Fix “certificate chain was issued by an authority that is not trusted” when using dbatools

by Vlad Drumea July 29, 2023

written by Vlad Drumea July 29, 2023 0 comment

This is a brief post about fixing the following error when using dbatools.

Error occurred while establishing connection to LOCALHOST\VSQL2019 | 
The certificate chain was issued by an authority that is not trusted.

1 2	Error occurred while establishing connection to LOCALHOST\VSQL2019 \| The certificate chain was issued by an authority that is not trusted.

Context

I was just trying to refresh in my environment the stored procedures from Brent Ozar’s First Responder Kit, and I figured I might as well do it the fast way, through dbatools, and got the following error.

PS C:\Users\Vlad> Install-DbaFirstResponderKit -SqlInstance LOCALHOST\VSQL2019 -Database DBATools -OnlyScript Install-Core-Blitz-With-Query-Store.sql WARNING: [21:48:15][Install-DbaFirstResponderKit] Error occurred while establishing connection to LOCALHOST\VSQL2019 | The certificate chain was issued by an authority that is not trusted. SEO certificate chain authority trusted dbatools dbatools the certificate chain was issued by an authority that is not trusted

Cause

According to the Database Connectivity and Authentication documentation, this happens because the new client drivers assume encryption to be ON by default and, as a result, the driver tries to validate the server’s certificate and fails.

Fix – for this connection only

Since in this case I don’t have encrypted connection configured for SQL Server, the solution is to just tell dbatools to trust the server’s certificate.

I create a connection to my instance using Connect-DbaInstance with the -TrustServerCertificate switch and load it into a variable that I will later pass to the Install-DbaFirstResponderKit.

$MyConnection = Connect-DbaInstance -SqlInstance LOCALHOST\VSQL2019 -TrustServerCertificate
Install-DbaFirstResponderKit -SqlInstance $MyConnection -Database DBATools `
-OnlyScript Install-Core-Blitz-With-Query-Store.sql

$MyConnection = Connect-DbaInstance -SqlInstance LOCALHOST\VSQL2019 -TrustServerCertificate

Install-DbaFirstResponderKit -SqlInstance $MyConnection -Database DBATools `

-OnlyScript Install-Core-Blitz-With-Query-Store.sql

PS C:\Users\Vlad> $MyConnection = Connect-DbaInstance -SqlInstance LOCALHOST\VSQL2019 -TrustServerCertificate PS C:\Users\Vlad> Install-DbaFirstResponderKit -SqlInstance $MyConnection -Database DBATools ` >> -OnlyScript Install-Core-Blitz-With-Query-Store.sql ComputerName : VladsPC InstanceName : VSQL2019 SqlInstance : VladsPC\VSQL2019 Database : DBATools Name : Install-Core-Blitz-With-Query-Store Status : Installed SEO certificate chain authority trusted dbatools dbatools the certificate chain was issued by an authority that is not trusted

Fix – for the current PS session

This is perfect when connecting to multiple instances that don’t use encrypted connections, but don’t want to permanently overwrite the new client defaults

For older versions of dbatools

Set-DbatoolsConfig -FullName sql.connection.trustcert -Value $true
Set-DbatoolsConfig -FullName sql.connection.encrypt -Value $false

1 2	Set-DbatoolsConfig -FullName sql.connection.trustcert -Value $true Set-DbatoolsConfig -FullName sql.connection.encrypt -Value $false

For dbatools v 2 and above

Set-DbatoolsInsecureConnection -SessionOnly

1	Set-DbatoolsInsecureConnection -SessionOnly

Fix – the permanent kind

This is perfect if your environment consists of mostly or all instances not using encrypted connections, and you’re ok with overwriting the new client defaults.

For older versions of dbatools

Set-DbatoolsConfig -FullName sql.connection.trustcert -Value $true -Register
Set-DbatoolsConfig -FullName sql.connection.encrypt -Value $false -Register

1 2	Set-DbatoolsConfig -FullName sql.connection.trustcert -Value $true -Register Set-DbatoolsConfig -FullName sql.connection.encrypt -Value $false -Register

For dbatools v 2 and above

Set-DbatoolsInsecureConnection

1	Set-DbatoolsInsecureConnection

Conclusion

That’s it, that’s the post. Not everyone has configured SQL Server for encrypted connections, and this should help avoid constantly running into those errors.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Fix “certificate chain was issued by an authority that is not trusted” when using dbatools

Context

Cause

Fix – for this connection only

Fix – for the current PS session

For older versions of dbatools

For dbatools v 2 and above

Fix – the permanent kind

For older versions of dbatools

For dbatools v 2 and above

Conclusion

Securing SQL Server’s service account

Extend the C drive and move the Recovery partition on a VM in VirtualBox

You may also like

Leave a Comment Cancel Reply