mssql-docker
SQL Server on Linux does not present/load intermediate certificates
This is probably not Docker-specific, but I don't know where else to put my findings. I spent a fair amount of time diving through .NET runtime assemblies to debug this, so if anyone can use this info, then it is not lost :)
```ini
[network]
tlscert = /var/opt/mssql/tls/server.crt
tlskey = /var/opt/mssql/tls/server.key
forceencryption = 1
```
server.crt contains PEM host-certificate + intermediate
-----BEGIN CERTIFICATE-----
Client (both Linux and Windows) trusts Root CA (which has signed the intermediate).
When trying to connect with SqlConnection in .NET or Azure Data Studio, the error "The remote certificate is invalid according to the validation procedure." is presented.
The reason seems to be that the server only sends the host certificate (notice only one element in chainElements on the left).

When connecting to a Windows-hosted SQL Server it works and looks like this:

Without the intermediate certificate present, the client cannot validate the path to the Root.
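The failure described above can be reproduced on the command line without a SQL Server at all. The script below is an added example, not code from this issue or from the mssql-docker project: it builds a throwaway Root -> Intermediate -> host-certificate chain with the openssl CLI, assembles the bundle the way `tlscert` is used here (host certificate first, then the intermediate), and then runs `openssl verify` twice, once with the intermediate available (what a Windows-hosted SQL Server effectively gives the client) and once with the host certificate alone (what the Linux build appears to send). All names, file names and the `sql.example.test` host are constructed for the example; the only assumption is that `openssl` is installed.

```shell
#!/bin/sh
# Added example (not from the issue or the mssql-docker project): build a
# constructed Root -> Intermediate -> host-certificate chain, assemble it as a
# tlscert-style bundle, and show why a client that receives only the host
# certificate cannot build a path to the root it trusts.
set -eu

# Create a constructed test PKI under $1 and write $1/server.crt (host cert + intermediate).
make_test_pki() {
  dir=$1
  mkdir -p "$dir"

  # Minimal config so the run does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = ca' \
    '[dn]' 'CN = placeholder' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' > "$dir/ca.cnf"
  printf '%s\n' 'basicConstraints = critical,CA:TRUE,pathlen:0' \
    'keyUsage = critical,keyCertSign,cRLSign' > "$dir/intermediate.ext"
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = digitalSignature,keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    'subjectAltName = DNS:sql.example.test' > "$dir/leaf.ext"

  # Root CA (self-signed): the only thing the clients trust.
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null

  # Intermediate CA, signed by the root.
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Test Intermediate CA" \
    -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -days 30 \
    -extfile "$dir/intermediate.ext" -out "$dir/intermediate.pem" 2>/dev/null

  # Host certificate for the SQL Server, signed by the intermediate.
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=sql.example.test" \
    -keyout "$dir/server.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" \
    -CAkey "$dir/intermediate.key" -CAcreateserial -days 30 \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null

  # The bundle a tlscert setting would point at: host certificate first, then intermediate.
  cat "$dir/leaf.pem" "$dir/intermediate.pem" > "$dir/server.crt"
}

# Print how many PEM certificates a bundle file contains (2 is expected here).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Exit 0 if LEAF chains to ROOT. UNTRUSTED (may be empty) supplies intermediates,
# which is the role the chain presented by the server plays for a TLS client.
chain_verifies() {
  root=$1; untrusted=$2; leaf=$3
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$root" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
  fi
}

main() {
  work=$(mktemp -d)
  make_test_pki "$work"
  echo "certificates in server.crt: $(count_certs "$work/server.crt")"
  # The bundle file itself is fine: the first cert (host) chains via the second (intermediate).
  if chain_verifies "$work/root.pem" "$work/server.crt" "$work/server.crt"; then
    echo "server.crt chains to the trusted root: OK"
  fi
  # What the client sees when only the host certificate is presented.
  if chain_verifies "$work/root.pem" "" "$work/leaf.pem"; then
    echo "host certificate alone chains to the root (unexpected)"
  else
    echo "host certificate alone does NOT chain to the root: this is the client-side validation error"
  fi
  rm -rf "$work"
}

main
```

The first `openssl verify` passes and the second fails with "unable to get local issuer certificate", which is the same condition .NET reports as an invalid remote certificate: the file is correct, the client's trust store is correct, and the gap is only the intermediate that never reached the client. Note that this checks the bundle file rather than the wire: for TDS versions before 8.0 the TLS handshake is carried inside the TDS PRELOGIN exchange, so `openssl s_client` cannot be pointed at port 1433 to see what the server presents. With SQL Server 2022 and strict encryption (TDS 8.0) the handshake happens before any TDS message, and `openssl s_client -connect host:1433 -showcerts` will show the presented chain directly.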
@DennisGlindhart did you ever manage to find a solution to this problem? I've just run into the exact same problem with a similar set-up (SQL Server 2022 on Docker).
Nope - Not really.
A "workaround" that might work in certain scenarios is also including the Intermediate certificate in the Root/Trusted store on all clients, but well.. That kinda defeats the purpose behind intermediates. But might work depending on how much control you have over the clients and why you were using intermediates in the first place.
@DennisGlindhart thanks Dennis. For future reference, I can confirm the issue exists with the Linux version of MSSQL, both in the Docker version and the "plain" version. MSSQL on Windows serves the intermediate certificate just fine.