Ssl – Schannel: Certificate received from the remote server was issued by an untrusted certificate authority

sql-server-2005sslwindows-event-logwindows-server-2008

i'm not sure whether to ask this on dba.stackexchange.com or here.

Periodically following error is logged in Windows Server 2008 Administrative events:

The certificate received from the remote server was issued by an
untrusted certificate authority. Because of this, none of the data
contained in the certificate can be validated. The SSL connection
request has failed. The attached data contains the server certificate.

Log Name: System
Source: Schannel

Followed by:

The following fatal alert was generated: 48. The internal error state
is 552.

Log Name: System
Source: Schannel

If i change the Force Encryption property in SQL-Server Configuration from "No" to "Yes"(see image below) the error would not be logged anymore.

Force Encryption

But i don't really need SSL-Encryption since all connections are trusted(from intranet) and ports 1333 and 1334 are firewalled from internet.

Would it be a performance impact if i would force encryption and generate a server certificate, is it recommended at all in my situation? I don't want to enforce encryption only to prevent from some event logs if it not even causes serious connection problems(where can i see which connection has caused it?).

Q: Can somebody please explain why these errors are raised and wherefrom?

Best Answer

You probably receive this error because a program (SQL Server in your case?) is trying to access a remote resource over an SSL connection but, the SSL certificate used by this remote resource is not trusted by your server.

To find which remote resource your server is trying to access, in Event Viewer, open the Details tab of the event (use the Friendly View). Here the EventData contains the SSL certificate received.

To understand the EventData, scroll down until you see the section In Bytes. Here on the right the Event Viewer decodes the data in text and you should be able to see among all these weird characters a URL, a userPrincipalName, or something like that.

Note: in my case (test lab), my server was trying to access something on my domain controller. Adding the certificate of my DC to the trusted root store solved the problem.

Related Solutions

Ssl – Why does Window’s SSL Cipher-Suite get restricted under certain SSL certificates

If the certificate being used on the server was generated using the Legacy Key option in the certificate request form, the private key for that certificate will be stored in Microsoft's legacy Cryptographic API framework. When the web server tries to process requests using its new, Cryptographic Next Generation (CNG) framework, it appears that something related to the RSA private key stored in the legacy framework is unavailable to the new framework. As a result, the use of the RSA cipher suites is severely limited.

Solution:
Generate the certificate request using the CNG Key template in the custom certificate request wizard.

MMC | Local Computer Certificate Manager | Personal Certificates Folder | (right click) | All Tasks -> Advanced Operations | Create Custom Request | "Proceed without enrollment policy" | select "(no template) CNG key" | proceed to complete the certificate request according to your needs.

Verifying that the key is in the right place:
http://msdn.microsoft.com/en-us/library/bb204778(VS.85).aspx
http://www.jensign.com/KeyPal/index.html

Tools for verifying correct cipher-suites:
http://pentestit.com/2010/05/16/ssltls-audit-audit-web-servers-ssl-ciphers/
https://www.ssllabs.com/

SSL cipher-suite settings:
http://support.microsoft.com/kb/245030
http://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx

This took us a week to figure out. I hope this saves someone the same trouble.

SSL Error – Unable to Read Server Certificate from File

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

you've got a file in Windows line-terminated format, and apache doesn't love those.

Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.

Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.

Best Answer

Related Solutions

Ssl – Why does Window’s SSL Cipher-Suite get restricted under certain SSL certificates

SSL Error – Unable to Read Server Certificate from File

Related Topic