Can't connect to MS SQL Server

Hi, I am running the latest Metabase app on Mac and trying to connect to MS SQL Server Express.

I can connect fine via Azure Data Studio on the same Mac with the same connection info and Encrypt connection set to true; however, I get the following error in Metabase:

The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". ClientConnectionId:XXXXXXXXXXXXXX

Any ideas on how to resolve this?

thanks

Hi @ssbssb
Do you define the certificate in ADS? Or are you just adding the connection string parameter? If you've not added a certificate, then I'm guessing the default of ADS might just be the following, which you can add to Connection String in Metabase > Admin > Databases > (your-db):
encrypt=true;trustServerCertificate=true;

If you have a certificate, then you'll need to add it into the TrustStore - and then I would not recommend using the Mac App - use the JAR file instead.
https://docs.microsoft.com/en-us/sql/connect/jdbc/configuring-the-client-for-ssl-encryption?view=sql-server-ver15

Hi - what is ADS? I am running MS SQL on an Ubuntu VPS with an SSL certificate from Let's Encrypt.

@ssbssb ADS = Azure Data Studio.

Ah ok - No - I didn't define or load any specific certificate in Azure Data Studio.

It's set to Encrypt=True and Trust Server Certificate=False in ADS.

@ssbssb Okay, I don't know ADS, so don't know which certificate handling it does, but Metabase uses Java, so you'll need to make sure that Java understands the certificate from your server.

OK - how can I do that?

@ssbssb If you follow the link that I posted, then Microsoft have written a short article on how to import certificates into Java TrustStore. It's a huge subject and there are many resources on the internet, since it's not specific to Metabase.
But to begin with, make sure that you're not using the Mac App, but the JAR file instead.

Hi, I have had a look - it still does not seem to be working. Not sure what the issue is, because I have had no trouble connecting with ADS or .NET Core applications running on the same box without having to load any certificates.

A lot of the examples are for writing your own Java code to connect, so I'm not sure how this would work for Metabase.

@ssbssb Java is not the same as ADS or .NET - it is its own monster. But use the JAR and download Java 11: https://www.metabase.com/docs/latest/operations-guide/java-versions.html
It should include common CAs by default, so you shouldn't need to do anything.
Dealing with the TrustStore or KeyStore in Java is just painful to put it mildly.

OK - when I type java -version i have the following (this is on a Win10 machine). I'm not at the Mac right now.

java version "16.0.1" 2021-04-20
Java(TM) SE Runtime Environment (build 16.0.1+9-24)
Java HotSpot(TM) 64-Bit Server VM (build 16.0.1+9-24, mixed mode, sharing)

Is this the supported version?

I'm running Metabase from the JAR file

The CA I am using is:
Issued to: DST Root CA X3

  • DST Root CA X3
    -----R3
    ---------mydomain.com

Hi @ssbssb, we support Java 16 but we recommend you use OpenJDK 11 (https://adoptopenjdk.net/)

I don't know if you can send us the full logs of the instance when trying to connect so we can check that, and also try upgrading to 40.1, which was released yesterday.

thanks :wink:

Hi, I've just upgraded to 40.1 and am still getting the same error. How can I send you the logs?

I've also tried replacing the sqlserver.metabase-driver.jar in the plugins folder with one I downloaded from the Microsoft website (mssql-jdbc-9.2.1.jre15.jar).

It is all the same error: unable to find a valid certification path to requested target.

@ssbssb You cannot replace the driver. Metabase uses specific drivers, not general JDBC drivers.

Post "Diagnostic Info" from Admin > Troubleshooting.
Check your MSSQL server log - perhaps there's some more logging there.

The problem is not the driver, but the certificate is not in your Java TrustStore. I'm not sure why, since I can connect to a database with LetsEncrypt certificate - guess it must be something on Windows.
https://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates
https://community.letsencrypt.org/t/will-the-cross-root-cover-trust-by-the-default-list-in-the-jdk-jre/134

You can try with a tool like DBeaver.io, which is also Java-based and uses JDBC drivers.

Got it - there were three certificates that I needed to import and now it seems to work. Seems to work even with the MS SQL drivers I copied into the plugin folder.

It also wasn't working on macOS - I will import the other certificates there and give it a go. Apologies, I'm not that familiar with Java / JDK, so it was a bit of a struggle to get this up and running.
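
The fix reported above (importing the chain's certificates so Java can build a certification path), sketched as an added example that is not code from this thread or from Metabase. The file names `chain.pem` and `mssql-trust.jks`, the password `changeit` and the function names are assumptions; it uses `keytool` and the Microsoft JDBC driver's `trustStore` / `trustStorePassword` connection properties, so certificate validation stays on and the store applies to this connection only.

```shell
#!/bin/sh
# Added example. Assumed names: chain.pem, mssql-trust.jks, password "changeit".

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... and echo how many were
# written. keytool -importcert adds one trusted entry per call, so every
# certificate in the chain needs its own file and alias.
split_pem_bundle() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$bundle"
}

# Import each split certificate into a dedicated JKS trust store, then list
# the store so the trusted entries can be reviewed.
import_chain() {
  outdir=$1; store=$2; pass=$3
  for pem in "$outdir"/cert-*.pem; do
    [ -f "$pem" ] || continue
    entry=$(basename "$pem" .pem)
    keytool -importcert -noprompt -alias "$entry" -file "$pem" \
      -keystore "$store" -storetype JKS -storepass "$pass" || return 1
  done
  keytool -list -keystore "$store" -storepass "$pass"
}

# Connection-string options that keep validation on and point the Microsoft
# JDBC driver at the store, instead of trustServerCertificate=true, which
# accepts any certificate the server presents.
truststore_conn_opts() {
  printf 'encrypt=true;trustServerCertificate=false;trustStore=%s;trustStorePassword=%s;\n' "$1" "$2"
}

main() {
  bundle=$1; store=${2:-mssql-trust.jks}; pass=${3:-changeit}
  work=$(mktemp -d)
  count=$(split_pem_bundle "$bundle" "$work")
  echo "found $count certificate(s) in $bundle"
  import_chain "$work" "$store" "$pass" || exit 1
  truststore_conn_opts "$store" "$pass"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Put the CA certificates of the chain in the bundle where possible: a trusted leaf certificate has to be re-imported every time the server certificate is renewed. Use an absolute path for the store in the connection string.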

@ssbssb Perfect. Guess you might have been using another certificate (or included the wrong one).

The driver gets replaced, when you start Metabase, with the one included - this is to ensure old drivers are upgraded - so that's why the driver works (it's not the one you included).

Trust me - everyone is "new" to TrustStore/KeyStore until you have grey hair. Most other databases (Postgres, MySQL, etc.) allow you to define the certificate in the Connection String, so you can avoid TrustStore.
We are working on adding certificate management in the interface of Metabase, but it's a difficult project and hopefully will be finished this year.
