Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

WebException Could not establish trust relationship for the SSL/TLS secure channel

My company has developed a .NET web service and a client dll that uses that web service. The webservice is hosted on our server over ssl and the cert is provided and signed by GoDaddy. We have some clients in a hosted environment that are getting the following error message from the client dll when it tries to access our web service.

System.Net.WebException The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Our fix has been to have them open IE on the server, which is a challenge in and of itself for a lot of the hosted services, and go to the WSDL url. IE then prompts them with a security alert dialog. It says the cert date is valid and a valid name matching the name of the page, but was issued by a company you have not chosen to trust. When they click Yes to proceed, the client dll can then succesfully connect to the web service and operate as normal.

Does anyone have any idea why GoDaddy would not have been in there valid publishers list? All of the servers we have running has GoDaddy as a valid authority. I'm guessing, for security reasons, they've uninstalled the authority for GoDaddy, but not totally convinced that there's not some other underlying issue.

Unfortunately, I haven't had much luck trying to recreate this locally. If I go into Internet Options and remove the GoDaddy authorities and hit our service, ssl works just fine. I go back into the list of publishers and GoDaddy gets put right back in. So my second question is, How the heck do you get rid of GoDaddy so I can get an invalid cert warning?

Okay, last question. Is there a way in code I can tell the web service to ignore invalid certs. I've seen some posts on doing this programatically with WCF but not old web services.

like image 374
Joshua Belden Avatar asked Dec 20 '10 18:12

Joshua Belden


People also ask

How do you establish trust relationship for SSL TLS secure channel?

Go to Central Administration =>Security =>Manage Trust. In the ribbon interface, go to Trust Relationships Tab =>Manage group =>Click on New button. In the Root Certificate to trust relationship section, click on Browse. Select the certificate that we have exported.

How do you fix could not establish secure channel for SSL TLS with authority?

A common reason you may receive the error Could not establish trust relationship for the SSL/TLS secure channel is because the SSL certificate isn't trusted. If the SSL certificate is not trusted, you will need to install the SSL certificate's root certificate.

Can't establish trust relationship for SSL TLS secure channel remote certificate is invalid?

This error typically indicates the SSL certificate is expired or is not configured properly for the domain of the Raiser's Edge Web Certificate.

What is SSL TLS secure channel?

TLDR: SSL/TLS encrypts communications between a client and server, primarily web browsers and web sites/applications. SSL (Secure Sockets Layer) encryption, and its more modern and secure replacement, TLS (Transport Layer Security) encryption, protect data sent over the internet or a computer network.


2 Answers

I fixed this error by adding this line before calling the web method:

System.Net.ServicePointManager.ServerCertificateValidationCallback = (senderX, certificate, chain, sslPolicyErrors) => { return true; };
like image 179
Amit Avatar answered Oct 27 '22 22:10

Amit


You may need to install on your servers the intermediate certificates used to sign your SSL certs.

Browsers will attempt to validate the SSL certificate by checking the validation of the chain of certs that signed the SSL cert. If the server doesn't supply the certificate chain with the SSL certificate, the browser may reject the SSL cert. (More of an issue for Firefox than IE). The root certificate must still be installed on the client machine for any of this to work.

like image 7
dthorpe Avatar answered Oct 27 '22 22:10

dthorpe