Troubleshooting mk-sql MSSQL connection timeout during TLS setup


mk-sql connections to Microsoft SQL Server can hang and time out during TLS setup due to mismatched encryption or authentication settings between the plugin and the database server.

LAST TESTED ON CHECKMK 2.4.0P16


Overview

The mk-sql plugin can successfully connect to a Microsoft SQL Server instance, but then pauses for about 15 seconds before timing out. This behavior is misleading because the network connection itself works. The delay occurs during TLS setup and is often related to certificate validation.


Problem

You may see log entries like the following:

2025-10-10 11:17:51.809 +02:00 [INFO] [client]: Connected to addr 'localhost:1433'
2025-10-10 11:17:51.811 +02:00 [WARN] [native_tls_stream]: Trusting the server certificate without validation.
<15 seconds waiting here>
2025-10-10 11:18:06.896 +02:00 [WARN] [client]: Timeout: deadline has elapsed when creating client from config
2025-10-10 11:18:06.896 +02:00 [ERROR] [instance]: Failed to create main client: Timeout: deadline has elapsed when creating client from config

The connection to SQL Server is established immediately. The delay happens afterward, during encryption and authentication setup.

A 15 second delay is a strong indicator of a problem in the TLS or certificate validation process rather than a network issue.

 

Key observations

  • In most cases, this delay is caused by issues in the certificate validation chain, especially on Windows systems

  • Windows environments are more prone to this due to how certificate trust chains are validated

  • On Linux, the same issue can occur, but it is less commonly tied to the system trust chain and more to TLS configuration mismatches

Another important detail is that the delay is not always persistent:

  • The 15 second timeout can be temporary

    • There are cases where the issue disappeared without any configuration change

    • This suggests that certificate validation or external dependencies can intermittently affect the behavior

 

Why older plugins appear to work

The older mssql.vbs plugin uses Microsoft’s native drivers and TLS stack. These handle certificate validation in a way that aligns closely with SQL Server expectations.

 

In contrast, mk-sql uses different libraries and TLS handling, which makes certificate validation issues more visible.

 

If the old plugin works but mk-sql does not, this does not necessarily indicate a driver problem. In theory:

  • Both ODBC (Open Database Connectivity) and mk-sql use the same driver and nearly identical connection strings

  • Therefore, ODBC should work as well once certificate handling is correct

 

If ODBC fails differently, it is usually due to how certificate validation settings are applied or ignored in older versions.

 


Solution

The issue is usually resolved by aligning TLS, certificate trust, and authentication settings between SQL Server and mk-sql.


Check certificate configuration

  • Ensure the SQL Server certificate is valid and trusted

  • Avoid self-signed certificates and incomplete certificate chains unless explicitly allowed

  • Pay special attention to Windows certificate stores and trust chains

 

Adjust mk-sql settings

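If the server presents a certificate that cannot be validated, explicitly allow it. With this setting the server certificate is accepted without validation, which is what the native_tls_stream warning in the log excerpt above reports:

authentication:
  trust_server_certificate: true
  encrypt: true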

 

Verify authentication

  • SQL Server must allow SQL authentication (Mixed Mode)

  • mk-sql does not support Windows authentication

 

Consider backend behavior

  • Older ODBC implementations ignored trust_server_certificate

  • This was fixed with Werk #18538

The fix ensures that:

  • trust_server_certificate: true is properly passed to the database connection

  • Untrusted certificates are accepted when explicitly configured

  • Behavior is consistent with expectations

 

In certain scenarios, especially in clustered environments, the ODBC backend provides more stable and reliable monitoring.

To enable the ODBC backend, go to Setup → Agents → Windows, Linux, Solaris, AIX → Agent rules → Microsoft SQL Server → Add Rule

First, tick the check boxes for:

  • Connection

  • Monitoring backend

Then select "Use Odbc backend if plugin deployed on Windows"


 

 

Important note on the 15 second delay

The 15 second timeout should be treated as a diagnostic indicator:

  • It is very often linked to certificate validation issues

  • Especially on Windows systems, it points to problems in the certificate chain

  • It is not a reliable indicator of connectivity problems

Marking this pattern in logs as a potential certificate chain issue can significantly speed up troubleshooting.
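
One way to mark this pattern automatically, as an added example (not part of the original article and not Checkmk code): a small Python classifier that reads log lines in the format shown in the Problem section and separates a timeout that follows a successful connect from one that never connected. The 14 second threshold, the function names, the verdict labels and the second sample attempt are assumptions.

```python
import re
from datetime import datetime

# Log line layout as shown in the article's excerpt.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{1,6} [+-]\d\d:\d\d) "
                  r"\[(\w+)\] \[(\w+)\]: (.*)$")
STALL_SECONDS = 14.0  # assumption: gaps near the 15 s deadline count as a stall

# Constructed sample: attempt 1 repeats the article's excerpt, attempt 2 is a
# made-up timeout that never logged "Connected" (points at connectivity).
SAMPLE = """\
2025-10-10 11:17:51.809 +02:00 [INFO] [client]: Connected to addr 'localhost:1433'
2025-10-10 11:17:51.811 +02:00 [WARN] [native_tls_stream]: Trusting the server certificate without validation.
2025-10-10 11:18:06.896 +02:00 [WARN] [client]: Timeout: deadline has elapsed when creating client from config
2025-10-10 11:18:06.896 +02:00 [ERROR] [instance]: Failed to create main client: Timeout: deadline has elapsed when creating client from config
2025-10-10 11:20:21.000 +02:00 [WARN] [client]: Timeout: deadline has elapsed when creating client from config
"""


def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None  # skip anything that is not a log record
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f %z")
    return ts, m.group(3), m.group(4)


def classify(log_text):
    """Return one finding per client timeout found in the log."""
    findings, connected, unvalidated = [], None, False
    for ts, component, msg in filter(None, map(parse, log_text.splitlines())):
        if component == "client" and msg.startswith("Connected to addr"):
            addr = msg.partition("addr ")[2].strip("'")
            connected, unvalidated = (ts, addr), False
        elif component == "native_tls_stream" and "without validation" in msg:
            unvalidated = True  # certificate was accepted without validation
        elif component == "client" and msg.startswith("Timeout:"):
            if connected is None:
                findings.append({"verdict": "timeout-before-connect"})
            else:
                gap = (ts - connected[0]).total_seconds()
                stalled = gap >= STALL_SECONDS
                findings.append({
                    "verdict": "post-connect-stall" if stalled else "early-timeout",
                    "addr": connected[1], "gap_s": round(gap, 3),
                    "cert_unvalidated": unvalidated})
            connected, unvalidated = None, False
    return findings
```

A "post-connect-stall" finding is the case this article describes and should be triaged as a TLS or certificate chain problem; "timeout-before-connect" is the case where network checks are still worthwhile.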

A 15 second timeout during mk-sql connection setup is most commonly caused by certificate validation issues, often within the Windows trust chain, and can sometimes appear intermittently due to external validation behavior.

 
