# System.Data.SqlClient.SqlException：与服务器成功建立连接，但在登录过程中发生错误。（提供程序：SSL提供程序，错误：0 - 证书链由不受信任的颁发机构颁发。）

- **ID:** `cloud/azure-function-cold-start-sql-connection`
- **领域:** cloud
- **类别:** auth_error
- **错误码:** `SQL-18452`
- **验证级别:** ai_generated
- **修复率:** 83%

## 根因

Azure Function的SQL连接字符串使用'Encrypt=True'，但服务器的SSL证书因缺少根CA或函数运行时中的信任存储配置错误而不受客户端信任。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| Azure Functions .NET 8.0 | active | — | — |
| SQL Server 2022 | active | — | — |

## 解决方案

1. ```
   Add the Azure SQL Database's root CA certificate to the function's trust store: download Baltimore CyberTrust Root cert and install via `update-ca-trust` in a custom container
   ```
2. ```
   Use Managed Identity instead of SQL authentication: set connection string to 'Server=tcp:server.database.windows.net;Authentication=Active Directory Managed Identity;Database=mydb'
   ```
3. ```
   Set 'Encrypt=False' in connection string as a temporary workaround (not recommended for production)
   ```

## 无效尝试

- **** — This disables SSL validation, which is a security risk and may violate compliance policies; also, it does not fix the underlying trust issue. (60% 失败率)
- **** — Regenerating certificates on the server does not update the client's trust store; the new certificate still needs to be trusted by the function. (90% 失败率)
- **** — Self-signed certificates still require client-side trust configuration; manual import in Azure Functions is complex and often fails due to runtime limitations. (80% 失败率)