Jeff Sanders Technical Blog

I am a Microsoft employee that has worked on all aspects of the Web Stack for a long time. I hope these blogs are useful to you! Use this information at your own risk.


Troubleshooting ASP.NET: The Remote Certificate Is Invalid According To The Validation Procedure

- 16 Sep 2009

This error occurs because the process cannot validate the server certificate presented during an HTTPS (SSL) request.  The very first troubleshooting step should be to check that the certificate the server supplies, and every certificate in its chain, is free of problems.

Example 1 – Root Certificate only (self signed certificate in this case)

Step 1 – Validate the certificate, any intermediate certificates and the root certificate

One super handy and technical tool to help you do this first step is Internet Explorer.  Simply try to hit the same URL that your ASP.NET web application tries to hit when it gets this error.  For example, type in to the browser the path to the .asmx file and see what Internet Explorer says about the certificate.

This would be a bad sign:

[screenshot: Internet Explorer certificate warning page]

If Internet Explorer has certificate problems, chances are you will have problems with the HttpWebRequest (or Web Service) call as well.  The easiest fix is to install a valid certificate for the server, the root authority and all intermediate authorities.  Then go back and verify Internet Explorer can access the https site with no errors at all.

If you continue to the site using Internet Explorer, sometimes you can diagnose the certificate problem by viewing the certificate.  In this example the problem was spelled out for me when I typed in https://jsanders4:

[screenshot: certificate details showing the trust error]

So in my case, it appears that I simply need to install the certificate in the ‘Trusted Root Certification Authorities’ store.  So indeed I do this!

[screenshots: importing the certificate into the Trusted Root Certification Authorities store]

But I still got the certificate error…  To avoid a long discussion about this, the problem is simple.  I typed in https://jsanders4, but note that the certificate is issued to the full domain name of this machine.  If I instead browse to https://jsanders4.northamerica.corp.microsoft.com then I get no certificate error: the host name in the URL must match the name in the certificate.  Now I am sure I can browse to the site with no certificate errors using Internet Explorer.

You would continue to solve problems with the other certificates in the certificate chain by using Internet Explorer until they are all resolved.  For example, perhaps a certificate is expired, or the Intermediate Authority is not in the Intermediate Certification Authorities store (a very common one).  Once you have resolved all errors with Internet Explorer you are only half way finished.  You need to get the same certificates into the Local Computer store.

Step 2 – Troubleshoot the ASP.NET problem

I try my ASP.NET application and try to access the same site.  I get this error: ‘The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.’

But Internet Explorer was fine…

The next step should be to get a System.Net trace.  To do this, open the Web.Config for the troubled ASP.NET application and see if there is a <system.diagnostics> section in the file.  If there is, add the contents inside the <system.diagnostics> tags from this blog: [http://blogs.msdn.com/jpsanders/archive/2009/03/24/my-favorite-system-net-trace-configuration-file-dumps-process-id-and-date-time-information.aspx](http://blogs.msdn.com/jpsanders/archive/2009/03/24/my-favorite-system-net-trace-configuration-file-dumps-process-id-and-date-time-information.aspx).  If it does not exist, add the entire contents before the closing </configuration> tag of the Web.Config.

Now edit this line: initializeData="System.Net.trace.log".  You must ensure that the Network Service account can write this .log file, so change this entry to a folder that the Network Service account can write to.  For example, I created a folder c:\mylogs and assigned the Network Service account FULL privileges.  Then I changed this setting to initializeData="c:\mylogs\System.Net.trace.log".

I ran the ASP.NET application and saw this information at the end of the log file (c:\mylogs\System.Net.trace.log):

System.Net Information: 0 : [0880] SecureChannel#14701405 - Remote certificate has errors:
    ProcessId=5700
    DateTime=2009-09-16T12:54:06.5718699Z
System.Net Information: 0 : [0880] SecureChannel#14701405 -     A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
    ProcessId=5700
    DateTime=2009-09-16T12:54:06.5718699Z
System.Net Information: 0 : [0880] SecureChannel#14701405 - Remote certificate was verified as invalid by the user.
    ProcessId=5700
    DateTime=2009-09-16T12:54:06.5718699Z
System.Net.Sockets Verbose: 0 : [0880] Socket#26833123::Dispose()
    ProcessId=5700
    DateTime=2009-09-16T12:54:06.5718699Z
System.Net Error: 0 : [0880] Exception in the HttpWebRequest#31364015:: - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
    ProcessId=5700
    DateTime=2009-09-16T12:54:06.5718699Z

This is the key to this particular problem:  A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

However, I thought I had just added this certificate through Internet Explorer to my Trusted Root Authorities!  In reality I simply added it to the store of the logged-on user.  ASP.NET runs under a service account rather than as the logged-on user, so it consults the Local Computer store, not my user's store.  To resolve this, start MMC (Windows key + R and type MMC) and add the following snap-ins:

[screenshots: adding the Certificates snap-in in MMC]

And ensure you see the ‘Current User’ and ‘(Local Computer)’ Certificates listed (then hit OK):

[screenshot: Certificates - Current User and Certificates (Local Computer) in the snap-in list]

In the console expand the ‘Current User’ Trusted Root store and you see I have the certificate stored there.  However expanding the ‘(Local Computer)’ trusted root, it is NOT there:

[screenshots: Current User Trusted Root store with the certificate, (Local Computer) Trusted Root store without it]

Simply copy (do not drag and drop) the jsanders4 certificate from the Current User\Trusted Root store to the (Local Computer)\Trusted Root store and retest.

[screenshots: copying the certificate between the two stores]

Success!
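The MMC copy above can also be checked and performed in code, which helps on a server without a desktop session. This is an added example, not code from the original post: it reports whether a certificate (identified by a placeholder thumbprint) is present in the Current User and Local Computer Trusted Root and Intermediate stores, and adds it to the Local Computer store when it exists only in the Current User store. Writing to the Local Computer store requires an elevated (administrator) process.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class StoreSync
{
    // The two stores this post deals with: Trusted Root and Intermediate Certification Authorities.
    static readonly StoreName[] Names = { StoreName.Root, StoreName.CertificateAuthority };

    // Return the matching certificates in one store (empty collection if none).
    static X509Certificate2Collection Find(StoreLocation location, StoreName name, string thumbprint)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try { return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false); }
        finally { store.Close(); }
    }

    // Copy (not move) every Current User match into the same Local Computer store.
    // Returns the number of certificates added.
    public static int CopyUserToMachine(string thumbprint)
    {
        int added = 0;
        foreach (StoreName name in Names)
        {
            var user = Find(StoreLocation.CurrentUser, name, thumbprint);
            var machine = Find(StoreLocation.LocalMachine, name, thumbprint);
            Console.WriteLine("{0}: CurrentUser={1} LocalMachine={2}", name, user.Count, machine.Count);
            if (user.Count == 0 || machine.Count > 0)
                continue;                          // nothing to copy, or already present

            var target = new X509Store(name, StoreLocation.LocalMachine);
            target.Open(OpenFlags.ReadWrite);      // needs administrator rights
            try { target.AddRange(user); added += user.Count; }
            finally { target.Close(); }
        }
        return added;
    }

    static void Main()
    {
        // Placeholder thumbprint: take the real one from the certificate's Details tab (no spaces).
        const string thumbprint = "0000000000000000000000000000000000000000";
        Console.WriteLine("Added {0} certificate(s) to the Local Computer store.", CopyUserToMachine(thumbprint));
    }
}
```

Anything added to the Local Computer Trusted Root store is trusted by every account and service on the machine, so confirm the thumbprint against the certificate you actually mean to trust before running this.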

Example 2 – Intermediate Certificate Authorities Involved

This next example is a bit manufactured but illustrates a problem that I have had to help solve a few times.  The troubleshooting steps remain the same, but in this case there are one or more intermediate certificates.  These intermediate certificates must be in the ‘Intermediate Certification Authorities’ store to resolve the problem.  Take a look at the certificate chain for https://www.microsoft.com (you do this by clicking on the padlock icon in Internet Explorer and choosing the Certification Path tab):

[screenshot: Certification Path tab for www.microsoft.com]

For the purpose of this example, assume that the three certificates that are not highlighted all have a warning icon next to them indicating a problem.

Step 1 – Validate the certificate, any intermediate certificates and the root certificate

Note: For Internet Explorer there actually was no problem with the certification path.  The four certificates show no warning icons.  For this example, let’s say that the ‘GTE CyberTrust Global Root’, ‘Microsoft Internet Authority’ and ‘Microsoft Secure Server Authority’ certificates were all missing from my ‘Current User’ stores.  The steps below are contrived from this assumption.

To fix this I add the ‘GTE CyberTrust Global Root’ cert to the ‘Trusted Root Certification Authorities’ Store and the other two certificates to the ‘Intermediate Certification Authorities’ store of the Current User.  Test with IE again and Internet Explorer shows no problem after installing the certificates.  Next when I tested the ASP.NET application I got an error (because I did not add these certificates to the same stores in the (Local Computer) store).

Step 2 – Troubleshoot the ASP.NET problem

From the first example I was smart enough to copy the ‘GTE CyberTrust Global Root’ certificate to the ‘(Local Computer)’ trusted root store but I still have an error!

The ASP.NET program now has an error: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Again, taking the System.Net trace, you see an error towards the end of the file in these entries:

Remote certificate has errors:
A certificate chain could not be built to a trusted root authority.
Remote certificate was verified as invalid by the user.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

This entry is the key: ‘A certificate chain could not be built to a trusted root authority.’  This means that a certificate before the Root Authority is not in the ‘(Local Computer) Intermediate Certification Authorities’ store.  Once the two intermediate certificates are copied to the Intermediate store from the Current User intermediate store the problem is solved!
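The two trace messages examined in Example 1 and Example 2 correspond to specific X509ChainStatusFlags values, and a validation callback that logs them gives the same information without a full System.Net trace. The following is an added example, not code from the original post: it logs the SslPolicyErrors and chain status with a hint about which (Local Computer) store to check, but still returns false for any certificate that fails validation, so it does not weaken the check the way a callback that simply returns true would. The URL is a placeholder.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class CertDiagnostics
{
    // Map a chain status to the store a troubleshooter should look in (hints only).
    static string Hint(X509ChainStatusFlags status)
    {
        switch (status)
        {
            case X509ChainStatusFlags.UntrustedRoot:  // "terminated in a root certificate which is not trusted"
                return "root CA missing from (Local Computer)\\Trusted Root Certification Authorities";
            case X509ChainStatusFlags.PartialChain:   // "chain could not be built to a trusted root authority"
                return "intermediate CA missing from (Local Computer)\\Intermediate Certification Authorities";
            case X509ChainStatusFlags.NotTimeValid:
                return "a certificate in the chain is expired or not yet valid";
            default:
                return "see StatusInformation";
        }
    }

    // Signature matches RemoteCertificateValidationCallback.
    public static bool LogAndValidate(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;                                  // trusted chain and matching host name

        Console.WriteLine("Rejected {0}: {1}", cert == null ? "(no certificate)" : cert.Subject, errors);
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.WriteLine("  URL host name differs from the name in the certificate (as with https://jsanders4).");
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("  {0}: {1} -> {2}", s.Status, s.StatusInformation.Trim(), Hint(s.Status));

        return false;                                     // never accept an invalid certificate
    }

    static void Main()
    {
        // Process-wide diagnostic hook: remove it once the store problem is fixed.
        ServicePointManager.ServerCertificateValidationCallback = LogAndValidate;
        // Placeholder URL: use the .asmx the application actually calls.
        var request = (HttpWebRequest)WebRequest.Create("https://server.example.com/Service.asmx");
        try { using (request.GetResponse()) { Console.WriteLine("Certificate validated."); } }
        catch (WebException ex) { Console.WriteLine(ex.Message); }
    }
}
```

Because the callback runs inside the worker process, the chain it reports is built against the Local Computer stores that ASP.NET actually uses, which is exactly the view Internet Explorer does not give you.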

I hope this blog helped you get to the root of your problem.  If this was helpful please leave me a comment!
