I have a piece of .NET code that is erroring out when it makes a call to HTTPWebRequest.GetRequestStream. Here is the error message:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

I've read a few things that suggest that I might need a certificate on the machine running the code, but I believe I have all the required certificates...

This is how I checked to see if I had the required certificates:

  1. Hit the web service using Firefox.
  2. Look at the certificates being used to hit that web service by looking at the security info through the browser.
  3. Export the certificates.
  4. Import the certificates through Internet Options in the Control Panel.

Should this be sufficient? I am still getting the error.

Code:

        var request = (HttpWebRequest)HttpWebRequest.Create(requestUrl); //my url
        request.Method = StringUtilities.ConvertToString(httpMethod); // Set the http method GET, POST, etc.

        if (postData != null)
        {
            request.ContentLength = postData.Length;
            request.ContentType = contentType;
            using (var dataStream = request.GetRequestStream())
            {
                dataStream.Write(postData, 0, postData.Length);
            }
        }

UPDATE:

Adding some screen shots of my certs. Let me know if anything looks wrong:

First, we have the cert that Firefox is using:

[Screenshot]

Next, we have what is in my Trusted Root Certs according to the MMC:

[Screenshot]

Last, we have what is in my Intermediate certs according to the MMC:

[Screenshot]

Does this look right?

Abe Miessler

1 Answer

If the 3rd party web service is secured using a self-signed certificate, you will need to install their CA signing certificate into your trusted certificates keystore.

EDIT based on code sample.

I've tried an example calling those Facebook URLs without problem, doing an HTTP GET to one of the graph.facebook URLs without error using the code sample below. Please can you update your example with what you're trying to post and to which URL?

At the moment, from what I can see from mine, it seems to work, so I can only assume there is still a certificate problem on the PC you're executing it from.

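    using System.IO;
    using System.Net;
    using System.Text;

    string requestUrl = "https://graph.facebook.com/btaylor";

    var request = (HttpWebRequest)WebRequest.Create(requestUrl); // my url
    request.Method = "GET";

    // Dispose the response and its stream so the connection is released
    using (WebResponse response = request.GetResponse())
    using (Stream responseStream = response.GetResponseStream())
    using (var buffer = new MemoryStream())
    {
        // Read the whole response body into memory
        responseStream.CopyTo(buffer);
        // TODO: Do whatever you need with the response
        byte[] myData = buffer.ToArray();
        string s = Encoding.ASCII.GetString(myData);
    }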
Kris C
  • If you can browse to the webservice, you should be prompted by your browser that the certificate is untrusted and to allow you to add it to your trusted certificates. – Kris C Dec 30 '10 at 22:36
  • You can get to this from Control Panel -> Internet Options -> Content -> Certificates -> Trusted Root Certificates – Kris C Dec 30 '10 at 22:39
  • Ok, I tried going to the webservice (https://graph.facebook.com/) through my browser but it just redirects me to an API page and never says anything about a certificate. I do have a bunch of certificates in the path that you mentioned but none of them say facebook. Would it say something else? – Abe Miessler Dec 30 '10 at 22:50
  • Also, I had this running on another machine and it worked, does that mean the cert exists somewhere on that machine? Can I just move it over? – Abe Miessler Dec 30 '10 at 22:50
  • Hmm - if it's Facebook you're accessing, the suggestion I've proposed may not be the case. However, you can check the certificate (in Chrome, open the https page then right click -> page info -> certificate information). This shows for me that the certificate is "DigiCert High Assurance CA-3" - you can save this, check that it's on the other machine, and if not you can import it to the certificates area mentioned previously. If this doesn't help, I'd suggest a) checking the suggestions in the possible duplicate and/or b) posting some code, so we can try and recreate the problem – Kris C Dec 30 '10 at 22:57
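
An added diagnostic, not part of the original question, answer or comments: it registers a certificate validation callback that prints the policy errors and the status of every chain element .NET built for the server, while keeping the default accept/reject decision. The URL is a placeholder, and the class and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class TlsTrustDiagnostics   // hypothetical name, added example
{
    // Logs why .NET rejects the server certificate. The decision itself is
    // unchanged: the request still fails unless the platform reported no errors.
    static bool LogAndValidate(object sender, X509Certificate certificate,
                               X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("Policy errors: " + errors);
        if (certificate != null)
        {
            Console.WriteLine("Subject: " + certificate.Subject);
            Console.WriteLine("Issuer:  " + certificate.Issuer);
        }
        if (chain != null)
        {
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.WriteLine("  Chain element: " + element.Certificate.Subject);
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.WriteLine("    " + status.Status + ": " + status.StatusInformation.Trim());
            }
        }
        return errors == SslPolicyErrors.None; // never return true unconditionally
    }

    static void Main()
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndValidate;

        // Placeholder URL (assumption): substitute the endpoint that fails.
        var request = (HttpWebRequest)WebRequest.Create("https://service.example/");
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                Console.WriteLine("TLS handshake OK, HTTP " + (int)response.StatusCode);
        }
        catch (WebException ex)
        {
            Console.WriteLine("Request failed: " + ex.Status + " - " + ex.Message);
        }
    }
}
```

A chain status such as `UntrustedRoot` or `PartialChain` in the output points to the root or intermediate certificate that is missing from the store the process actually uses.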