After seeing various issues with SQL Server startup problem, I felt that I know almost most of the errors, but I was wrong till someone contacted me with a new error. But I learned that Errorlog is always a good place to start with. SQL SERVER – Where is ERRORLOG? Various Ways to Find ERRORLOG Location. Let us learn in this blog post we are going to learn how to fix unable to load user-specified certificate. Here is what I saw in my client’s machine.
2016-11-03 08:55:09.64 spid9s Server name is ‘SQLSAPPROD\BILLING’. This is an informational message only. No user action is required.
2016-11-03 08:55:09.64 spid9s The NETBIOS name of the local node that is running the server is ‘SQLSAPNODE1’. This is an informational message only. No user action is required.
2016-11-03 08:55:09.64 Server Error: 26014, Severity: 16, State: 1.
2016-11-03 08:55:09.64 Server Unable to load user-specified certificate [Cert Hash(sha1) “FD757A4A777966D5EEB2BD5445D151528E47A62E”]. The server will not accept a connection. You should verify that the certificate is correctly installed. See “Configuring Certificate for Use by SSL” in Books Online.
2016-11-03 08:55:09.64 Server Error: 17182, Severity: 16, State: 1.
2016-11-03 08:55:09.64 Server TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
Above snippet of ERRORLOG has interesting message “Unable to load user-specified certificate [Cert Hash(sha1) “FD757A4A777966D5EEB2BD5445D151528E47A62E”]. The server will not accept a connection. You should verify that the certificate is correctly installed. See “Configuring Certificate for Use by SSL” in Books Online”
The certificate hash value if picked via “Certificate” registry key and once value is picked, certificate store is checked for the certificate (type, subject, thumbprint etc. would be checked)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL<Version>.<InstanceID>\MSSQLServer\SuperSocketNetLib
Below is the registry key on my client’s computer.
The value of <Version> would be dependent on SQL Server version:
|MSSQL10||SQL Server 2008|
|MSSQL10_50||SQL Server 2008 R2|
|MSSQL11||SQL Server 2012|
|MSSQL12||SQL Server 2014|
|MSSQL13||SQL Server 2016|
When I asked my client, they said there is no certificate they are using.
If you are not using a certificate, then you can go ahead and clean up the value in the registry. If you are using the certificate, then make sure it is installed correctly and it is having right thumbprint, subject etc.
Reference: Pinal Dave (https://blog.sqlauthority.com)
The other possible reason is SQl Server Service account doesn’t have full permission on Certificate private key.
need to right click on certificate and in manage private key, grant full permission to SQL Server service account.
we are using the certificate and getting same error: but not sure how we can fix this issue. we are using GMSA as service account