
please could you help with following mysterious & interesting issue?

IIS websites:
IdentityServer (v 2.0.1) - used to log in & get a clientToken for the service account (which is further used for IdentityServerApi calls)
IdentityServerApi - used to get user data from DB
WebSite1
WebSite2
WebSite3
WebSite4
NewWebapp

Startup.cs in IdentityServer contains Clients for all web sites. NewWebapp was added recently with exactly the same configuration as the other websites (only ReturnUrl differs).

Classic (functional) scenario is:
WebApp gets clientToken from IdentityServer and this is used for all requests to IdentityServerApi (containing user & other data).

Current behavior is:
All WebSites1-4 work correctly. But when NewWebapp tries to get a clientToken it gets the following error:

Exception:

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at mySupply_project.Utils.RemoteUserApiProvider.<CallUserApi>d__7.MoveNext() in C:\tfs43\MySupply\MySupply-project-multilingual\mySupply-project\Utils\RemoteUserApiProvider.cs:line 91
InnerException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Message: Exception
StackTrace:
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at mySupply_project.Utils.RemoteUserApiProvider.d__7.MoveNext() in C:\tfs43\MySupply\MySupply-project-multilingual\mySupply-project\Utils\RemoteUserApiProvider.cs:line 91

TraceLog of IdentityServer does not contain any useful information.

When testing in Postman, requests are processed well, clientToken & data are correctly returned in all cases (including NewWebapp).

Please, does anyone have an idea what could possibly be wrong? Thanks a lot!

Update:
RemoteUserApiProvider calls this method:

public async Task<string> CallUserApi(string url)
{
    var accesToken = ClientToken();
    if (string.IsNullOrEmpty(accesToken))
        return string.Empty;

    try
    {
        using (var client = new HttpClient())
        {
            client.SetBearerToken(accesToken);

            // turn off validation of a certificate for testing
            CheckCertificationSettings();

            _logger.LogInfo($"[CallUserApi] Url: {url}");

            var result = await client.GetStringAsync(url);

            return result;
        }
    }
    catch (Exception ex)
    {
        _logger.LogException(ex, Source.IdentityServer);
        return string.Empty;
    }
}

This method CallUserApi calls the URL of IdentityServerApi (via https).
To get clientToken, IdentityServer (not Api) is called via https.

Guris_cz

1 Answer


This doesn't seem to be an identity-related issue. What URL does the RemoteUserApiProvider call into? Check if the SSL of the URL is trusted on the same box where the new client app is being hosted. You can use PowerShell or a browser.

Updated:

And try going through this checklist to see if any one of those matches.

Ming
  • Certificate is valid - all other sites (WebSite 1-4) use it and it's working. Both URLs (IdentityServerApi & NewWebapp) are part of the certificate address list. – Guris_cz Mar 28 '17 at 09:50
  • @PetrGurecký, so what URL is `RemoteUserApiProvider.` call into? Is it API or OP? Sorry, the method name is really confusing – Ming Mar 28 '17 at 20:52
  • Please see the update of the post; I've tried to explain and have shown the method body. – Guris_cz Mar 29 '17 at 05:39
  • @PetrGurecký thanks for updating that. Back to my original question: did you get an SSL connection error when connecting to the identity server on the same box where the new web app is hosted? You can check by using either PowerShell or a browser by opening this link https:////.well-known/jwks – Ming Mar 29 '17 at 07:00
  • I'm not sure what "same box" means. But if you mean the same server - yes, IdentityServer, IdentityServerApi & NewWebApp (also all WebSites) are on the same IIS. The URL you mentioned shows secured connection (valid certificate) and returns JSON with "keys" array – Guris_cz Mar 30 '17 at 07:37
  • @PetrGurecký ok, did you try ignoring the SSL error using the ServerCertificateValidationCallback? It is not the best option, but at least it can prove whether it is a cert issue if this approach works. Sorry I can't be more helpful – Ming Mar 30 '17 at 07:50
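A diagnostic take on the ServerCertificateValidationCallback idea from the last comment, added here as an example and not code from the question or the answer: instead of returning true (which is what a "turn off validation for testing" hook does), the callback logs which SslPolicyErrors and chain-status entries produced "The remote certificate is invalid according to the validation procedure" and still rejects the certificate. The class name TlsDiagnostics, the ProbeAsync helper and the use of Console for output are assumptions; ServicePointManager is used because the stack trace shows System.Net.HttpWebRequest, which consults that process-wide hook.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Hypothetical helper (not from the project): explains a TLS trust failure
// without bypassing validation.
public static class TlsDiagnostics
{
    // Same signature as RemoteCertificateValidationCallback.
    public static bool LogAndValidate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        var request = sender as HttpWebRequest;
        Console.WriteLine($"[TLS] host={request?.RequestUri.Host} " +
                          $"subject={cert?.Subject} errors={errors}");

        // Name mismatch: the host name actually called is not covered by the
        // certificate (the asker says both URLs are in its address list).
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.WriteLine("[TLS] host name not covered by the certificate");

        // Chain errors: issuer not trusted on this box, expired, revoked, or
        // revocation server unreachable. ChainStatus names the exact reason.
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
            foreach (var status in chain.ChainStatus)
                Console.WriteLine($"[TLS] chain: {status.Status} - {status.StatusInformation}");

        // Keep the default decision: only a clean validation is accepted.
        return errors == SslPolicyErrors.None;
    }

    // Issues one GET through HttpClient (backed by HttpWebRequest on .NET
    // Framework) with the diagnostic callback installed, then removes it
    // again so the process-wide hook does not outlive the probe.
    public static async Task<string> ProbeAsync(string url)
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndValidate;
        try
        {
            using (var client = new HttpClient())
                return await client.GetStringAsync(url);
        }
        finally
        {
            ServicePointManager.ServerCertificateValidationCallback = null;
        }
    }
}
```

Run the probe under the same account as NewWebapp's application pool, because the CurrentUser certificate stores (and therefore which issuers are trusted) differ per account, which is one way a URL can look fine in a browser or Postman yet fail inside the web app.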