sqlserver error "TLS Handshake failed: x509: certificate signed by unknown authority"

Peggy Scott

Sep 10, 2019, 3:23:08 PM
to golang-nuts
I am using a dockerized Golang image to connect to my Azure SQL server database. When I try to ping it, I am running into "TLS Handshake failed: x509: certificate signed by unknown authority". I am able to run my app from my box without dockerization without any issues. I am also able to ping my Azure Postgres server with sslmode=require without issues using the same Golang image. I am using the https://github.com/denisenkom/go-mssqldb package. My connection code is:

    db, err := sql.Open("sqlserver", "server=myserver.database.windows.net;user id=myuserid;"+
        "password=mypassword;port=1433;database=mydbname;encrypt=true;TrustServerCertificate=false;"+
        "connection+timeout=30;hostNameInCertificate=*.database.windows.net;")
    if err != nil {
        globals.Log.WithError(err).WithFields(logrus.Fields{
            "drivername":       "sqlserver",
            "connectionstring": "secret",
            "error":            err.Error()}).Panic("Unable to connect to db")
    }

What am I missing?

Marcin Romaszewicz

Sep 10, 2019, 3:28:56 PM
to Peggy Scott, golang-nuts
You're missing the CA root certificates for whatever Linux distribution is running your application. For example, I use Alpine Linux as my Docker base image for my Go services, and I must install the certificates like this via the Dockerfile:

    RUN apk update && apk add ca-certificates

Find the correct way to do that in your Docker base image.

-- Marcin


Peggy Scott

Sep 10, 2019, 5:07:01 PM
to golang-nuts
Yes!!

    RUN apt-get update && apt-get install ca-certificates -y

for amd64/ubuntu:18.04
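The failure and the fix from this thread, reproduced offline with Go's `crypto/x509` as an added example (not code from the thread or from go-mssqldb). A constructed CA and a leaf certificate for `*.database.windows.net` are verified against an empty trust store, a store that contains the CA, and that same store with a different host name; the function names, certificates and `myserver.example.net` are made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed certificate; a nil parent yields a self-signed root CA.
func issue(cn string, dns []string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify checks leaf against an explicit root pool for host and returns "ok" or the error text.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err.Error()
	}
	return "ok"
}

// runCases returns results for: empty trust store, CA installed, CA installed but wrong host.
func runCases() [3]string {
	ca, caKey := issue("Constructed Root CA", nil, nil, nil)
	leaf, _ := issue("constructed leaf", []string{"*.database.windows.net"}, ca, caKey)
	bare, fixed := x509.NewCertPool(), x509.NewCertPool() // image without / with the CA bundle
	fixed.AddCert(ca)
	const host = "myserver.database.windows.net"
	return [3]string{verify(leaf, bare, host), verify(leaf, fixed, host), verify(leaf, fixed, "myserver.example.net")}
}

func main() { fmt.Println(runCases()) }
```

Once the CA is in the trust store, verification succeeds for the expected host and still rejects any other, so `TrustServerCertificate=false` can stay as posted.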