After installing a new SSL certificate, my MSSQL server is no longer able to be restarted
Problem
I installed an SSL certificate using a pfx file, taking the hash and putting it inside the Certificate key of SuperSocketNetLib. I restarted the MSSQL server using the MSSQL Management Tool, and upon doing that I got the following errors:
The SQL Server (MSSQLSERVER) service terminated with the following service-specific error:
Cannot find object or property.
A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the operating system error log for information about possible related problems.
I could not restart the server. Strangely enough, I went to a dev server and did the same thing and I didn't get any error. So the certificate works on one machine but not the other, and I was able to connect with the encryption option checked.
To restart the server on the other machine, I had to use the old certificate hash inside the Certificate key of SuperSocketNetLib, which means something is wrong with the certificate, but what is wrong, and why is it working on other sites? The SSL and pfx files worked on other websites. It's a certificate for *.netflix.com and I was able to install it on multiple IIS servers such as finance.netflix.com and acc.netflix.com using the pfx file, and on multiple websites.
Solution
In addition to the permissions mentioned in another answer ...
If the service account that the SQL Engine runs under is not a local administrator, you need to grant it Read access to the certificate's private key.
- Open the Certificates management console, or add it as a snap-in to a fresh MMC session. Select Local Computer for the set of certificates to manage.
- Find the certificate in question. It is probably under Personal --> Certificates. Right-click and select All Tasks --> Manage Private Keys....
- Add the SQL Engine service account, giving it Read access. (It'll default to Full Control when you add it, but Read is sufficient.)
- (In a cluster, you have to do this on each node.)
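The same fix as a script, added here as an example and not part of the original answer: it resolves the instance's service account and the thumbprint SQL Server will load from SuperSocketNetLib\Certificate, finds the private key file on disk, and grants that account Read (not Full Control) on it. It assumes an elevated PowerShell session on the SQL host, a software-backed key in the Local Computer Personal store, and a default instance; $InstanceName is an assumption and must be changed for a named instance.

```powershell
# Added example (not from the original answer): grant the SQL Server service
# account Read access to the private key behind SuperSocketNetLib\Certificate.
# Run elevated on the SQL host; on a failover cluster run it on every node.
# $InstanceName is an assumption; set it to the instance name for a named instance.
param([string]$InstanceName = 'MSSQLSERVER')

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# 1. Resolve the instance ID (e.g. MSSQL16.MSSQLSERVER) and the account the
#    engine service runs under, rather than hard-coding either.
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$InstanceName
$serviceName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
$serviceAccount = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").StartName
Write-Host "Instance $instanceId ($serviceName) runs as $serviceAccount"
if ($serviceAccount -eq 'LocalSystem') {
    Write-Host 'Engine runs as LocalSystem (a local administrator); no ACL change needed.'
    return
}

# 2. Read the thumbprint SQL Server will look up at start-up and normalise it.
$regPath   = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
$rawThumb  = (Get-ItemProperty -Path $regPath -Name Certificate).Certificate
$thumbprint = ($rawThumb -replace '[^0-9A-Fa-f]', '').ToUpper()   # drop spaces / hidden characters
if ($thumbprint.Length -ne 40) { throw "Certificate value '$rawThumb' is not a SHA-1 thumbprint" }

# 3. The certificate must be in the Local Computer Personal store with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint
if (-not $cert)               { throw "No certificate $thumbprint in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key; re-import the PFX with its key" }

# 4. Locate the key container file. CNG keys live under ProgramData\Microsoft\Crypto\Keys,
#    legacy CAPI keys under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
} else {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyRoots = @("$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
$keyFile  = Get-ChildItem -Path $keyRoots -Recurse -Filter $uniqueName -ErrorAction SilentlyContinue |
            Select-Object -First 1
if (-not $keyFile) { throw "Key container $uniqueName not found under $($keyRoots -join ', ')" }

# 5. Grant Read (sufficient for TLS; Full Control is not needed) and show the result.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

(Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

After the ACL change, restart the SQL Server service and check the SQL Server error log for the start-up line that reports the certificate being loaded; if the thumbprint in the registry does not match any certificate in the Local Computer store, the script stops at step 3, which separates a bad registry value from a bad key ACL.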
Context
StackExchange Database Administrators Q#306640, answer score: 4