I've set up an instance of Identity Server 3 and it's running locally using a self-signed SSL certificate which I've added to my trusted certificates store.
Separately I have an example MVC project which is using the OWIN Katana middleware to authenticate against this local IS3 instance. This all works well.
I've now moved the two applications to a testing environment outside my local machine, replicating the setup as closely as possible. Both are running under SSL using a self-signed certificate which I've also installed to my local trusted certificate store. However, clicking sign-in from my test app throws this exception:
The remote certificate is invalid according to the validation procedure.
Here is the stack trace:
[AuthenticationException: The remote certificate is invalid according to the validation procedure.]
   System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) +298
   System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) +150

[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
   System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +764
   System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar) +78

[HttpRequestException: An error occurred while sending the request.]
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +14139120
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.d__0.MoveNext() +366

[IOException: Unable to get document from: https://[OBFUSCATED]/core/.well-known/openid-configuration]
   Microsoft.IdentityModel.Protocols.d__0.MoveNext() +736
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +14139120
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.d__0.MoveNext() +290
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +14139120
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.d__3.MoveNext() +917
It's pretty obvious my SSL setup is not sufficient to meet the validation, but I'm not clear what I need to change. Is it simply the case that I cannot test on a remote deployment environment without a full SSL certificate? Or am I missing something? If you need to know more about my setup, let me know what would help. As I say, these same applications run fine locally, so I assume this is more about server config. Thanks.
Update 1: more detail about testing environment
My testing environment is a pair of load balanced web servers. My Identity Server application and my example client application are both hosted on these servers under different URLs. Both use the same self-signed SSL certificate. This SSL certificate has been added to the Trusted Root Certs and the Trusted People stores on each web server. I've therefore followed all the advice on other examples (e.g. here). Is there something about this setup (e.g. both sites using the same certificate) that will cause the validation procedure to fail?
Solved
I'm not 100% sure what the problem was here, but I think it must have been a problem with how I generated my self-signed certs. I decided to wipe out the existing SSL certs, then used the following PowerShell script on each web server to create a new self-signed certificate on each, then copied the new certificates. Using these certificates for my bindings worked fine. Make sure the $AdditionalHostNames variable matches your IS3 application's hostname.

# Host name(s) the certificate must be valid for, in addition to this machine's own name
$AdditionalHostNames = "my.is3.host.name"
# Issue a self-signed certificate carrying those names as Subject Alternative Names
# and place it in the Local Machine personal store, ready to be used for an IIS binding
New-SelfSignedCertificate -DnsName $env:computername, $AdditionalHostNames -CertStoreLocation cert:\LocalMachine\My
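The "validation procedure" in the exception is really two checks: the server certificate must chain to a root the calling machine trusts, and the host name in the URL must appear in the certificate's Subject Alternative Name (which is what the -DnsName list above populates). The following PowerShell function is an added diagnostic, not code from the question or from IdentityServer; run it on the web server that hosts the MVC client, pointing at the IS3 host name from your authority URL (the host name and port below are assumed placeholders), and it reports which of the two checks a given certificate fails.

```powershell
# Added diagnostic (not from the original post): repeats the chain-trust and host-name
# checks that .NET's certificate validation performs against an HTTPS endpoint.
function Test-RemoteCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,   # e.g. 'my.is3.host.name' (assumed placeholder)
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so we can inspect it; the real
        # validation is done explicitly below rather than inside this callback.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }

    # Check 1: does the certificate chain to a root in this machine's Trusted Root store?
    # (A self-signed cert only passes once it has been imported there on the client machine.)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Check 2: is the requested host name listed in the Subject Alternative Name extension
    # (OID 2.5.29.17)? Fall back to the subject CN for certificates without a SAN.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @()
    if ($sanExt) {
        $names = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    if (-not $names) {
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    }
    $nameOk = $names -contains $HostName   # exact match; wildcard names are not expanded here

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        ChainTrusted  = $chainOk
        ChainStatus   = $chainStatus
        DnsNames      = ($names -join ', ')
        HostNameMatch = $nameOk
    }
}

# Example call (host name is the assumed placeholder from the script above):
# Test-RemoteCertificate -HostName 'my.is3.host.name'
```

If ChainTrusted is false the certificate is not in the client machine's Trusted Root store (or a different copy of it is); if HostNameMatch is false the certificate was issued for a name other than the one in your IS3 authority URL, which a -DnsName list that omits that host name would produce.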