The remote certificate is invalid according to the validation procedure

Question

Running the following code, I get an exception:

using (var client = new Pop3Client())
{
    client.Connect(provider.ServerWithoutPort, provider.Port, true);
}

The Exception I get:

The remote certificate is invalid according to the validation procedure.


   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
   at OpenPop.Pop3.Pop3Client.Connect(String hostname, Int32 port, Boolean useSsl, Int32 receiveTimeout, Int32 sendTimeout, RemoteCertificateValidationCallback certificateValidator)
   at OpenPop.Pop3.Pop3Client.Connect(String hostname, Int32 port, Boolean useSsl)
   at Ugi.Server.Sources.Logic.SourcesService.IsValidPop3Connection(String email, String emailPassword) in C:\Users\elad\Documents\Visual Studio 2010\Projects\SVN\UGI\Ugi\Server\Sources\Logic\SourcesService.cs:line 246

@BoPersson except that other question has an horrible accepted upvoted answer. — Gilles, Jun 11 '14 at 17:24

Anders Abel · Accepted Answer · 2019-08-05T17:38:55.753

97

This usually occurs because either of the following are true:

The certificate is self-signed and not added as a trusted certificate.
The certificate is expired.
The certificate is signed by a root certificate that's not installed on your machine.
The certificate is signed using the fully qualified domain address of the server. Meaning: cannot use "xyzServerName" but instead must use "xyzServerName.ad.state.fl.us" because that's basically the server name as far as the SSL cert is concerned.
A revocation list is probed, but cannot be found/used.
The certificate is signed via intermediate CA certificate and server does not serve that intermediate certificate along with host certificate.

Try getting some information about the certificate of the server and see if you need to install any specific certs on your client to get it to work.

edited Aug 05 '19 at 17:38

answered Apr 02 '12 at 20:27

Anders Abel

67,989
17
150
217

2

Keep coming back to this. Root certificate, every time. Thanks a bunch! :D – Squazz Jan 02 '17 at 14:27
8

Damn... Back here again, and this time it's none of the above points :/ – Squazz Jun 08 '17 at 09:09
@Squazz: did you resolve it? any new points to add? – XYZ Jul 10 '17 at 16:12
1

Unfortunately not @XYZ, we ended up doing something else :/ – Squazz Jul 11 '17 at 07:07
* The certificate is signed via intermediate CA certificate and server does not serve that intermediate certificate along with host certificate. – vbezhenar Aug 05 '19 at 15:53
@vbezhenar Thanks, I'll edit that point into the answer. – Anders Abel Aug 05 '19 at 17:38
I'm running into this issue now, and I've put the Self-Signed CA into both the Admin Trusted Root store, and the User Trusted Root Store. It still rejects the certificate. I am connecting to the server using 'my-server' and the Certificate is signed for 'my-server'. It's unfortunate the reason it rejects it isn't more clear. – Andrew T Finnell Mar 05 '20 at 18:08
1

the reason I was getting this error had nothing to do with the cert (the cert was fine), but the endpoint that I was using in the outgoing request was incorrect – user224567893 Nov 02 '20 at 05:41
1

Having this issue right now with `RemoteCertificateNameMismatch` in `sslPolicyErrors`. It seems the subject name does not match and alt names are not fully checked (the name is there in alts as the subject IP address and it works in the browser). Works with DNS name though. This seems to be fixed in latest .NET and/or Windows. – Eugene Ryabtsev Mar 11 '21 at 05:58
Or simply, the local date / time is wrong. – AlexPi Nov 16 '22 at 20:38

brimble2010 · Answer 2 · 2014-07-01T10:07:51.600

77

Even shorter version of the solution from Dominic Zukiewicz:

ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) => true;

But this means that you will trust all certificates. For a service that isn't just run locally, something a bit smarter will be needed. In the first instance you could use this code to just test whether it solves your problem.

edited Jul 01 '14 at 10:07

answered Jan 29 '13 at 10:01

brimble2010

17,796
7
28
45

4

See this answer for why you should only do this in rare cases: http://stackoverflow.com/a/6613434/1955317 – Squazz Jan 02 '17 at 14:28
10

seems rather obvious to NOT use in production. But to get moving in development this is a god-send – BozoJoe Jan 24 '18 at 07:32
@BozoJoe said another way, "only do this if this is a school project", otherwise I can't imagine it's place. – Dan Chase Oct 02 '21 at 21:13
5

adding this here to help folks and answers are locked but if your using HttpClient and dotnet core you will need to do something like this instead, again not a safe solution but handy for local dev concepts; HttpClientHandler handler = new HttpClientHandler(); handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator; _client = new HttpClient(handler); – Morgeth888 Nov 12 '21 at 21:41
PowerShell equivalent of this answer: `[System.Net.ServicePointManager]::ServerCertificateValidationCallback += {$true}` – Joe Skeen Dec 02 '22 at 13:43
@DanChase I'm setting up a staging environment to test near-production-ready containers. The container in question has run into the issue because my test bed instances are only using self-signed certs, and not for the domain that the container thinks it is accessing. – RTD Jan 17 '23 at 03:30

score 31 · Answer 3 · edited Sep 14 '17 at 02:02

31

I had the same problem while I was testing a project and it turned that running Fiddler was the cause for this error..!!

If you are using Fiddler to intercept the http request, shut it down ...

This is one of the many causes for such error.

To fix Fiddler you may need to Reset Fiddler Https Certificates.

edited Sep 14 '17 at 02:02

Kirill Kobelev

10,252
6
30
51

answered Mar 18 '14 at 11:59

stackunderflow

3,811
5
31
43

The link to Resetting the Fiddler Https Certificates worked for me, thanks. – WooHoo Jan 08 '18 at 11:34
1

You, my friend, are a champion :) quick and simple fix to a potentially overwhelming issue! – Jimbo Jun 03 '22 at 09:05

score 31 · Answer 4 · answered Apr 02 '12 at 20:31

31

.NET is seeing an invalid SSL certificate on the other end of the connection. There is a workaround for it, but obviously not recommended for production code:

// Put this somewhere that is only once - like an initialization method
ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(ValidateCertificate);
...

static bool ValidateCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{
   return true;
}

answered Apr 02 '12 at 20:31

Dominic Zukiewicz

8,258
8
43
61

1

I get prompted twice. Once upon connection and once upon file upload. Is that normal? I inserted the code per your instructions. One at initialization and one in my FTP class. – B.K. Oct 11 '13 at 23:01
hooray `ServicePointManager` to the rescue again in development – BozoJoe Jan 24 '18 at 07:34
1

This approach also allows you other options for inspecting the X509Certificate before deciding to (always) return `true` – tgolisch Nov 17 '21 at 20:34

score 1 · Answer 5 · edited Oct 29 '14 at 00:15

You must check the certificate hash code.

ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain,
    errors) =>
        {
            var hashString = certificate.GetCertHashString();
            if (hashString != null)
            {
                var certHashString = hashString.ToLower();
                return certHashString == "dec2b525ddeemma8ccfaa8df174455d6e38248c5";
            }
            return false;
        };

score -19 · Answer 6 · edited Mar 23 '14 at 00:55

-19

Try put this before send e-mail

ServicePointManager.ServerCertificateValidationCallback = 
        delegate(object s, X509Certificate certificate, X509Chain chain,
        SslPolicyErrors sslPolicyErrors) { return true; };

Remenber to add the using libs!

edited Mar 23 '14 at 00:55

tvkanters

3,519
4
29
45

answered Mar 23 '14 at 00:29

pedrozza

19
1

29

You should never recommend this approach toward solving trust without explaining the risks. – Jerico Sandhorn Sep 17 '15 at 19:53

The remote certificate is invalid according to the validation procedure

6 Answers6

Linked