System.Data.SqlClient.SqlException:与服务器成功建立连接,但在登录过程中发生错误。(提供程序:SSL提供程序,错误:0 - 证书链由不受信任的颁发机构颁发。)
System.Data.SqlClient.SqlException: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)
ID: cloud/azure-function-cold-start-sql-connection
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Azure Functions .NET 8.0 | active | — | — | — |
| SQL Server 2022 | active | — | — | — |
根因分析
Azure Function的SQL连接字符串使用'Encrypt=True',但服务器的SSL证书因缺少根CA或函数运行时中的信任存储配置错误而不受客户端信任。
English
Azure Function's SQL connection string uses 'Encrypt=True' but the server's SSL certificate is not trusted by the client due to missing root CA or misconfigured trust store in the function runtime.
官方文档
https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-error-pages#sql-connection-errors解决方案
-
Add the Azure SQL Database's root CA certificate to the function's trust store: download Baltimore CyberTrust Root cert and install via `update-ca-trust` in a custom container
-
Use Managed Identity instead of SQL authentication: set connection string to 'Server=tcp:server.database.windows.net;Authentication=Active Directory Managed Identity;Database=mydb'
-
Set 'Encrypt=False' in connection string as a temporary workaround (not recommended for production)
无效尝试
常见但无效的做法:
-
60% 失败
This disables SSL validation, which is a security risk and may violate compliance policies; also, it does not fix the underlying trust issue.
-
90% 失败
Regenerating certificates on the server does not update the client's trust store; the new certificate still needs to be trusted by the function.
-
80% 失败
Self-signed certificates still require client-side trust configuration; manual import in Azure Functions is complex and often fails due to runtime limitations.