SQL-18452 cloud auth_error ai_generated partial

System.Data.SqlClient.SqlException: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

ID: cloud/azure-function-cold-start-sql-connection

Fix rate: 83%
Confidence: 83%
Evidence: 1
First seen: 2024-08-05

Version Compatibility

Version                    Status   Introduced   Deprecated   Notes
Azure Functions .NET 8.0   active   -            -            -
SQL Server 2022            active   -            -            -

Root Cause

The Function's SQL connection string sets Encrypt=True with TrustServerCertificate left at its default of False, so the driver validates the server's TLS certificate chain against the function runtime's trust store. The login fails because that store does not contain the root CA the server certificate chains to. The usual causes are a custom Linux container built without the distribution's CA bundle (the ca-certificates package), or a self-hosted SQL Server presenting a certificate from a private or self-signed CA that was never distributed to the client. Azure SQL Database itself uses certificates issued by public CAs, so a complete standard trust store is enough for it. The "SSL Provider" in the message is the TLS layer of the TDS login handshake, not the credential check: the TCP connection succeeds, the handshake is rejected before any username or token is sent.

Official Documentation

https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-error-pages#sql-connection-errors

Workarounds

  1. 85% success. Make the server's root CA available to the function runtime. For Azure SQL Database the certificate chains to a public root, so a custom Linux container normally just needs the distribution CA bundle: install the ca-certificates package and run update-ca-certificates on the Debian-based Azure Functions images (update-ca-trust is the RHEL/Fedora equivalent and does not exist there). Check which root the server actually presents before pinning one: Azure has been migrating its services off the Baltimore CyberTrust Root (which itself expires in May 2025) to DigiCert Global Root G2 and Microsoft's own roots, so shipping only the Baltimore certificate may not restore trust. For a self-hosted SQL Server with a private CA, copy the root certificate in PEM form with a .crt extension into /usr/local/share/ca-certificates/ and run update-ca-certificates during the image build.
  2. 90% success. Use managed identity instead of SQL authentication: 'Server=tcp:server.database.windows.net;Authentication=Active Directory Managed Identity;Database=mydb;Encrypt=True'. This requires Microsoft.Data.SqlClient (the Authentication keyword is not supported by System.Data.SqlClient, which the stack trace above comes from) and the Function's identity must be granted a contained user in the database. It removes the password from app settings but does not change how the server certificate is validated; the TLS handshake still has to succeed, so combine it with step 1.
  3. 70% success. Set 'Encrypt=False' (or 'TrustServerCertificate=True') as a temporary workaround. Not acceptable for production: Azure SQL Database still encrypts the session because the server requires it, but the client no longer verifies who it is talking to, which is exactly the guarantee that protects credentials and data from an on-path attacker.
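A worked example of steps 2 and 3 above, added here and not code from the original page. It is written for Microsoft.Data.SqlClient 5.x on .NET 8: it builds a hardened managed-identity connection string, flags the two keywords that silently turn off certificate validation, and classifies the exception from SqlConnection.Open() so a chain-trust failure is not mistaken for a rejected login. The server and database names are placeholders, and it assumes the Function's managed identity has already been granted a user in the database.

```csharp
// Added example, not from the original page: hardened Azure SQL connection from an
// Azure Function with Microsoft.Data.SqlClient 5.x, plus a classifier that separates a
// certificate-trust failure from a rejected login. Server/database names are placeholders.
using System;
using System.Security.Authentication;
using Microsoft.Data.SqlClient;

public static class SqlTrustDiagnostics
{
    public enum Failure { None, UntrustedCertificate, LoginRejected, Other }

    // Build the string explicitly instead of relying on driver defaults. Encrypt=Mandatory
    // and TrustServerCertificate=false together mean the server certificate is validated
    // against the runtime's trust store, which is the check that produced the error above.
    public static string BuildConnectionString(string server, string database)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = $"tcp:{server},1433",
            InitialCatalog = database,
            Encrypt = SqlConnectionEncryptOption.Mandatory,
            TrustServerCertificate = false,
            // Managed identity: no password in app settings; the driver fetches a token.
            // Requires Microsoft.Data.SqlClient; System.Data.SqlClient has no such keyword.
            Authentication = SqlAuthenticationMethod.ActiveDirectoryManagedIdentity,
            ConnectTimeout = 30,
        };
        return b.ConnectionString;
    }

    // True only if the string keeps certificate validation on. Catches the two "temporary"
    // knobs from the workarounds list: Encrypt=False and TrustServerCertificate=True.
    public static bool IsHardened(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        bool encrypt = b.Encrypt;   // SqlConnectionEncryptOption converts to bool (Optional => false)
        return encrypt && !b.TrustServerCertificate;
    }

    // Walk the exception chain from SqlConnection.Open(). On Linux (managed SNI) the TLS
    // failure surfaces as an AuthenticationException under the SqlException; on Windows
    // (native SNI) only the "certificate" wording in the message is reliable, so both are checked.
    public static Failure Classify(Exception ex)
    {
        for (Exception? e = ex; e != null; e = e.InnerException)
        {
            if (e is AuthenticationException) return Failure.UntrustedCertificate;
            if (e is SqlException sql)
            {
                if (sql.Number == 18456) return Failure.LoginRejected;   // "Login failed for user"
                if (sql.Message.Contains("certificate", StringComparison.OrdinalIgnoreCase))
                    return Failure.UntrustedCertificate;
            }
        }
        return Failure.Other;
    }

    public static Failure TryOpen(string connectionString)
    {
        try
        {
            using var conn = new SqlConnection(connectionString);
            conn.Open();
            return Failure.None;
        }
        catch (Exception ex)
        {
            return Classify(ex);
        }
    }

    // Entry point for a Function: refuse to start with an insecure string, then open.
    public static Failure Run(string server, string database)
    {
        string cs = BuildConnectionString(server, database);
        if (!IsHardened(cs))
            throw new InvalidOperationException("certificate validation is disabled in the connection string");
        return TryOpen(cs);
    }
}
```

When Run returns UntrustedCertificate the fix belongs in the container image (step 1), not in the connection string; when it returns LoginRejected the trust store is fine and the identity or its database user is the problem. IsHardened is also a useful startup check against connection strings loaded from app settings, since a TrustServerCertificate=True left over from debugging is otherwise invisible.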


Dead Ends

Common approaches that don't work:

  1. 60% fail: disabling certificate validation on the client. This turns off the check that produced the error rather than satisfying it; it is a security risk, may violate compliance policies, and leaves the underlying trust problem in place.

  2. 90% fail: regenerating the certificate on the server. A new server certificate does not update the client's trust store; the function still has to trust whatever CA issued it. For Azure SQL Database the certificate is Microsoft-managed and cannot be regenerated by the customer anyway.

  3. 80% fail: switching the server to a self-signed certificate. A self-signed certificate still needs client-side trust configuration, and importing it manually into the Functions runtime is awkward and often fails because of runtime limitations.