 

Could not establish trust relationship for the SSL/TLS secure channel: The remote certificate is invalid according to the validation procedure

I have an asp.net mvc web app that has been running in production for about 4 years. Suddenly, since about a week ago, I am getting this error returned for all calls to 3rd-party secure APIs:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

This is for calls to SendGrid for sending emails, calls to Azure Blob Storage for uploading of documents, calls to Connect.io for logging.

I have managed to resolve the Azure Blob Storage problem temporarily by changing the connection string to use http instead of https.

Clearly something has broken on my app server, and I have no idea where to start looking.

Please help.

Edit: Turns out I was using a sample library provided by one of my (lesser-used) 3rd-party APIs, and this library had an override of System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) which had its own logic about what constitutes a valid certificate!!! AARGH!

Shawn de Wet Avatar asked Oct 21 '16 10:10

Shawn de Wet
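The "Edit" above describes the root cause: a process-wide validation callback installed by a third-party sample library. The following is an added example (not code from the question or from that library) showing how to surface such an override and how to log why a certificate is being rejected without weakening validation. It assumes the .NET Framework `ServicePointManager` API the question uses; `Install()` is meant to be called once at startup, for example from `Application_Start` in Global.asax.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the question. Keeps the framework's default decision
// (accept only when there are no policy errors) but logs why a certificate was
// rejected and reports any callback another component has already registered,
// which is how an override like the one in the question can be found.
public static class CertificateValidationDiagnostics
{
    public static void Install()
    {
        // With a multicast delegate every registered handler runs, but only the
        // return value of the LAST one is used, so a library's "+=" can silently
        // win over yours (or yours over the library's, depending on order).
        var existing = ServicePointManager.ServerCertificateValidationCallback;
        if (existing != null)
        {
            foreach (Delegate d in existing.GetInvocationList())
            {
                Console.WriteLine("Validation callback already registered by {0}.{1} in assembly {2}",
                    d.Method.DeclaringType, d.Method.Name,
                    d.Method.Module.Assembly.GetName().Name);
            }
        }
        ServicePointManager.ServerCertificateValidationCallback += LogAndDecide;
    }

    public static bool LogAndDecide(object sender, X509Certificate certificate,
                                    X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        bool accepted = IsAcceptable(sslPolicyErrors);
        if (!accepted)
        {
            var request = sender as WebRequest;   // HttpWebRequest passes itself as sender
            var cert2 = certificate == null ? null : new X509Certificate2(certificate);
            Console.WriteLine("TLS certificate rejected for {0}: errors={1}, subject={2}, thumbprint={3}",
                request != null ? request.RequestUri.ToString() : "<unknown>",
                sslPolicyErrors,
                cert2 != null ? cert2.Subject : "<none>",
                cert2 != null ? cert2.Thumbprint : "<none>");
            if (chain != null)
            {
                // Chain status explains *which* check failed: untrusted root,
                // expired intermediate, revocation lookup failure, and so on.
                foreach (X509ChainStatus status in chain.ChainStatus)
                    Console.WriteLine("  chain status: {0} ({1})",
                        status.Status, status.StatusInformation.Trim());
            }
        }
        return accepted;
    }

    // Same rule the framework applies when no callback is registered at all.
    public static bool IsAcceptable(SslPolicyErrors errors)
    {
        return errors == SslPolicyErrors.None;
    }
}
```

Because only the last registered handler's return value counts, a diagnostic handler registered after a library's permissive one restores proper validation for the process, while the log lines tell you which assembly registered the other handler and which chain check is actually failing.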


2 Answers

This part becomes the key information for your problem:

I am getting this error being returned for all calls to 3rd-party secure API's

According to MSDN blog:

This error message is caused because the process is not able to validate the Server Certificate supplied by the Server during an HTTPS (SSL) request. The very first troubleshooting step should be to see if the server-supplied certificate and every certificate in the chain is trouble free.

Because it seems that one or more third-party certificates are rejected, you may configure the Trusted Roots part of your certificate trust lists to include all required third-party CAs as part of the chain, to work with secure APIs from trusted sources, including reissued certificates, if any.

Further details: https://technet.microsoft.com/en-us/library/dn265983.aspx

NB (Optional):

As a temporary measure, you can implement this certificate validation handler in WebRole.cs until all related third-party certificates have been reissued (remember this setting will trust all issued certificates, hence it's not recommended for long-term usage):

System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

Additional reference: http://robertgreiner.com/2013/03/could-not-establish-trust-relationship-for-the-ssl-tls-secure-channel/

Tetsuya Yamamoto Avatar answered Sep 22 '22 07:09

Tetsuya Yamamoto
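The `=> true` handler in the answer above disables certificate validation for every connection in the process. As an added example (not the answer's code), the following shows a narrower stop-gap for the same situation: a callback scoped to a single `HttpClient` that tolerates exactly one known certificate for exactly one host, and only while the sole failure is an untrusted chain. It uses `HttpClientHandler.ServerCertificateCustomValidationCallback` (available in .NET Framework 4.7.1+ and .NET Core); the host name and thumbprint are placeholders to be replaced with values verified out of band.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the answer. A per-client exception instead of a
// process-wide "trust everything" callback.
public static class ScopedCertificateException
{
    // Placeholder values: replace with the host and the SHA-1 thumbprint of the
    // certificate you have verified out of band (e.g. from the vendor's notice).
    private const string AllowedHost = "api.example.invalid";
    private const string AllowedThumbprint = "0000000000000000000000000000000000000000";

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            // Scoped to this handler only; ServicePointManager is left untouched.
            ServerCertificateCustomValidationCallback = Validate
        };
        return new HttpClient(handler);
    }

    public static bool Validate(HttpRequestMessage request, X509Certificate2 cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;                 // normal path: framework validation passed

        // Tolerate only "chain could not be built to a trusted root". A name
        // mismatch or a missing certificate is never acceptable.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null)
            return false;
        if (!OnlyUntrustedRoot(chain))
            return false;

        bool hostMatches = string.Equals(request.RequestUri.Host, AllowedHost,
                                         StringComparison.OrdinalIgnoreCase);
        bool certMatches = string.Equals(cert.Thumbprint, AllowedThumbprint,
                                         StringComparison.OrdinalIgnoreCase);
        bool notExpired = DateTime.UtcNow < cert.NotAfter.ToUniversalTime();
        return hostMatches && certMatches && notExpired;
    }

    // True when every chain problem is an untrusted/partial chain; revoked,
    // expired or wrong-usage certificates are rejected regardless of pinning.
    private static bool OnlyUntrustedRoot(X509Chain chain)
    {
        if (chain == null) return false;
        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            if (s.Status != X509ChainStatusFlags.UntrustedRoot &&
                s.Status != X509ChainStatusFlags.PartialChain)
                return false;
        }
        return true;
    }
}
```

Pinning to a thumbprint means the exception expires with that certificate, so the workaround cannot quietly outlive the incident; once the vendor's chain validates normally again the callback simply returns on the first line and the pin is never consulted.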


Similar thing happened in our system. Our problem was TLS version. The SSL offload appliance was configured to accept only TLS 1.2. One week ago this configuration accepted all TLS versions 1.0 to 1.2.

We had to reconfigure .NET's SecurityProtocol settings like:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls12; 

You can use this site to test which TLS version you are using: https://www.ssllabs.com/ssltest/index.html

fduman Avatar answered Sep 24 '22 07:09

fduman
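The answer above points to an external site to see which TLS versions an endpoint accepts. As an added example (not the answer's code), the following small probe does the same check from the application server itself, which matters when the affected host is internal or reached through an SSL offload appliance that a public scanner cannot see. It offers one protocol version at a time with `SslStream` and reports what each attempt negotiated; it needs network access to the host passed on the command line.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added example, not from the answer. Probes which TLS versions an endpoint
// accepts and applies a TLS 1.2-only process-wide setting.
public static class TlsProbe
{
    // Hardened process-wide setting: TLS 1.2 only. SSL 3.0 is not needed to talk
    // to an appliance that only accepts TLS 1.2, and should not be enabled.
    public static void ApplyTls12Only()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    }

    // Lists deprecated protocols still enabled in a SecurityProtocol value.
    public static List<string> WeakProtocolsEnabled(SecurityProtocolType value)
    {
        var weak = new List<string>();
        if ((value & SecurityProtocolType.Ssl3) != 0) weak.Add("SSL 3.0");
        if ((value & SecurityProtocolType.Tls) != 0) weak.Add("TLS 1.0");
        if ((value & SecurityProtocolType.Tls11) != 0) weak.Add("TLS 1.1");
        return weak;
    }

    // Connects to host:port offering only the given protocol(s); returns the
    // negotiated version, or null if the handshake or connection failed.
    public static SslProtocols? Negotiate(string host, int port, SslProtocols offered)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                ssl.AuthenticateAsClient(host, null, offered, checkCertificateRevocation: true);
                return ssl.SslProtocol;
            }
        }
        catch (SocketException) { return null; }
        catch (AuthenticationException) { return null; }
        catch (IOException) { return null; }
    }

    public static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "localhost";
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;

        foreach (var p in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            SslProtocols? result = Negotiate(host, port, p);
            Console.WriteLine("{0,-6}: {1}", p, result.HasValue ? "accepted (" + result + ")" : "rejected");
        }

        foreach (string w in WeakProtocolsEnabled(ServicePointManager.SecurityProtocol))
            Console.WriteLine("warning: process-wide setting still enables " + w);
    }
}
```

If the endpoint rejects TLS 1.0 and 1.1 but accepts 1.2, the appliance change described in the answer is the cause, and the fix is to enable TLS 1.2 in the client. On .NET Framework 4.7 and later, `SecurityProtocolType.SystemDefault` (the default value) defers to the operating system's enabled protocols, which avoids hard-coding a version list in application code at all.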