
I have disabled TLS 1.0 and TLS 1.1 in Identity Server (v4 running in a Service Fabric Cluster using WebHostBuilder, targeting .NET 4.6.2 using a self-signed cert). I have added the following in Startup.cs:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

And I receive the following error:

System.InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://services.mytest.com:8443/oauth/.well-known/openid-configuration'.
---> System.IO.IOException: Unable to get document from: https://services.mytest.com:8443/oauth/.well-known/openid-configuration
---> System.Net.Http.HttpRequestException: An error occurred while sending the request.
---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive.
---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

I've looked at the questions here:

IDX10803: Unable to create to obtain configuration

Unable to obtain configuration from well-known/openid-configuration

I've tried the suggestions (including adding the cert to trusted root).

SturmUndDrang
  • Besides adding the cert to the trusted root, the user who is running the app pool where the IDS is hosted should be given read rights to the cert. Have you done that too? – m3n7alsnak3 Jul 17 '18 at 18:20
  • The App pool is running under LocalSystem and I've added the cert under Local Machine. – SturmUndDrang Jul 18 '18 at 07:04
  • I remember having the same issue with LocalSystem or AppPoolIdentity, so I ended up creating an account for this app pool, running it under this account, still adding the cert to trusted root, and giving the account at least read rights to the cert. Check here: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Certificates. Steps for ids4 are the same, and you can import your own cert of course. – m3n7alsnak3 Jul 18 '18 at 16:59
  • I changed the account and added the cert (pfx) under Personal and (cer) under Trusted People (as in the link). I'm still getting the same error though. – SturmUndDrang Jul 18 '18 at 21:20
  • And you added permissions to the user for the certificate? – m3n7alsnak3 Jul 18 '18 at 21:31
  • I'm not sure how to do that. When it's under LocalMachine you can set the ACL on the cert for a user (All Tasks > Manage Keys), but not when it's in the Current User store – SturmUndDrang Jul 19 '18 at 04:18

1 Answer

I don't know much about that particular piece of software, but the problem here is not that the certificate is not trusted (according to the error message); rather, during the TLS handshake your server and client try to negotiate which protocol version, cryptographic ciphers and key exchange mechanism should be used. It would seem that the client and server have now become incompatible. Either change the client or the server.

See also a related post with a possible solution:

The client and server cannot communicate, because they do not possess a common algorithm

JohannesB
  • The problem surfaces where the client and the server are the same machine, therefore they have the same TLS configuration in the Windows registry. – SturmUndDrang Aug 01 '18 at 07:33
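The answer says the failure is a version/cipher negotiation mismatch rather than a trust problem; the diagnostic below, added here as an example and not taken from the question, the answer or IdentityServer, checks that directly. It opens a raw TLS connection to the discovery endpoint's host and port (both copied from the error message) once per protocol version and reports which versions the server accepts, which cipher suite it negotiates, and, separately, what the certificate validation result would have been. It uses SslStream with an explicit SslProtocols value, because ServicePointManager.SecurityProtocol only governs HttpWebRequest/HttpClient (the path the IDX10803 retrieval takes) and would otherwise mask which single version is being tested. The class and method names are the example's own.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic, not part of the question or of IdentityServer: probe which TLS
// versions the discovery endpoint accepts so the client-side SecurityProtocol setting
// can be compared with what the server on the same machine actually offers.
static class TlsProbe
{
    static void Main()
    {
        const string host = "services.mytest.com"; // host and port from the discovery URL in the error
        const int port = 8443;

        // What HttpWebRequest/HttpClient in this process would offer (the setting from Startup.cs).
        Console.WriteLine("Client SecurityProtocol: " + ServicePointManager.SecurityProtocol);

        foreach (var proto in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            Console.WriteLine(proto + ":");
            try
            {
                using (var tcp = new TcpClient(host, port))
                using (var ssl = new SslStream(tcp.GetStream(), false, LogCertificateResult))
                {
                    // Offer exactly one protocol version so a rejection pins down which
                    // version the server refuses. Last argument: no revocation check.
                    ssl.AuthenticateAsClient(host, null, proto, false);
                    Console.WriteLine("  accepted: {0}, cipher {1} ({2} bits), key exchange {3}, hash {4}",
                        ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength,
                        ssl.KeyExchangeAlgorithm, ssl.HashAlgorithm);
                }
            }
            catch (AuthenticationException ex)
            {
                // SCHANNEL rejected the handshake; with one version offered this means the
                // server has that version, or every cipher suite usable with it, disabled.
                // The inner Win32Exception carries the same "no common algorithm" text as the question.
                Console.WriteLine("  rejected: " + (ex.InnerException ?? ex).Message);
            }
            catch (IOException ex)
            {
                // The server dropped the connection mid-handshake instead of sending an alert.
                Console.WriteLine("  connection closed: " + ex.Message);
            }
        }
    }

    // The probe measures protocol and cipher overlap only, so the chain result is logged
    // rather than enforced (a self-signed cert shows RemoteCertificateChainErrors here).
    // The real client keeps default validation; this callback is for the probe alone.
    static bool LogCertificateResult(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("  certificate: " + cert.Subject + " validation result: " + errors);
        return true;
    }
}
```

Build it as a .NET Framework 4.6.2 console application and run it on the Service Fabric node itself, since the last comment notes that client and server share that machine's registry configuration. If only the Tls12 probe is accepted while the Tls and Tls11 probes are rejected, the server side matches the Startup.cs setting and the remaining mismatch is in the cipher suites or key exchange algorithms enabled for TLS 1.2; if every probe is rejected, the server has no version left that the client can use, which is exactly the negotiation failure the answer describes.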