
The SSL connection could not be established: System.Security.Authentication.AuthenticationException

My server code (running on an AWS Lambda .NET Core 3.1) suddenly stopped authenticating with my API server. It has been working for years, but today it stopped working in both production and development environments simultaneously. The errors I'm getting are:

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

The relevant source code is

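// Accept is a property of HttpWebRequest, so cast the result of WebRequest.Create
HttpWebRequest httpWebRequest2 = (HttpWebRequest)WebRequest.Create(APIurl);
httpWebRequest2.Method = "GET";
httpWebRequest2.Accept = "application/json";
httpWebRequest2.Timeout = 60 * 1000; // milliseconds
httpWebRequest2.Headers.Add("Authorization", _APIToken);
// The TLS handshake, including certificate validation, happens here
WebResponse response = httpWebRequest2.GetResponseAsync().Result;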

I'm using Let's Encrypt to generate certificates, and neither of the certificates -- for my development API URL or production API URL -- is expired. HTTPS queries succeed in every other platform I've tried.

At this point I don't even know what else to troubleshoot. I can give as much more information as is required.

Aaron Gayle asked Oct 18 '25 07:10


1 Answer

This is an issue with Amazon Linux 2, which Lambda functions utilize to run their runtime environments. As of this posting, Amazon Linux 2 utilizes OpenSSL 1.0 (specifically package openssl-1.0.2k-19.amzn2.0.6.x86_64). As of today, September 30th 2021, Let's Encrypt's older certificate from DST Root CA X3 has expired, and a quirk of this is that the default preferred certificate chain from Let's Encrypt no longer works with OpenSSL 1.0.

You can work around this issue as noted in this post, depending on how you generated your Let's Encrypt certificates. For example, we utilize CertBot and needed to pass the --preferred-chain 'ISRG Root X1' argument to generate a compatible certificate for OpenSSL 1.0.

Hopefully the underlying runtime environment will be compatible with the default chain preference soon.

Brandon Miller answered Oct 19 '25 22:10
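
One way to check which chain a server is actually serving, before and after reissuing with --preferred-chain 'ISRG Root X1' (an added example, not part of the answer above). It parses the "Certificate chain" listing printed by openssl s_client; the function name, the host api.example.com and both sample listings are constructed for illustration.

```shell
# Added example. Reads `openssl s_client -showcerts` output on stdin and reports
# whether the served chain still ends at the expired DST Root CA X3 cross-sign.
# Exit status: 0 = ok, 1 = chain uses the DST cross-sign, 2 = no chain found.
le_chain_verdict() {
    awk '
        /^Certificate chain/    { in_chain = 1; next }
        in_chain && $0 == "---" { in_chain = 0 }      # PEM "-----" lines do not match
        in_chain && /^ *i:/ {                         # issuer line of each chain entry
            sub(/^ *i:/, "")
            last = $0; n++
            if (index($0, "DST Root CA X3")) dst = 1
        }
        END {
            if (n == 0) { print "no-chain"; exit 2 }
            if (dst)    { print "expired-cross-sign: " last; exit 1 }
            print "ok: " last
        }'
}

# Constructed sample: default (long) chain, OpenSSL 1.1 name format.
sample_long_chain() {
    cat <<'EOF'
Certificate chain
 0 s:CN = api.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Constructed sample: chain issued with --preferred-chain 'ISRG Root X1',
# OpenSSL 1.0.2 name format.
sample_short_chain() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=api.example.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
EOF
}

sample_long_chain  | le_chain_verdict || true   # expired-cross-sign: ...
sample_short_chain | le_chain_verdict           # ok: ...
```

Against a live endpoint, pipe `openssl s_client -connect api.example.com:443 -servername api.example.com -showcerts </dev/null 2>/dev/null` into `le_chain_verdict`; a status of 1 means OpenSSL 1.0 clients such as the Lambda runtime described above will reject the connection.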


