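.NET 8 connecting to SQL Server 2008 R2 reports: The certificate chain was issued by an authority that is not trusted

1. .NET 8 connecting to SQL Server 2008 R2 reports: The certificate chain was issued by an authority that is not trusted

Error message: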

A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - 證書鏈是由不受信任的頒發機構頒發的。)

 

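Solution:

Add the following to the connection string. With this setting the client accepts the server's certificate without validating its chain: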

TrustServerCertificate=true;

 

Microsoft's solution:

https://learn.microsoft.com/zh-cn/troubleshoot/sql/database-engine/connect/certificate-chain-not-trusted?tabs=ole-db-driver-19

 

2. If you get this error:

Connection Timeout Expired.  The timeout period elapsed during the post-login phase.  The connection could have timed out while waiting for server to complete the login process and respond; Or it could have timed out while attempting to create multiple active connections.  The duration spent while attempting to connect to this server was - [Pre-Login] initialization=22; handshake=145; [Login] initialization=1; authentication=2; [Post-Login] complete=14006; 

Solution:

Apply the SP3 patch to SQL Server 2008 R2.

 

SQL Server 2008 R2 version number without the patch:

Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)

 

SQL Server 2008 R2 version number with the SP3 patch applied:

Microsoft SQL Server 2008 R2 (SP3) - 10.50.6000.34 (X64)

 

3. If you get this error:

A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)

Cause: in Docker, .NET 8 defaults to a minimum of TLS 1.2, while SQL 2008 R2 supports at most TLS 1.0.

Solution: in Docker, lower the OpenSSL minimum version from TLS 1.2 to TLS 1.0.

The adjustment commands in the Dockerfile:

# The following configuration applies to OpenSSL 3.0: change TLSv1.2 to TLSv1
# https://askubuntu.com/questions/1436476/ubuntu-22-04-sqlcmd-can-not-connect-to-ms-sql-server-2016/1445405#1445405

# openssl.cnf  ****start****
# openssl_conf = openssl_init

# [openssl_init]
# providers = provider_sect
# ssl_conf = ssl_sect
# 
# [provider_sect]
# default = default_sect
# legacy = legacy_sect
# 
# [default_sect]
# activate = 1
# 
# [legacy_sect]
# activate = 1
# 
# [ssl_sect]
# system_default = system_default_sect
# 
# [system_default_sect]
# CipherString = DEFAULT:@SECLEVEL=0  
# openssl.cnf ****end****

# Modify the default openssl.cnf configuration


RUN sed -i 's/\[openssl_init\]/# \[openssl_init\]/g' /etc/ssl/openssl.cnf
RUN sed -i '$a\[openssl_init]' /etc/ssl/openssl.cnf
RUN sed -i '$a\providers = provider_sect' /etc/ssl/openssl.cnf
RUN sed -i '$a\ssl_conf = ssl_sect' /etc/ssl/openssl.cnf
 
RUN sed -i '$a\[provider_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\default = default_sect' /etc/ssl/openssl.cnf
RUN sed -i '$a\legacy = legacy_sect' /etc/ssl/openssl.cnf
 
RUN sed -i '$a\[default_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\activate = 1' /etc/ssl/openssl.cnf
 
RUN sed -i '$a\[legacy_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\activate = 1' /etc/ssl/openssl.cnf
 
RUN sed -i '$a\[ssl_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\system_default = system_default_sect' /etc/ssl/openssl.cnf
 
RUN sed -i '$a\[system_default_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\CipherString = DEFAULT:@SECLEVEL=0' /etc/ssl/openssl.cnf

 

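Lines starting with # are comments and do not need to be written into the Dockerfile.

Alternatively, another way of writing it, which also worked in testing: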

RUN sed -i 's|\[openssl_init\]|&\nssl_conf = ssl_configuration\n[ssl_configuration]\nsystem_default = tls_system_default\n[tls_system_default]\nMinProtocol = TLSv1\nCipherString = DEFAULT@SECLEVEL=0|' /etc/ssl/openssl.cnf

 

With this approach, openssl.cnf looks roughly like this:

[openssl_init] 
ssl_conf = ssl_configuration
 
[ssl_configuration]
system_default = tls_system_default
 
[tls_system_default]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0  

 

The minimum TLS version is set to 1.0, and DEFAULT@SECLEVEL is set to 0.
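Because these sed edits change the default for every OpenSSL client in the image, it helps to check what the edited file actually resolves to. The following added example (not from the original post) follows the openssl_conf, ssl_conf and system_default chain and reports the resulting MinProtocol and SECLEVEL. The function names tls_floor and tls_floor_weakened and the sample file are constructed for illustration; it assumes no .include directives and that a repeated key keeps its last value.

```shell
# Added example (illustrative names; not OpenSSL tools or the post's code).
# tls_floor FILE prints "MinProtocol=<v> SECLEVEL=<n>" for the section reached
# via openssl_conf -> ssl_conf -> system_default ("unset" when absent).
# Assumptions: no .include or $variables; a repeated key keeps its last value.
tls_floor() {
    awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t\r]+$/, "") }   # drop comments, trim
    /^\[.*\]$/ {                                         # section header
        sec = substr($0, 2, length($0) - 2); gsub(/^[ \t]+|[ \t]+$/, "", sec); next
    }
    /=/ {                                                # key = value
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
        kv[sec SUBSEP key] = val                         # last assignment wins
    }
    END {
        init = kv["" SUBSEP "openssl_conf"]
        ssl  = kv[init SUBSEP "ssl_conf"]
        sd   = kv[ssl SUBSEP "system_default"]
        min  = kv[sd SUBSEP "MinProtocol"]; if (min == "") min = "unset"
        cs   = kv[sd SUBSEP "CipherString"]; lvl = "unset"
        if (match(cs, /@SECLEVEL=[0-9]+/)) lvl = substr(cs, RSTART + 10, RLENGTH - 10)
        print "MinProtocol=" min " SECLEVEL=" lvl
    }' "$1"
}

# Exit 0 when SECLEVEL=0 or MinProtocol is TLSv1/TLSv1.1, as on this page.
tls_floor_weakened() {
    case "$(tls_floor "$1")" in
        *"SECLEVEL=0"|"MinProtocol=TLSv1 "*|"MinProtocol=TLSv1.1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: a stock SECLEVEL=2 section, then the appended override.
sample=$(mktemp)
cat > "$sample" <<'EOF'
openssl_conf = openssl_init
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=0
EOF
tls_floor "$sample"
```

Inside the built image, run it as tls_floor /etc/ssl/openssl.cnf.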
