Deploying Metabase V0.57.6 with Java 21: adding a SQL Server database

When deploying Metabase V0.57.6 with Java 21 and adding a SQL Server database connection, I keep getting the message “Metabase tried, but couldn't connect

"encrypt" property is set to "true" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. ClientConnectionId:e5d7beb9-c2a1-4e4e-979d-52639dbb23c1”, regardless of whether **Use a secure connection (SSL)** is turned on. **But the same version deployed with Docker can connect without the secure connection. How should this be configured?** The contents of the file opened with vi /etc/systemd/system/metabase.service are as follows:

```
[Unit]
Description=Metabase Business Intelligence Service
After=network.target

[Service]
User=metabase
Group=metabase
WorkingDirectory=/opt/metabase
Environment="MB_JETTY_PORT=3000"
Environment="MB_DB_FILE=/opt/metabase/data/metabase.db"
# Point precisely at the JDK 21 path
Environment="JAVA_HOME=/usr/lib/jvm/java-21-openjdk"
ExecStart=/usr/lib/jvm/java-21-openjdk/bin/java -jar /opt/metabase/metabase.jar
ExecStop=/usr/bin/pkill -f metabase.jar
Restart=on-failure
RestartSec=5
TimeoutStartSec=120

[Install]
WantedBy=multi-user.target
```

Your SQL Server instance is using a certificate not signed with a public certificate authority, and the SQL Server client in Metabase can’t verify it.

The easy solution:

In the database setup dialog, click “Show advanced options”, then add “trustServerCertificate=true” to the Additional JDBC Connection String Options field.

The more difficult solution:

Add the server’s certificate (or the certificate used to sign it) to a Java keystore and tell Java to use the keystore to validate SSL sessions.

After filling it in as “jdbc:sqlserver://10.10.48.202:1433;databaseName=erpdb;user=hezc;password=h5928808;trustServerCertificate=true;encrypt=true”, it still reports an error. The message is: Metabase tried, but couldn't connect

"encrypt" property is set to "true" and "trustServerCertificate" property is set to "true" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: (unsupported_certificate) Certificates do not conform to algorithm constraints. ClientConnectionId:880c52e5-42d1-4f84-a7dd-1938298e3642.

What I really don't understand is why the same version deployed with Docker can connect to the same SQL database, and only the JAR deployment cannot. Could it be that the JDK that goes with V0.57.6 is Java 19??

Later I even used vi /usr/lib/jvm/java-21-openjdk/conf/security/java.security to change the value of

```
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    ECDH, TLS_RSA_*, rsa_pkcs1_sha1 usage HandshakeSignature, \
    ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature
```

to

```
# Add a new, looser rule (disable only the high-risk protocols/algorithms, remove the certificate-related restrictions)
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, 3DES_EDE_CBC, anon, NULL
```

but it still had no effect.

I can’t explain why the Docker version works and the self-installed version doesn’t unless there are substantial differences in the JVM used. I think the Docker version uses Eclipse Temurin. What JVM are you using in the JAR deployment?

Java 21 is required for Metabase, Java 19 is not supported.

The error message in your second post indicates the certificate used in the SQL Server instance you’re connecting to uses deprecated key types. Can you try generating a new certificate for it?

If you want to try to override it with java.security properties, or debug the certificate further, see this Stack Overflow post (may not necessarily all apply to Java 21, post is from the Java 7 era and a lot has changed in the security functions):

Just now I went into vi /usr/lib/jvm/java-21-openjdk/conf/security/java.security and commented out the jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, 3DES_EDE_CBC, anon, NULL line that I had set this morning, and it still says “Metabase tried, but couldn't connect

"encrypt" property is set to "false" and "trustServerCertificate" property is set to "true" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: (unsupported_certificate) Certificates do not conform to algorithm constraints. ClientConnectionId:d37fa0cb-b521-4eb3-b8bc-05f0847c5a41”.

Now I am going to try deploying the same version of Metabase with Docker on this Linux machine and see whether it can connect to the SQL database on the 10.10.48.202 server.

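After switching this Linux server to a Docker deployment, I entered the database name, IP address, port, username and password, and it connected immediately. Right after that I switched back to deploying with Java 21 and the connection just does not work. I used vim $JAVA_HOME/conf/security/java.security to change the settings to the following:

```
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5
jdk.disabled.namedCurves=
jdk.tls.legacyAlgorithms=SHA1, RSA, DSA, EC, DH, AES, CHACHA20, ARIA, CAMELLIA
```

and it still reports an error. I am really lost. Has nobody else run into this problem??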
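An added example, not part of any post in this thread and not Metabase or JDK code: a simplified Python model of how a java.security file like the one above is read (comments, backslash continuations, last definition wins) and which entries of jdk.tls.disabledAlgorithms or jdk.certpath.disabledAlgorithms would reject a certificate, since JSSE consults both lists for certificates in a handshake. The certificate profiles passed in are constructed (the thread never shows the server's certificate), and qualifiers other than keySize are ignored.

```python
import operator
import re

# Constructed sample in java.security syntax: the relaxed values quoted in the
# thread, plus a commented-out definition and a backslash continuation.
SAMPLE = r"""
#jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
#    MD5withRSA, DH keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \
    3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5
"""
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
CHECKED = ("jdk.tls.disabledAlgorithms", "jdk.certpath.disabledAlgorithms")

def norm(name):
    return name.upper().replace("-", "")

def load_props(text):
    """Parse properties text: '#'/'!' comments, '\\' continuations, last definition wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def parse_rules(value):
    """Yield (name, op, bits); entries with usage/jdkCA/denyAfter qualifiers are skipped."""
    for entry in value.split(","):
        m = re.fullmatch(r"(\S+)(?:\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+))?", entry.strip())
        if m:
            yield norm(m.group(1)), m.group(2), int(m.group(3) or 0)

def blocking_rules(props, sig_alg, key_alg, key_bits):
    """List (property, rule) pairs that reject a certificate with these algorithms."""
    names = {norm(p) for p in re.split("with|and", sig_alg, flags=re.I)}
    names |= {norm(sig_alg), norm(key_alg)}
    hits = []
    for prop in CHECKED:
        for name, op, bits in parse_rules(props.get(prop, "")):
            if op is None and name in names:
                hits.append((prop, name))
            elif op and name == norm(key_alg) and OPS[op](key_bits, bits):
                hits.append((prop, f"{name} keySize {op} {bits}"))
    return hits
```

With the constructed profile of an MD5withRSA-signed certificate, the relaxed jdk.tls.disabledAlgorithms line no longer matches, but the MD5 entry in jdk.certpath.disabledAlgorithms still does.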

On the Linux machine, can you try running this command and posting the output? This will retrieve and print the SQL Server SSL certificate details.

```
openssl s_client -showcerts -connect 10.10.48.202:1433
```

This will identify what deprecated signature algorithm is in use so you can install an exception to it if you’re unable to create a new SSL certificate for SQL Server.

```
[root@DR-BI ~]# openssl s_client -showcerts -connect 10.10.48.202:1433
Connecting to 10.10.48.202
CONNECTED(00000003)
40D7F63B957F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:696:
no peer certificate available
No client certificate CA names sent
Negotiated TLS1.3 group:
SSL handshake has read 0 bytes and written 312 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
```