Just renewed SSL Certs and I get "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.",

Question

I just renewed our SSL Certs for our websites. I've been doing this for a years w/o issues.

After this last SSL update I'm getting errors when my websites are talking to each other, however no errors when I browse each site individually through chrome or other browsers.

If I browse Site A or Site B through a browser, there are no errors. However, if I go to a page where Site A needs to access Site B through an HTTPRequest, I get the following error:

  "message": "An error has occurred.",
      "exceptionMessage": "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.",
      "exceptionType": "System.Net.WebException",
      "stackTrace": "   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)\r\n   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)",
      "innerException": {
        "message": "An error has occurred.",
        "exceptionMessage": "The remote certificate is invalid according to the validation procedure.",
        "exceptionType": "System.Security.Authentication.AuthenticationException",
        "stackTrace": "   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)\r\n   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)"
      }

• Both sites reside on the same server
• Both sites have the same root domain name.
  (ex. SiteA.foo.com, siteB.foo.com)
• Server 2012.
• I performed the SSL Request from the Production server and finished it on the production server.
• I do not have this problem on my local dev or our other stacks (with the same certificate)
• Removed the new cert from all stores (MMC), restarted. Installed the PFX onto both the user/computer accounts. Re-binded all sites in IIS. Every site in a browser "works" but when you try to get one backend to call another website I get the same error.

.NET framework - v4.0.30319, Pipeline - Integrated

Look at the 2017-2018 certificate there are no changes except for what you would expect. Subject, Domain, etc. are all the same.

Here's a section of code that's blowing up.

            using (var handler = new HttpClientHandler())
            {
                HttpResponseMessage message = null;
                handler.CookieContainer = _cookieContainer;
                handler.UseDefaultCredentials = false;
                handler.UseCookies = true;
                using (var client = new HttpClient(handler))
                {
                    var attempt = 0;
                    client.Timeout = _requestTimeout;
                    var uri = BuildActionUri(baseUri, action);
                    while (attempt++ < retryAttempts)
                    {
                        HttpContent httpContent;
                        switch (actionType)
                        {
                            case ActionType.Put:
                                httpContent = authenticationProvider.SignRequest(client, request, grantResponse);
                                message = client.PutAsync(uri, httpContent).Result;
                                break;
                            case ActionType.PostAsJson:
                                authenticationProvider.SignRequest(client, new EntityJsonRequest {Entity = data}, grantResponse);
                                client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));//ACCEPT header
                                message = client.PostAsJsonAsync(uri, data).Result;
                                break;
                            case ActionType.Post:
                                httpContent = authenticationProvider.SignRequest(client, request, grantResponse);
                                message = client.PostAsync(uri, httpContent).Result;
                                break;
                            case ActionType.PutAsJson:
                                authenticationProvider.SignRequest(client, new EntityJsonRequest {Entity = data},
                                    grantResponse);
                                message = client.PutAsJsonAsync(uri, data).Result;
                                break;
                            case ActionType.Get:
                                authenticationProvider.SignRequest(client, null, grantResponse);
                                message = client.GetAsync(uri).Result;
                                break;

Answer 1

After a lot of testing and research something I tried fixed everything. It seems that something in .NET was caching the SSL Cert.

Steps I did:

• Run windows Update (had a few updates to run). This gave me a different error message than above, but it still contained the error regarding SSL trust issues.
• Checked that SSL and TLS were enabled in the registry (they were). Restarted, same error,
• cleared .net cache, re-deployed, but it still failed.
• re-installed ASP.NET, deleted cert from MMC (Computer/User), ran a few PS scripts to kill IIS cache, added cert as a PFX rather than a .CER, and it worked.