SCCM 2012 DB migration - certificate chain error

  • Question

  • Hi all

    I am having an issue with migrating an SCCM 2012 database to a new SQL instance that doesn't seem to be uncommon; however, I have had no luck in resolving the issue with what other people have suggested on forums. I have an SCCM 2012 installation which currently has the site database located on a co-located SQL 2012 instance. I am trying to migrate this database to a different SQL 2012 server with multiple named instances.

    I have followed the instructions as per the following article: http://blogs.technet.com/b/configurationmgr/archive/2013/04/02/how-to-move-the-configmgr-2012-site-database-to-a-new-sql-server.aspx

    I have backed up and restored the database to the new instance as per the guide; however, when running the Configuration Manager Setup Wizard I am getting the following errors:

    *** Failed to connect to the SQL Server, connection type: SMS ACCESS. Configuration Manager Setup 22/04/2015 11:51:10 AM 4428 (0x114C)
    INFO: SQL Connection failed. Connection: SMS ACCESS, Type: Secure Configuration Manager Setup 22/04/2015 11:51:10 AM 4428 (0x114C)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 22/04/2015 11:51:13 AM 4428 (0x114C)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 22/04/2015 11:51:13 AM 4428 (0x114C)
    *** Failed to connect to the SQL Server, connection type: SMS ACCESS. Configuration Manager Setup 22/04/2015 11:51:13 AM 4428 (0x114C)

    The errors will continue to pop up every 3 seconds for a few minutes before timing out and the wizard errors out.

    I have tried as others suggested and performed the following with no luck:
    - added the SCCM 2012 service account (account that I'm running the Config Manager wizard as) and computer account to the local administrators group on the SQL server
    - given the SCCM 2012 service account (account that I'm running the Config Manager wizard as) sysadmin privileges to the SQL instance
    - from our internal CA I've issued a certificate for the SQL server and installed it on both the SQL and SCCM server
    - tried exporting the SCCM server cert from the SMS_SITE_COMPONENT_MANAGER\Trusted People store and installed it into the Local Computer\Personal certificate store on the SQL server. Even tried installing it into the MSSQL$INST02\Personal store (INST02 being the name of the SQL instance)

    Articles that I've already referenced to try and fix this, however without any luck:
    https://social.technet.microsoft.com/Forums/en-US/b5e1fc09-1f09-4de2-93c3-c0261fdda238/the-certificate-chain-was-issued-by-an-authority-that-is-not-trusted-when-migrating-to-sql-2012?forum=configmanagerdeployment#a294676b-d51a-4049-82cf-adde14f9711a

    https://social.technet.microsoft.com/Forums/en-US/1726fa9d-a97b-41cb-8531-5a5f7191132e/cant-migrate-sccm-database-to-sql-server-2008-r2-cluster-connection-failed-sms-access?forum=configmanagergeneral

    Does anyone have any suggestions? The ideal solution for me would be to remove the need to use certificates for the connection to the SQL backend if that is at all possible.

    Cheers
    Brady

    Wednesday, April 22, 2015 5:08 AM

Answers

  • At this point I recommend that you contact Microsoft support CSS and ask them how to solve this problem.

    IMO you shouldn't need the two certs from your internal CA but you will need the two certs from your site server.


    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    • Proposed as answer by Joyce L Thursday, April 23, 2015 6:14 AM
    • Marked as answer by Joyce L Wednesday, May 6, 2015 8:24 AM
    Wednesday, April 22, 2015 10:14 AM

All replies

  • Was this ever solved? I'm moving my SQL database tonight...

    Will

    Friday, April 1, 2016 12:39 PM
  • Was this ever solved? I'm moving my SQL database tonight...

    Will

    If your SQL Server is clustered you need to check which certificate is being used.  Follow this:

    https://blogs.msdn.microsoft.com/jorgepc/2008/02/19/enabling-certificate-for-ssl-on-a-sql-server-2005-clustered-installation/

    The cert does not display in the GUI correctly.  I ended up creating a new cert via our CA with a common name which matched the SQL cluster name, importing that into all cluster nodes, then configuring it via the registry as per above.  I then stopped and restarted the SQL instance, and I could then connect.

    Thursday, April 21, 2016 10:20 AM
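
The check described in the last reply (which certificate the instance is actually configured to present, and whether its name and chain are acceptable) can be scripted. This is an added example, not part of the original thread or of any Microsoft tooling; the instance name is taken from the question and `$ExpectedName` is a hypothetical placeholder for the name the site server connects to.

```powershell
# Added diagnostic sketch. Run on each SQL node in an elevated PowerShell session.
# $InstanceName and $ExpectedName are placeholders; set them for your environment.
$InstanceName = 'INST02'                    # instance name as used in the question
$ExpectedName = 'sqlcluster.example.local'  # hypothetical name the site server connects to

# Map the instance name to its instance ID (e.g. MSSQL11.INST02), then read the
# thumbprint SQL Server is configured to present for encrypted connections.
$root       = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instanceId = (Get-ItemProperty "$root\Instance Names\SQL").$InstanceName
$netLib     = Get-ItemProperty "$root\$instanceId\MSSQLServer\SuperSocketNetLib"
$thumbprint = $netLib.Certificate

if ([string]::IsNullOrWhiteSpace($thumbprint)) {
    # No certificate configured: SQL Server falls back to a self-signed certificate
    # generated at startup, which clients will not trust.
    Write-Warning "No certificate configured for $instanceId (self-signed fallback in use)."
    return
}

# -eq is case-insensitive, so the lower-case registry value matches the store's thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    Write-Warning "Thumbprint $thumbprint is configured but not present in LocalMachine\My."
    return
}

# Build the chain against this machine's trust stores and report why it fails, if it does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # skip CRL lookups; enable them if the CDP is reachable
$trusted = $chain.Build($cert)

[pscustomobject]@{
    InstanceId    = $instanceId
    Subject       = $cert.Subject
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
    NameMatches   = ($cert.GetNameInfo('DnsName', $false) -eq $ExpectedName)
    ChainTrusted  = $trusted
    ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

The chain result reflects the trust stores of the machine where the script runs; the error in the question is raised on the site server, so the issuing CA must also be trusted there.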