0

I need to connect to an endpoint and pass the certification for validation (on their end). Following this gives me this code:

using var cert = new X509Certificate2(pathToCert);
var handler = new HttpClientHandler();
handler.ClientCertificates.Add(cobCert);
var client = new HttpClient(handler);
var response = await client.PostAsync(url, new StringContent(json, Encoding.UTF8, "application/json"));

This returns the following error:

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception) at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)

What is the correct way to handle this?

Note: The actual app will use IHttpClientFactory but currently creating the HttpClient for testing.

Edit: Sorry forgot to say, that this endpoint with this cert works in Postman

Xaphann
  • 3,195
  • 10
  • 42
  • 70
  • 1
    This has nothing to do with certificate validation. The error complains that the *server certificate is invalid*. Perhaps it has expired or revoked. Self-signed certificates are invalid by definition because they aren't signed by a trusted authority. Is that the case here? – Panagiotis Kanavos Nov 25 '21 at 17:03
  • 1
    To use a self-signed certificate without compromising security is to *trust* it. The .NET Core SDK will add the self-signed certificate used by .NET Core projects to the trusted certificates of the local machine. On other machines you can navigate to the API URL with a browser, click on the warning that appears at the left of the address bar and trust the certificate – Panagiotis Kanavos Nov 25 '21 at 17:05
  • 1
    *DO NOT* disable certificate validation. That would be equivalent to disabling HTTPS. HTTPS isn't used to encrypt the connection, it's used to ensure that no other server gets "in the middle" of the client and server. It does that by ensuring the remote server is who its certificate says it is. Obviously, the certificate needs to be valid - which means it's signed by a trusted source. Without validation someone could add a malicious proxy to your network that would pose as the remote server, intercept your calls and send them to the remote server – Panagiotis Kanavos Nov 25 '21 at 17:08
  • @PanagiotisKanavos it was the trust root authority was the issue. If you put that as answer I will mark it – Xaphann Nov 25 '21 at 17:10

1 Answers1

1

The error complains that the server certificate is invalid. Perhaps it has expired or revoked. Sometimes the root authority certificate itself is compromised and revoked. This is rare but it has happened in the past.

Perhaps a test server uses a self-signed certificate for development. Self-signed certificates are invalid by definition because they aren't signed by a trusted authority.

HTTPS isn't used to encrypt the connection, it's used to ensure that no other server gets "in the middle" of the client and server. It does that by ensuring the remote server is who its certificate says it is. Obviously, the certificate needs to be valid - which means it needs to be signed by a trusted source. Without validation someone could add a malicious proxy to your network that would pose as the remote server, intercept your calls and send them to the remote server.

If the server service has expired or been revoked, the server admin will have to renew it.

To use a self-signed certificate without compromising security is to trust it. The .NET Core SDK will add the self-signed certificate used by .NET Core projects to the trusted certificates of the local machine. On other machines you can navigate to the API URL with a browser, click on the warning that appears at the left of the address bar and trust the certificate

Panagiotis Kanavos
  • 120,703
  • 13
  • 188
  • 236