12

I have an asp.net mvc web app that has been running in production for about 4 years. Suddenly, since about a week ago, I am getting this error returned for all calls to 3rd-party secure APIs:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

This is for calls to SendGrid for sending emails, calls to Azure Blob Storage for uploading of documents, calls to Connect.io for logging.

I have managed to resolve the Azure Blob Storage problem temporarily by changing the connection string to use http instead of https.

Clearly something has broken on my app server, and I have no idea where to start looking.

Please help.

Edit: Turns out I was using a sample library provided by one of my (lesser-used) 3rd-party APIs, and this library had an override of System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) which had its own logic about what constitutes a valid certificate!!! AARGH!

Shawn de Wet
  • 5,642
  • 6
  • 57
  • 88

3 Answers

10

This part becomes the key information for your problem:

I am getting this error being returned for all calls to 3rd-party secure API's

According to MSDN blog:

This error message is caused because the process is not being able to validate the Server Certificate supplied by the Server during an HTTPS (SSL) request. The very first troubleshooting step should be to see if the server supplied certificate and every certificate in the chain is trouble free.

Because it seems that one or more third-party certificates are rejected, you may configure the Trusted Roots part of your certificate trust lists to include all required third-party CAs as part of the chain, so that secure APIs from trusted sources keep working, including reissued certificates if any.

Further details: https://technet.microsoft.com/en-us/library/dn265983.aspx

NB (Optional):

As a temporary measure, you can implement this certificate validation handler in WebRole.cs until all related third-party certificates have been reissued (remember this setting will trust all issued certificates, hence it's not recommended for long-term usage):

System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

Additional reference: http://robertgreiner.com/2013/03/could-not-establish-trust-relationship-for-the-ssl-tls-secure-channel/

Tetsuya Yamamoto
  • 24,297
  • 8
  • 39
  • 61
  • What really has me worried is that this is happening even with that ServerCertificateValidationCallback in place! – Shawn de Wet Oct 27 '16 at 02:29
  • You can use checklist here: http://stackoverflow.com/a/703285/6378815. Try to synchronize between CA server and server's time first, then you can override `ServerCertificateValidationCallback` behavior like this one: http://stackoverflow.com/questions/28679120/how-to-call-default-servercertificatevalidationcallback-inside-customized-valida/28682060#28682060. – Tetsuya Yamamoto Oct 27 '16 at 06:07
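The question's edit (a library quietly hooking the global callback) and the temporary handler above both turn on how ServerCertificateValidationCallback behaves; the following is an added diagnostic example, not code from the question or any answer, and assumes an ASP.NET Framework app where Install() is called from Application_Start and System.Diagnostics.Trace is the logging sink:

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: surfaces who owns the process-wide TLS validation hook and
// why the default validation failed, without ever loosening the decision.
public static class CertificateValidationDiagnostics
{
    public static void Install()
    {
        // If a library already registered a callback, log every subscriber.
        // With +=, the return value of the LAST subscriber wins, which is how a
        // third-party "=> true" handler silently replaces the trust decision.
        var existing = ServicePointManager.ServerCertificateValidationCallback;
        if (existing != null)
        {
            foreach (Delegate d in existing.GetInvocationList())
            {
                Trace.TraceWarning("Pre-existing ServerCertificateValidationCallback: {0}.{1}",
                    d.Method.DeclaringType?.FullName, d.Method.Name);
            }
        }

        ServicePointManager.ServerCertificateValidationCallback += LogAndKeepDefault;
    }

    private static bool LogAndKeepDefault(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true; // default validation passed; nothing to report

        // Record the real cause (untrusted root, name mismatch, expired chain,
        // clock skew) so the failing endpoint and chain status end up in the logs.
        var request = sender as HttpWebRequest; // sender is the request for WebRequest calls
        Trace.TraceError("TLS validation failed for {0}: {1} (subject {2})",
            request?.RequestUri, sslPolicyErrors, certificate?.Subject);

        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Trace.TraceError("  chain status: {0} {1}", status.Status, status.StatusInformation);
        }

        return false; // keep the default outcome: reject, never blanket-trust
    }
}
```

Because the last subscriber's return value decides, registering this handler after a library's permissive one also restores the default rejection while the log shows which assembly installed the override.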
3

Similar thing happened in our system. Our problem was TLS version. The SSL offload appliance was configured to accept only TLS 1.2. One week ago this configuration accepted all TLS versions 1.0 to 1.2.

We had to reconfigure .NET's SecurityProtocol settings like:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls12; 

You can use this site to test which TLS version you are using: https://www.ssllabs.com/ssltest/index.html

fduman
  • 190
  • 4
0

Try to get some information about the certificate of the servers and see if you need to install any specific certs.

The server(s) may have had a cert signed by a 3rd-party CA which you hadn't trusted yet. The solution is to add that CA to the Trusted Root CA list.

Amirhossein Mehrvarzi
  • 18,024
  • 7
  • 45
  • 70