In an Azure virtual machine, I have a web application and a sub web application with FormsAuthentication and HTTPS configured with a valid certificate. Authentication is shared between the main application and the sub application with the same machine key. SSL is required on the two applications.
Everything is OK from outside with the public URL.
I need to send some requests from the main application to the sub application with the public name for configuration purposes (the sub application could be installed on another server). These requests use a specific account for identification.
This is my code to send a request from the main application to the sub application; this.WebApiUrl is the public URL:
    // If we are not authenticated
    if(!isAuthenticated)
    {
        // Check user and login
        if(!User.Check(this.WebApiLogin, this.WebApiPassword))
            throw new Exception("Unauthorized user");
        isAuthenticated = true;
    }
    // Convert HttpCookie to Cookies
    var cookies = FormsAuthentication.GetAuthCookie(this.WebApiLogin, false).ToCookies();
    // Create request with the authentication cookie
    Uri baseAddress = new Uri(this.WebApiUrl);
    CookieContainer cookieContainer = new CookieContainer();
    foreach(var cookie in cookies)
    {
        if(String.IsNullOrEmpty(cookie.Domain))
            cookie.Domain = baseAddress.Host;
        if(baseAddress.Scheme == "https")
            cookie.HttpOnly = false;
        cookieContainer.Add(cookie);
    }
    // send request
    using(HttpClientHandler handler = new HttpClientHandler() { CookieContainer = cookieContainer })
    {
        using(HttpClient client = new HttpClient(handler))
        {
            client.BaseAddress = baseAddress;
            client.DefaultRequestHeaders.Accept.Clear();
            client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
            return client.GetStringAsync(requestUri).Result;
        }
    }
Everything is OK without SSL. When I activate SSL, the request between the main application and the subdomain application fails with:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel..
Here is the System Logs from System.Net and System.Net Sockets.
System.Net Information: 0 : [10788] SecureChannel#92992 - Remote certificate was verified as invalid by the user.
System.Net.Sockets Verbose: 0 : [10788] Socket#29502801::Dispose()
System.Net Error: 0 : [10788] Exception in HttpWebRequest#61435094:: - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel..
System.Net Verbose: 0 : [10788] HttpWebRequest#61435094::EndGetResponse()
System.Net Error: 0 : [10788] Exception in HttpWebRequest#61435094::EndGetResponse - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel..
What is strange is that the log doesn't say why the certificate was verified as invalid by the user, although this certificate is valid for requests from outside.
Important: I don't want a solution with ServicePointManager.ServerCertificateValidationCallback because it's in a production environment.
Thanks for your help.
Are you providing a ServerCertificateValidationCallback anywhere else in your code?
We had a logical flaw in a callback that we implemented which was whitelisting specified domains with self-signed certificates. Namely, the callback was always executing - even for valid certificates - but only applying the whitelisting logic. Because legitimate certificates weren't in this list, the callback was indicating failure.
This was resolved by returning early based on the error variable:
    if (error == SslPolicyErrors.None) return true;
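
The flaw described in this answer next to its early-return fix, as an added example that is not code from the original post. The host names and the allowlist are hypothetical, and accepting allowlisted hosts only for chain errors is an extra assumption of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class CertValidationDemo
{
    // Hypothetical allowlist of internal hosts that present self-signed certificates.
    static readonly HashSet<string> SelfSignedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "dev.internal.example" };

    // Flawed: applies the allowlist to every certificate, so a host with a valid
    // CA-issued certificate is rejected simply because it is not on the list.
    public static bool Flawed(string host, SslPolicyErrors error)
    {
        return SelfSignedHosts.Contains(host);
    }

    // Fixed: return early when the platform validation reported no errors.
    public static bool Fixed(string host, SslPolicyErrors error)
    {
        if (error == SslPolicyErrors.None) return true;
        // Added assumption: tolerate only chain errors (the self-signed case),
        // never a name mismatch or a missing certificate.
        return error == SslPolicyErrors.RemoteCertificateChainErrors
            && SelfSignedHosts.Contains(host);
    }

    // Adapter with the RemoteCertificateValidationCallback signature.
    // Assumption: on .NET Framework the sender is the HttpWebRequest being sent.
    public static bool Callback(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors error)
    {
        var request = sender as HttpWebRequest;
        string host = request != null ? request.RequestUri.Host : "";
        return Fixed(host, error);
    }

    static void Main()
    {
        // Constructed cases: a public host with a valid certificate, then the
        // allowlisted host with chain errors, then an unknown host with chain errors.
        Console.WriteLine("flawed, valid cert:    " + Flawed("www.example.com", SslPolicyErrors.None));
        Console.WriteLine("fixed, valid cert:     " + Fixed("www.example.com", SslPolicyErrors.None));
        Console.WriteLine("fixed, allowlisted:    " + Fixed("dev.internal.example", SslPolicyErrors.RemoteCertificateChainErrors));
        Console.WriteLine("fixed, unknown host:   " + Fixed("other.example", SslPolicyErrors.RemoteCertificateChainErrors));
    }
}
```

To use the fixed logic process-wide, assign `CertValidationDemo.Callback` to `ServicePointManager.ServerCertificateValidationCallback`.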