SSL certificate error connecting to SQL Server after applying entitlement CA cert

System
System Administrator
edited October 22 in Administration

This discussion was created from comments split from: ⚠️ licensing certificates issue

Comments

  • JuanBA281087
    edited October 22

    Hi Team, after applying the certificate change we are now facing the error below:

    Connection Failed

    com.experian.aperturedatastudio.jdbc,sqlserver.base.fu[ApertureDataStudio][SQL Server JDBC]SSL handshake for http://p-sql-cc-bi-01:1436/ failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilder.Exception> unable to find valid certification path to requested target

    For this machine we have applied a certificate shared on the Experian NOC Teams chat. The customer has another machine with the same issue, and we have applied the steps using keytool, and this new issue is not reproducible.

    My question is whether this new issue is possibly caused by the certificate file we installed first, and whether we need to apply it again?

  • Henry Simms (Administrator)
    edited October 23

    Hi @JuanBA281087 - This error means that Data Studio no longer trusts the SQL Server instance that Data Studio is trying to connect to. My guess would be that the JDBC connection is configured to validate the SQL Server's certificate, and it's not in the Java truststore (cacerts) used by Data Studio.

    Assuming this was working before the change to add the entitlement service cert was applied, it suggests that either:

    • A different cacerts is now being used (e.g. Aperture Data Studio Service 64bit.ini was updated), or
    • Somehow, the SQL Server's root CA is no longer in cacerts (possibly it was overwritten if a new public certificate was uploaded with the same alias)

    Adding a new certificate to cacerts should never result in a certificate being removed. I would suggest closely reviewing the steps that were followed to apply the entitlement certificate.

    You could also temporarily update the JDBC connection to use the parameter ValidateServerCertificate=false so that there will be no validation on the SQL Server's certificate, as documented here, to test if that works.
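
One way to check the overwritten-alias possibility raised in the reply above, added here as an example (not code from the thread or from Experian): save the text printed by `keytool -list -keystore <cacerts>` on a machine where the connection works and on the failing one, then compare aliases and fingerprints. The listings, alias names and shortened fingerprints below are constructed sample data.

```python
import re

# Entry header line, e.g. "alias, Jan 10, 2024, trustedCertEntry,"
ENTRY = re.compile(r"^(.+?), .+, (\w+Entry),\s*$")
FPR = re.compile(r"^Certificate fingerprint \(([^)]+)\): ([0-9A-Fa-f:]+)$")

def parse_listing(text):
    """Map alias -> fingerprint from the text printed by `keytool -list`."""
    entries, alias = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            alias = m.group(1)
            continue
        m = FPR.match(line)
        if m and alias is not None:
            entries[alias] = m.group(2).upper()
            alias = None
    return entries

def diff_truststores(good, failing):
    """Compare a known-good listing with the one from the failing machine."""
    g, f = parse_listing(good), parse_listing(failing)
    return {
        "missing_aliases": sorted(g.keys() - f.keys()),
        "new_aliases": sorted(f.keys() - g.keys()),
        # Same alias, different certificate: the overwrite case.
        "replaced_aliases": sorted(a for a in g.keys() & f.keys() if g[a] != f[a]),
        # Certificates no longer trusted under any alias.
        "lost_fingerprints": sorted(set(g.values()) - set(f.values())),
    }

# Constructed listings: aliases and (shortened) fingerprints are made up.
GOOD = """Keystore type: JKS
Your keystore contains 2 entries

internal-root, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:11:11:11
public-root-x, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 22:22:22:22
"""
FAILING = """Keystore type: JKS
Your keystore contains 2 entries

internal-root, Oct 22, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:33:33:33
public-root-x, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 22:22:22:22
"""

if __name__ == "__main__":
    for key, values in diff_truststores(GOOD, FAILING).items():
        print(f"{key}: {values}")
```

A non-empty `lost_fingerprints` list identifies certificates the failing truststore no longer contains under any alias; if the SQL Server's issuing CA is among them, re-importing it under its own alias restores validation.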