Can't Connect to MSSQL local DB

ahernandez · February 11, 2022, 6:31pm

Hi everyone, I’m having issues trying to connect to my local DB for MSSQL. I am using Ignition 8.1.10 and SQL server management studio v18.10. I have checked everything and followed all the steps online, but I am getting this error and don’t know how to fix it:

Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: “PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”. ClientConnectionId:eaee1d6c-8ab1-4c66-a8fc-ee545b7cafdd)

Anyone have any ideas what is going on here?

rdyer · February 11, 2022, 6:48pm

We are having the same issue. I installed java 8.321 and the database connections all faulted. Reverted back to 8.181 and the connections are good.

IT wants the latest java version due to Log4j issues but I don’t know if that helps

pturmel · February 11, 2022, 6:59pm

See these topics:

https://forum.inductiveautomation.com/search?q=java.security%20sql%20tls

TL/DR: Your SQL Server is old and doesn’t understand modern encryption, which latest java cuts off because it is insecure.

rdyer · February 11, 2022, 7:01pm

Thank you.

Kevin.Herron · February 11, 2022, 11:19pm

This looks like a different error than before, though I don’t know why reverting the Java version would fix it.

This error implies the certificate being used by SQL Server isn’t trusted by Ignition, which isn’t uncommon when it’s self-signed or signed by an internal CA. You just need to add that CA certificate to Ignition’s supplemental cert store for import.

I wonder if one version of Java is not using SSL at all and the other is?

ahernandez · February 14, 2022, 3:40pm

Do you know where I can find the CA certificate? Is this something SQL server provides? Where is Ignition’s supplemental cert store? I I’m also running Ignition 8.1 I thought ignition packages its own java in version 8.0+ so why would I need to change the version of Java?

Kevin.Herron · February 14, 2022, 3:55pm

If that’s the issue the CA certificate would be something configured in SQL Server or maybe you can get your IT admin to help if you have one.

Read about the supplemental cert store here: Adding Security Certificates into Keystores - Ignition User Manual 8.1 - Ignition Documentation

You don’t need to change the version of Java, that advice pertains to people on Ignition 7.9 running JDK 8 and having upgraded it to a version that disables the old/deprecated TLS versions by default.

ahernandez · February 14, 2022, 5:58pm

Yup that fixed it! I had to first put the SQL CA certificate in the Trusted Root Certification Authorities store. Then I put the CA Certificate in the supplemental directory. Restarted SQL server, the ignition gateway, and then rebooted my computer. My MSSQL is now valid and connected. Thank you so much for the help!

Matt_Risser · March 16, 2022, 4:41pm

@ahernandez Where did you find the SQL CA certificate or how did you create one?

ahernandez · March 16, 2022, 7:34pm

@Matt_Risser You need to open SQL server configuration manager and go to SQL server network configuration and right click open properties on your database it will probably be something like “SQLEXPRESS.” Afterwards go to the certificate tab and go to view then the details tab then click copy the file and you should be able to export the .DER file. Once you have that certificate file you put in this directory C:\Program Files\Inductive Automation\Ignition\data\certificates\supplemental… I also put in this directory C:\Program Files\Inductive Automation\Ignition\data\certificates. Then restart your gateway and computer and it should work