Fix SSL certificate error 1416F086 in sqlcmd on Linux

This post covers a few ways to fix the SSL certificate error 1416F086 returned by sqlcmd on Linux when connecting to SQL Server.

If you’re looking for ways to fix the Windows equivalent of this error when working with dbatools, check out this blog post.

Intro

If you’re here, you’ve most likely ran into the following error message.

The relevant portion of the error message is:

Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : SSL Provider: [error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:self signed certificate].

Unfortunately, at the time of writing, the URL provided in the error message doesn’t really give a clear workaround for when sqlcmd throws this error, so I’ve figured a blog post about this might be helpful.

The cause

This is caused by a change in sqlcmd starting with version 18.0, that sets the default encryption mode for the connection to Mandatory.

This change coupled with the instance not having TLS configured using a CA-signed certificate results in the SSL certificate error 1416F086 being returned by sqlcmd for Linux.

The fix

The real fix is to implement TLS encryption for SQL Server with a valid certificate from a trusted Certificate Authority.

The “I don’t care, I just want it to work” fix is to either use the -C flag.
This flag tells sqlcmd to trust the server certificate, or use the -No flag which tells sqlcmd that encryption is optional.

So, In my case, the command would look like this:

Or this:

And both versions work without any issues, allowing sqlcmd to successfully connect to the instance even if it doesn’t have TLS properly configured.

Conclusion

That’s it, that’s the whole post. The fix is simple, but the error takes a lot of people by surprise.

If you work a lot with sqlcmd on Linux, you might also run into this other error.