microsoft / mssql-docker

Official Microsoft repository for SQL Server in Docker resources
MIT License

SQL Server on Linux does not present/load intermediate certificates #673

Open DennisGlindhart opened 3 years ago

DennisGlindhart commented 3 years ago

This is probably not Docker-specific, but I don't know where else to put my findings. Spent a fair amount of time diving through .NET runtime assemblies to debug this, so if anyone can use this info, then it is not lost :)

[network]
tlscert = /var/opt/mssql/tls/server.crt
tlskey = /var/opt/mssql/tls/server.key
forceencryption = 1

server.crt contains PEM host-certificate + intermediate

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Client (both Linux and Windows) trusts Root CA (which has signed the intermediate). When trying to connect with SqlConnection in .NET or Azure Data Studio the error: "The remote certificate is invalid according to the validation procedure." is presented.

The reason seems to be that the server only sends the host-certificate (Notice only one element in chainElements on the left)

![image](https://user-images.githubusercontent.com/2487368/105379297-faadf700-5c0c-11eb-81ad-ec0611edd8a8.png)

When connecting to a Windows-hosted SQL-Server it works and looks like this

![image](https://user-images.githubusercontent.com/2487368/105379545-3779ee00-5c0d-11eb-92a3-72aaf2a2c46a.png)

Without the intermediate certificate present, the client cannot validate the path to the Root.
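As an added check, not code from this issue or from the mssql-docker project: before concluding that the server drops the intermediate, it is worth confirming that the bundle pointed to by `tlscert` is itself in the right shape, i.e. host certificate first, intermediate second, and each certificate's issuer matching the subject of the one after it. The script below does that with the Python standard library only (a minimal DER walker pulls issuer and subject out of each certificate; signatures are not verified). The path `/var/opt/mssql/tls/server.crt` comes from the mssql.conf above; the `make_fake_cert_pem` helper and the names it uses are constructed fixtures with dummy keys and signatures so the check can be exercised offline.

```python
"""Check the ordering of a PEM bundle such as /var/opt/mssql/tls/server.crt."""
import base64
import re
import sys

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_RE.findall(text)]


def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each TLV inside [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def cert_issuer_subject(der: bytes) -> tuple[bytes, bytes]:
    """Return the raw DER values of (issuer, subject) from an X.509 certificate."""
    tag, cs, ce = _tlv(der, 0)              # Certificate ::= SEQUENCE { tbs, alg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, ts, te = _tlv(der, cs)         # tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_children(der, ts, te))
    if fields and fields[0][0] == 0xA0:     # optional explicit [0] version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    return der[fields[2][1]:fields[2][2]], der[fields[4][1]:fields[4][2]]


def check_bundle(text: str) -> list[str]:
    """Return findings about the bundle; an empty list means it looks well-formed."""
    certs = split_pem_bundle(text)
    if not certs:
        return ["no CERTIFICATE blocks found"]
    findings = []
    if len(certs) == 1:
        findings.append("bundle holds only one certificate: no intermediate included")
    names = [cert_issuer_subject(c) for c in certs]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:  # issuer of cert i must be subject of cert i+1
            findings.append(f"certificate {i} is not issued by certificate {i + 1}: "
                            "bundle order is wrong or a link is missing")
    if names[0][0] == names[0][1]:          # root placed first instead of the host cert
        findings.append("first certificate is self-signed: expected the host certificate first")
    return findings


# --- constructed fixtures: syntactically valid X.509 shells, no real keys or signatures ---
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID commonName (2.5.4.3), UTF8String }"""
    atv = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_fake_cert_pem(subject_cn: str, issuer_cn: str) -> str:
    """Build a certificate-shaped PEM block with a dummy signature (test fixture only)."""
    sig_alg = _der(0x30, bytes.fromhex("06092A864886F70D01010B") + _der(0x05, b""))  # sha256WithRSA
    key_alg = _der(0x30, bytes.fromhex("06092A864886F70D010101") + _der(0x05, b""))  # rsaEncryption
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    spki = _der(0x30, key_alg + _der(0x03, b"\x00\x00"))          # placeholder public key
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9))  # dummy signature bits
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/opt/mssql/tls/server.crt"
    with open(path) as fh:
        problems = check_bundle(fh.read())
    print("\n".join(problems) if problems else f"{path}: bundle order looks correct")
```

Run it as `python check_bundle.py /var/opt/mssql/tls/server.crt`. An empty finding list means the file is fine on disk; if the client still sees a single chainElement, as in the screenshot above, the certificate is being dropped by the server side rather than by a mis-assembled bundle, which is the behaviour this issue reports.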
marcokrikke commented 7 months ago

@DennisGlindhart did you ever manage to find a solution to this problem? I've just run into the exact same problem with a similar set-up (SQL Server 2022 on Docker).

DennisGlindhart commented 7 months ago

> @DennisGlindhart did you ever manage to find a solution to this problem? I've just run into the exact same problem with a similar set-up (SQL Server 2022 on Docker).

Nope - Not really.

A "workaround" that might work in certain scenarios is also including the Intermediate certificate in the Root/Trusted store on all clients, but well.. That kinda defeats the purpose behind intermediates. But might work depending on how much control you have over the clients and why you were using intermediates in the first place.

marcokrikke commented 7 months ago

@DennisGlindhart thanks Dennis. For future reference, I can confirm the issue exists with the Linux version of MSSQL, both in the Docker version and the "plain" version. MSSQL on Windows serves the intermediate certificate just fine.
