1. .NET 8 connecting to SQL Server 2008 R2 reports: the certificate chain was issued by an authority that is not trusted
Error text:
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - 證書鏈是由不受信任的頒發機構頒發的。)
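Solution:
Add the following to the connection string, which makes the client accept the server certificate without validating its chain: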
TrustServerCertificate=true;
Microsoft's guidance:
https://learn.microsoft.com/zh-cn/troubleshoot/sql/database-engine/connect/certificate-chain-not-trusted?tabs=ole-db-driver-19
2. If you get this error:
Connection Timeout Expired. The timeout period elapsed during the post-login phase. The connection could have timed out while waiting for server to complete the login process and respond; Or it could have timed out while attempting to create multiple active connections. The duration spent while attempting to connect to this server was - [Pre-Login] initialization=22; handshake=145; [Login] initialization=1; authentication=2; [Post-Login] complete=14006;
Solution:
Install the SP3 patch on SQL Server 2008 R2.
Version string of SQL Server 2008 R2 without the patch:
Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)
Version string of SQL Server 2008 R2 with the SP3 patch installed:
Microsoft SQL Server 2008 R2 (SP3) - 10.50.6000.34 (X64)
3. If you get this error:
A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed)
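Cause: .NET 8 in Docker defaults to a minimum of TLS 1.2, while SQL Server 2008 R2 supports at most TLS 1.0.
Solution: in the Docker image, lower the OpenSSL minimum version from TLS 1.2 to TLS 1.0.
The commands to add to the Dockerfile: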
# The following configuration applies to OpenSSL 3.0: change TLSv1.2 to TLSv1
# https://askubuntu.com/questions/1436476/ubuntu-22-04-sqlcmd-can-not-connect-to-ms-sql-server-2016/1445405#1445405
# openssl.cnf **** begin ****
# openssl_conf = openssl_init
# [openssl_init]
# providers = provider_sect
# ssl_conf = ssl_sect
#
# [provider_sect]
# default = default_sect
# legacy = legacy_sect
#
# [default_sect]
# activate = 1
#
# [legacy_sect]
# activate = 1
#
# [ssl_sect]
# system_default = system_default_sect
#
# [system_default_sect]
# CipherString = DEFAULT:@SECLEVEL=0
# openssl.cnf **** end ****
# Modify the default openssl.cnf
RUN sed -i 's/\[openssl_init\]/# \[openssl_init\]/g' /etc/ssl/openssl.cnf
RUN sed -i '$a\[openssl_init]' /etc/ssl/openssl.cnf
RUN sed -i '$a\providers = provider_sect' /etc/ssl/openssl.cnf
RUN sed -i '$a\ssl_conf = ssl_sect' /etc/ssl/openssl.cnf
RUN sed -i '$a\[provider_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\default = default_sect' /etc/ssl/openssl.cnf
RUN sed -i '$a\legacy = legacy_sect' /etc/ssl/openssl.cnf
RUN sed -i '$a\[default_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\activate = 1' /etc/ssl/openssl.cnf
RUN sed -i '$a\[legacy_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\activate = 1' /etc/ssl/openssl.cnf
RUN sed -i '$a\[ssl_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\system_default = system_default_sect' /etc/ssl/openssl.cnf
RUN sed -i '$a\[system_default_sect]' /etc/ssl/openssl.cnf
RUN sed -i '$a\CipherString = DEFAULT:@SECLEVEL=0' /etc/ssl/openssl.cnf
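Lines starting with # are comments and do not need to be written into the Dockerfile.
Alternatively, here is another form, which also worked when tested: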
RUN sed -i 's|\[openssl_init\]|&\nssl_conf = ssl_configuration\n[ssl_configuration]\nsystem_default = tls_system_default\n[tls_system_default]\nMinProtocol = TLSv1\nCipherString = DEFAULT@SECLEVEL=0|' /etc/ssl/openssl.cnf
With this form, openssl.cnf ends up looking roughly like this:
[openssl_init]
ssl_conf = ssl_configuration
[ssl_configuration]
system_default = tls_system_default
[tls_system_default]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0
The minimum TLS version is set to 1.0, and DEFAULT@SECLEVEL is set to 0.
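To confirm what an image actually ends up with, the script below (an added example, not part of the original post) follows the openssl_conf -> ssl_conf -> system_default chain in an openssl.cnf and prints the resolved MinProtocol and CipherString, so it can run as a build step or during an image audit. The function names and the sample file are assumptions; the sample combines the listing above with the `openssl_conf = openssl_init` line shown in the first variant.

```shell
# Print key $3 from section $2 ("" = before any [section]) of OpenSSL config $1.
cnf_get() {
    awk -v sect="$2" -v key="$3" '
        { sub(/#.*/, "") }                    # drop comments, whole-line or trailing
        /^[ \t]*\[/ { cur = $0; gsub(/^[ \t]*\[[ \t]*|[ \t]*\].*$/, "", cur); next }
        cur == sect && (i = index($0, "=")) > 0 {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v             # repeated key: last assignment wins
        }
        END { print val }' "$1"
}

# Resolve the section chain and print the defaults; returns 2 on a missing link.
tls_defaults() {
    sect=""
    for key in openssl_conf ssl_conf system_default; do
        sect=$(cnf_get "$1" "$sect" "$key")
        [ -n "$sect" ] || { echo "unresolved: $key"; return 2; }
    done
    minp=$(cnf_get "$1" "$sect" MinProtocol)
    cs=$(cnf_get "$1" "$sect" CipherString)
    echo "MinProtocol=${minp:-unset} CipherString=${cs:-unset}"
}

# Succeeds (0) when MinProtocol is below TLSv1.2 or the cipher string sets SECLEVEL=0.
tls_floor_lowered() {
    out=$(tls_defaults "$1") || return 2
    case $out in
        *"MinProtocol=TLSv1 "*|*"MinProtocol=TLSv1.1 "*|*SECLEVEL=0*) return 0 ;;
    esac
    return 1
}

# Constructed sample: the second variant of openssl.cnf described on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_configuration
[ssl_configuration]
system_default = tls_system_default
[tls_system_default]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0
EOF
tls_defaults "$sample"
```

In a Dockerfile the same functions can be pointed at /etc/ssl/openssl.cnf after the sed steps; system_default applies to every OpenSSL client in the image, not only the SQL Server connection.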