[Fixed] Powershell – The certificate chain was issued by an authority that is not trusted (dbatools) – Powershell

by
Ali Hasan
azure-powershell dbatools sql-server vagrant-windows

Quick Fix: Use the -NoSqlCheck parameter to skip the check of the SQL data files, or force the connection to trust the server certificate if you don’t want to install a proper certificate, but know that this is a significant security issue.

The Problem:

When executing dbatools scripts, various commands encounter a warning stating: ‘The certificate chain was issued by an authority that is not trusted’. Despite attempts to set ‘TrustServerCertificate=True’ in the SQL Server connection string, the issue persists. A PowerShell-specific solution is sought to resolve this warning.

The Solutions:

Solution 1: Bypass the SQL Server Certificate Check

To avoid certificate trust issues when using dbatools scripts, you can disable the SQL data file check by using the -NoSqlCheck parameter. However, it’s recommended to obtain a valid certificate for your SQL Server instance to ensure security.

Solution 2: Force Trusting Untrusted Certificates

If you wish to connect to SQL Server despite an untrusted certificate, you can force PowerShell to trust it. However, this approach presents significant security risks. You can use the following code snippet to force certificate trust:

```powershell
$server = Connect-DbaInstance `
    -SqlInstance 'yourMachine.domain.com' `
    -Database 'YourDb' `
    -TrustServerCertificate;
# add credentials using -SqlCredential

Backup-DbaDatabase -SqlInstance $server…..
```

Solution 3: DbaToolsConfig Settings

If you want to keep your current version of dbatools and don’t want to add code to each script, you can set the DbaToolsConfig settings:

```powershell
Set-DbatoolsConfig -FullName sql.connection.trustcert -Value $true -Register
Set-DbatoolsConfig -FullName sql.connection.encrypt -Value $false -Register
```

This sets sql.connection.trustcert to $true, which causes dbatools to trust all certificates, and sql.connection.encrypt to $false, which causes dbatools to use unencrypted connections. The -Register switch persists both values, so they apply to later sessions as well.
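
A way to check whether these two settings are in effect on a workstation, as an added example that is not part of the original post or of dbatools itself. The helper name Get-InsecureSqlSetting, the sample values and the choice of trustcert = $false and encrypt = $true as the strict values are assumptions; both settings are assumed to hold booleans.

```powershell
# Added example: report dbatools connection settings that weaken TLS.
# Get-InsecureSqlSetting is a hypothetical helper, not a dbatools command.
function Get-InsecureSqlSetting {
    param(
        # Setting name -> current value (assumed boolean, as in the commands above)
        [Parameter(Mandatory)] [hashtable] $Current
    )
    # Strict values assumed here: validate the certificate, encrypt the session
    $strict = [ordered]@{
        'sql.connection.trustcert' = $false
        'sql.connection.encrypt'   = $true
    }
    foreach ($name in $strict.Keys) {
        if ([bool]$Current[$name] -ne $strict[$name]) {
            [pscustomobject]@{
                FullName = $name
                Current  = $Current[$name]
                Strict   = $strict[$name]
            }
        }
    }
}

# Constructed sample: the state the two registered settings leave behind
$sample = @{
    'sql.connection.trustcert' = $true
    'sql.connection.encrypt'   = $false
}
Get-InsecureSqlSetting -Current $sample | Format-Table -AutoSize

# With dbatools available, audit the live configuration
$restoreStrictValues = $false   # set to $true to write the strict values back
if (Get-Command Get-DbatoolsConfigValue -ErrorAction SilentlyContinue) {
    $live = @{}
    foreach ($name in 'sql.connection.trustcert', 'sql.connection.encrypt') {
        $live[$name] = Get-DbatoolsConfigValue -FullName $name
    }
    foreach ($finding in (Get-InsecureSqlSetting -Current $live)) {
        Write-Warning "$($finding.FullName) is set to $($finding.Current)"
        if ($restoreStrictValues) {
            Set-DbatoolsConfig -FullName $finding.FullName -Value $finding.Strict -Register
        }
    }
}
```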

Solution 4: Update the Module and Use the -TrustServerCertificate Switch

Rather than reverting to a previous module version, it’s advisable to update the module for security and other reasons. After updating, consider the following steps:

  1. Install an Appropriate Certificate (Recommended): Acquire and install a certificate that is trusted by the system.
  2. Use the -TrustServerCertificate Switch: If installing a certificate is not feasible, pass the -TrustServerCertificate switch on the command that opens the connection. For example, when using Invoke-Sqlcmd from the SqlServer module to query a SQL database (the same applies to dbatools):

    $server = "Your_Server"
    $db = "Your_Database_To_Connect"
    $query = "Select name from sys.databases;"
    Invoke-Sqlcmd -ServerInstance $server -Database $db -Query $query -ConnectionTimeout 3 -TrustServerCertificate
    

Q&A

Powershell – The certificate chain was issued by an authority that is not trusted (dbatools)

Set-DbatoolsInsecureConnection -SessionOnly and remember to use -TrustServerCertificate switch in your connection string
