# System.Data.SqlClient.SqlException: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

- **ID:** `cloud/azure-function-cold-start-sql-connection`
- **Domain:** cloud
- **Category:** auth_error
- **Error Code:** `SQL-18452`
- **Verification:** ai_generated
- **Fix Rate:** 83%

## Root Cause

The Azure Function's SQL connection string sets `Encrypt=True`, but the client does not trust the server's SSL certificate because the root CA is missing from the function runtime or its trust store is misconfigured.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Azure Functions .NET 8.0 | active | — | — |
| SQL Server 2022 | active | — | — |

## Workarounds

1. **Add the Azure SQL Database's root CA certificate to the function's trust store: download Baltimore CyberTrust Root cert and install via `update-ca-trust` in a custom container** (85% success)
2. **Use Managed Identity instead of SQL authentication by setting the connection string as follows** (90% success)
   ```
   Server=tcp:server.database.windows.net;Authentication=Active Directory Managed Identity;Database=mydb
   ```
3. **Set 'Encrypt=False' in connection string as a temporary workaround (not recommended for production)** (70% success)
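
A pre-deployment check for the connection-string settings these workarounds touch, as an added example that is not part of the original entry. Besides `Encrypt=False` it flags `TrustServerCertificate=True`, a SqlClient keyword this page does not name that also skips certificate-chain validation; the function names and sample strings are constructed for illustration.

```python
import re

# One "key=value" pair; the value may be bare, 'single-quoted' or "double-quoted".
_PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;]*))\s*(?:;|$)""")

TRUE_VALUES = {"true", "yes"}
FALSE_VALUES = {"false", "no", "optional"}


def parse_connection_string(conn_str):
    """Return keywords lower-cased with spaces removed, so that
    'Trust Server Certificate' and 'TrustServerCertificate' compare equal."""
    settings = {}
    for m in _PAIR.finditer(conn_str):
        key = m.group(1).lower().replace(" ", "")
        value = next((g for g in m.groups()[1:] if g is not None), "")
        settings[key] = value.strip()  # a repeated keyword: last occurrence wins
    return settings


def audit_connection_string(conn_str):
    """Return findings for TLS and credential settings; an empty list means none."""
    s = parse_connection_string(conn_str)
    findings = []
    encrypt = s.get("encrypt", "").lower()
    if encrypt in FALSE_VALUES:
        findings.append("Encrypt is disabled: the client does not require TLS")
    elif encrypt == "":
        findings.append("Encrypt is not set: behaviour depends on the client library default")
    if s.get("trustservercertificate", "").lower() in TRUE_VALUES:
        findings.append("TrustServerCertificate is enabled: the certificate chain is not validated")
    if "password" in s or "pwd" in s:
        findings.append("SQL authentication secret embedded in the connection string")
    return findings


# Constructed sample connection strings (server and database names are placeholders).
SAMPLES = {
    "temporary_workaround": "Server=tcp:server.database.windows.net;Database=mydb;"
                            "User ID=app;Password='p;w';Encrypt=False",
    "validation_skipped": "Server=tcp:server.database.windows.net;Database=mydb;"
                          "Encrypt=True;Trust Server Certificate=yes",
    "managed_identity": "Server=tcp:server.database.windows.net;Database=mydb;"
                        "Authentication=Active Directory Managed Identity;Encrypt=True",
}

if __name__ == "__main__":
    for name, cs in SAMPLES.items():
        print(name, audit_connection_string(cs) or "no findings")
```

Run it over application settings in CI so that a temporary `Encrypt=False` workaround does not reach production unnoticed.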

## Dead Ends

- **** — This disables SSL validation, which is a security risk and may violate compliance policies; also, it does not fix the underlying trust issue. (60% fail)
- **** — Regenerating certificates on the server does not update the client's trust store; the new certificate still needs to be trusted by the function. (90% fail)
- **** — Self-signed certificates still require client-side trust configuration; manual import in Azure Functions is complex and often fails due to runtime limitations. (80% fail)
