |
| 3 | +description: Troubleshoot and fix "The certificate chain was issued by an authority that is not trusted" errors after upgrading to OLE DB or ODBC drivers for SQL Server. |
4 | 4 | ms.date: 01/10/2025 |
5 | | -ms.reviewer: v-jayaramanp, jopilov |
| 5 | +ms.reviewer: v-jayaramanp, jopilov, v-shaywood |
6 | 6 | ms.custom: sap:Database Connectivity and Authentication |
7 | 7 | --- |
8 | 8 |
|
9 | 9 | # "The certificate chain was issued by an authority that is not trusted" error after upgrading SNAC applications |
10 | 10 |
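Review bot: The front-matter title at new line 2 now reads "Certificate Chain Not Trusted After Driver Upgrade", but the H1 at line 9 is unchanged and still says "after upgrading SNAC applications", so the page title and the heading no longer match. Align the H1 with the new title, or keep "SNAC" in both so searches on the old wording still land here. `ms.date` at line 4 is also still 01/10/2025 although the body is rewritten; update it if the repo expects the date to track content changes.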
|
11 | | -Support for the SQL Server Native Client 11.0 (SNAC) as a driver for database applications ended on July 12, 2022. Any applications that use the SNAC 11.0 must be updated to use newer versions of the drivers (see [Download ODBC Driver for SQL Server](/sql/connect/odbc/download-odbc-driver-for-sql-server) and [Download Microsoft OLE DB Driver for SQL Server](/sql/connect/oledb/download-oledb-driver-for-sql-server)). This article describes an issue that occurs when you upgrade your SNAC 11.0 application to use either Microsoft OLE DB Driver 19 for SQL Server or Microsoft ODBC Driver 18.*x* for SQL Server. |
| 11 | +## Summary |
| 12 | + |
| 13 | +This article helps you troubleshoot certificate chain trust errors that occur when you upgrade database applications from SQL Server Native Client 11.0 (SNAC) to Microsoft OLE DB Driver 19 or Microsoft ODBC Driver 18 for SQL Server. |
| 14 | + |
| 15 | +When you upgrade from SNAC 11.0 to newer drivers, your applications might fail to connect to SQL Server with certificate chain trust errors. This problem happens because the newer drivers enable [encryption](/sql/relational-databases/security/securing-sql-server#encryption-and-certificates) by default and require certificate validation, while SNAC disabled it by default. This article explains why these errors occur and provides solutions to resolve them. |
12 | 16 |
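Review bot: The rewritten summary at new lines 13-15 drops the statement that support for SNAC 11.0 ended on July 12, 2022, which was the old intro's reason for upgrading at all. Two of the solutions further down tell the reader to move back to an older driver or to turn encryption off, so keep one sentence with the end-of-support date to make clear the upgrade itself is not optional. In new line 15, "while SNAC disabled it by default" leaves "it" ambiguous between encryption and certificate validation; name the setting.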
|
13 | 17 | ## [Upgraded to Microsoft OLE DB Driver 19 for SQL Server](#tab/ole-db-driver-19) |
14 | 18 |
|
15 | | -If you recently upgraded your SQL Server Native Client 11.0 (Provider=SQLNCLI11) application to use Microsoft OLE DB Driver 19 for SQL Server (Provider=MSOLEDBSQL19), you might receive error messages that resemble the following messages: |
| 19 | +After you upgrade from SQL Server Native Client 11.0 (Provider=SQLNCLI11) to Microsoft OLE DB Driver 19 for SQL Server, connection attempts might fail with the following error message: |
16 | 20 |
|
17 | 21 | > [Microsoft OLE DB Driver 19 for SQL Server]: Client unable to establish connection |
18 | 22 |
|
19 | 23 | > [Microsoft OLE DB Driver 19 for SQL Server]: SSL Provider: The certificate chain was issued by an authority that is not trusted. |
20 | 24 |
|
21 | | -### Cause of Certificate Chain Trust Error in SNAC applications |
| 25 | +### Cause of certificate chain trust error when upgrading to Microsoft OLE DB Driver 19 |
22 | 26 |
|
23 | | -These errors occur if both the following conditions are true: |
| 27 | +This error indicates that the client computer can't verify the authenticity of the SQL Server certificate because it was issued by a certificate authority (CA) that the client doesn't trust. |
| 28 | + |
| 29 | +These errors occur if both of the following conditions are true: |
24 | 30 |
|
25 | 31 | - The **Force encryption** setting for the SQL Server instance is set to **No**. |
26 | 32 |
|
27 | | -- The client connection string doesn't explicitly specify a value for encryption property, or the **Encryption** option wasn't explicitly set or updated in the DSN. |
| 33 | +- The client connection string doesn't explicitly specify a value for the encryption property, or the **Encryption** option wasn't explicitly set or updated in the DSN. |
| 34 | + |
| 35 | +The error occurs because of a change in the default behavior of the client drivers. Older versions of client drivers assume that data encryption is **OFF** by default. The new drivers assume this setting is **ON** by default. Because data encryption is **ON**, the driver tries to validate the server's certificate and fails. |
| 36 | + |
| 37 | +### Solutions for certificate chain trust error when upgrading to Microsoft OLE DB Driver 19 |
| 38 | + |
| 39 | +#### Use OLE DB Driver 18.x |
| 40 | + |
| 41 | +Use Microsoft OLE DB Driver for SQL Server 18.x. You can download the driver from [Release notes for the Microsoft OLE DB Driver for SQL Server](/sql/connect/oledb/release-notes-for-oledb-driver-for-sql-server). |
| 42 | + |
| 43 | +#### Disable mandatory encryption for OLE DB |
28 | 44 |
|
29 | | -The error occurs because of a change in the default behavior of the client drivers. Older versions of client drivers are designed to assume that data encryption is **OFF** by default. The new drivers assume this setting to be **ON** by default. Because data encryption is set to **ON**, the driver tries to validate the server's certificate and fails. |
| 45 | +Modify the encryption settings in your connection string: |
30 | 46 |
|
31 | | -### Solutions for Certificate Chain Trust Error in SNAC applications |
| 47 | +- If the application connection string property already specifies a value of `Yes` or `Mandatory` for the `Encrypt/Use Encryption for Data` setting, change the value to `No` or `Optional`. For example, `Use Encryption for Data=Optional`. |
| 48 | +- If the connection string doesn't specify any value for `Encrypt/Use Encryption for Data`, add `Use Encryption for Data=Optional` to the connection string. |
32 | 49 |
|
33 | | -- **Solution 1:** Use Microsoft OLE DB Driver for SQL Server 18.x. You can download the driver from [Release notes for the Microsoft OLE DB Driver for SQL Server](/sql/connect/oledb/release-notes-for-oledb-driver-for-sql-server). |
| 50 | +For more information, see [Encryption and certificate validation](/sql/connect/oledb/features/encryption-and-certificate-validation). |
34 | 51 |
|
35 | | -- **Solution 2:** If the application connection string property already specifies a value of **Yes** or **Mandatory** for the **Encrypt/Use Encryption for Data setting**, change the value to **No** or **Optional**. For example, **Use Encryption for Data=Optional**. If the connection string doesn't specify any value for **Encrypt/Use Encryption for Data**, add **Use Encryption for Data=Optional** to the connection string. For more information, see [Encryption and certificate validation](/sql/connect/oledb/features/encryption-and-certificate-validation). |
| 52 | +#### Trust the server certificate without validation |
36 | 53 |
|
37 | | -- **Solution 3:** Add `;TrustServerCertificate=true` to the connection string. This will force the client to trust the certificate without validation. |
| 54 | +Add `;TrustServerCertificate=true` to the SQL Server connection string. This setting tells the client to trust the certificate without validation. |
38 | 55 |
|
39 | | -- > [!NOTE] |
40 | | - > Currently, MSOLEDBSQL19 prevents the creation of linked servers without encryption and a trusted certificate (a self-signed certificate is insufficient). If linked servers are required, use the existing supported version of MSOLEDBSQL. |
41 | | - |
| 56 | +> [!NOTE] |
| 57 | +> Currently, MSOLEDBSQL19 prevents the creation of linked servers without encryption and a trusted certificate (a self-signed certificate is insufficient). If you need linked servers, use the existing supported version of MSOLEDBSQL. |
42 | 58 |
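Review bot: The new "Trust the server certificate without validation" section at new lines 52-54 offers `;TrustServerCertificate=true` with no caveat, and "Disable mandatory encryption for OLE DB" at new lines 43-48 does the same for `Use Encryption for Data=Optional`. Add a sentence to each that says what the reader gives up: with the first the client no longer verifies which server it is talking to, and with the second the client stops requiring encryption. Both read better as temporary workarounds until the server presents a certificate the client trusts. Separately, new line 19 says "the following error message" but two messages follow; make it plural.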
|
43 | 59 | ## [Upgraded to Microsoft ODBC Driver 18.*x* for SQL Server](#tab/odbc-driver-18x) |
44 | 60 |
|
45 | | -If you recently upgraded your SQL Server Native Client 11.0 (Driver={SQL Server Native Client 11.0}) application to Microsoft ODBC Driver 18 for SQL Server (Driver={ODBC Driver 18 for SQL Server}), you might receive error messages that resemble the following messages: |
| 61 | +After you upgrade from SQL Server Native Client 11.0 (Driver={SQL Server Native Client 11.0}) to Microsoft ODBC Driver 18 for SQL Server (Driver={ODBC Driver 18 for SQL Server}), connection attempts might fail with the following error message: |
46 | 62 |
|
47 | | -> [Microsoft][ODBC Driver 18 for SQL Server]SSL Provider: The certificate chain was issued by an authority that is not trusted. |
| 63 | +> \[Microsoft\]\[ODBC Driver 18 for SQL Server\]SSL Provider: The certificate chain was issued by an authority that is not trusted. |
48 | 64 |
|
49 | | -> [Microsoft][ODBC Driver 18 for SQL Server]Client unable to establish connection |
| 65 | +> \[Microsoft\]\[ODBC Driver 18 for SQL Server\]Client unable to establish connection |
50 | 66 |
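Review bot: The ODBC messages at new lines 63 and 65 now escape every bracket (`\[Microsoft\]\[ODBC Driver 18 for SQL Server\]`), while the OLE DB messages at lines 21 and 23 keep the plain `[Microsoft OLE DB Driver 19 for SQL Server]` form. Use one form in both tabs and check the rendered page for stray backslashes, since readers paste these strings into search verbatim. New line 61 has the same singular "error message" ahead of two messages as the OLE DB tab.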
|
51 | | -### Cause of Certificate Chain Trust Error in SNAC applications |
| 67 | +### Cause of certificate chain trust error when upgrading to Microsoft ODBC Driver 18 |
52 | 68 |
|
53 | | -These errors occur if both the following conditions are true: |
| 69 | +This error indicates that the client computer can't verify the authenticity of the SQL Server certificate because it was issued by a certificate authority (CA) that the client doesn't trust. |
| 70 | + |
| 71 | +These errors occur if both of the following conditions are true: |
54 | 72 |
|
55 | 73 | - The **Force encryption** setting for the SQL Server instance is set to **No**. |
56 | 74 |
|
57 | | -- The client connection string doesn't explicitly specify a value for encryption property, or the **Encryption** option wasn't explicitly set or updated in the DSN. |
| 75 | +- The client connection string doesn't explicitly specify a value for the encryption property, or the **Encryption** option wasn't explicitly set or updated in the DSN. |
58 | 76 |
|
59 | | -The error occurs because of a change in the default behavior of the client drivers. Older versions of client drivers are designed to assume that data encryption is **OFF** by default. The new drivers assume this setting to be **ON** by default. Because data encryption is set to **ON**, the driver tries to validate the server's certificate and fails. |
| 77 | +The error occurs because of a change in the default behavior of the client drivers. Older versions of client drivers assume that data encryption is **OFF** by default. The new drivers assume this setting is **ON** by default. Because data encryption is **ON**, the driver tries to validate the server's certificate and fails. |
60 | 78 |
|
61 | | -### Solutions for Certificate Chain Trust Error in SNAC applications |
| 79 | +### Solutions for certificate chain trust error when upgrading to Microsoft ODBC Driver 18 |
62 | 80 |
|
63 | | -- **Solution 1:** Use the Microsoft ODBC Driver 17 for SQL Server. You can download the driver from [Download ODBC Driver for SQL Server](/sql/connect/odbc/download-odbc-driver-for-sql-server). |
| 81 | +#### Use ODBC Driver 17 |
64 | 82 |
|
65 | | -- **Solution 2:** If the application connection string property already specifies a value of **Yes** or **Mandatory for Encrypt** setting, change the value to **No** or **Optional**. If the value isn't already specified, add `Encrypt = Optional;`. If you're using a DSN, change the encryption setting from **Mandatory** to **Optional**. For more information, see [DSN and connection string keywords and attributes](/sql/connect/odbc/dsn-connection-string-attribute). |
| 83 | +Use the Microsoft ODBC Driver 17 for SQL Server. You can download the driver from [Download ODBC Driver for SQL Server](/sql/connect/odbc/download-odbc-driver-for-sql-server). |
66 | 84 |
|
67 | | ---- |
| 85 | +#### Disable mandatory encryption for ODBC |
68 | 86 |
|
69 | | -## See also |
| 87 | +Modify the encryption settings in your connection string or DSN: |
70 | 88 |
|
71 | | -- [Enable encrypted connections to the Database Engine](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine) |
| 89 | +- If the application connection string property already specifies a value of `Yes` or `Mandatory` for `Encrypt`, change the value to `No` or `Optional`. |
| 90 | +- If the value isn't already specified, add `Encrypt=Optional;` to the connection string. |
| 91 | +- If you're using a DSN, change the encryption setting from `Mandatory` to `Optional`. |
72 | 92 |
|
73 | | -- [The certificate received from the remote server was issued by an untrusted certificate authority error when you connect to SQL Server](../connect/error-message-when-you-connect.md) |
| 93 | +For more information, see [DSN and connection string keywords and attributes](/sql/connect/odbc/dsn-connection-string-attribute). |
74 | 94 |
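Review bot: Neither ODBC solution at new lines 81-93 addresses the cause stated at new line 69, that the server certificate was issued by a CA the client doesn't trust: one moves back to Driver 17 and the other sets `Encrypt=Optional`. Add a solution that keeps encryption on, either installing a certificate from a CA the client trusts on the SQL Server instance or adding the issuing CA to the client's trusted root store, and point it at "Enable encrypted connections to the Database Engine", which is already listed under Related content. The OLE DB tab has the same gap, so the new section could be shared by both tabs.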
|
75 | | -- [Support Policies for SQL Server Native Client](/sql/relational-databases/native-client/applications/support-policies-for-sql-server-native-client) |
| 95 | +--- |
| 96 | + |
| 97 | +## Related content |
76 | 98 |
|
| 99 | +- [Enable encrypted connections to the Database Engine](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine) |
| 100 | +- [The certificate received from the remote server was issued by an untrusted certificate authority error when you connect to SQL Server](error-message-when-you-connect.md) |
| 101 | +- [Certificate validation failure](certificate-validation-failure.md) |
| 102 | +- [Support Policies for SQL Server Native Client](/sql/relational-databases/native-client/applications/support-policies-for-sql-server-native-client) |
77 | 103 | - [SNAC lifecycle explained](https://techcommunity.microsoft.com/t5/sql-server-blog/snac-lifecycle-explained/ba-p/385381) |
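Review bot: The link at new line 100 changes from `../connect/error-message-when-you-connect.md` to `error-message-when-you-connect.md`, and new line 101 adds `certificate-validation-failure.md` with the same bare relative path; nothing in this diff shows that both files sit in this article's folder. Run the link check before merging, and if the article was moved in the same change, say so in the commit message so the path change can be followed.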