Troubleshooting ASP.NET – The remote certificate is invalid according to the validation procedure


This error occurs because the process cannot validate the server certificate supplied by the server during an HTTPS (SSL) request.  The very first troubleshooting step should be to verify that the server's certificate and every certificate in its chain are free of problems.

Example 1 – Root Certificate only (self signed certificate in this case)

Step 1 – Validate the certificate, any intermediate certificates and the root certificate

One super handy and technical tool to help you with this first step is Internet Explorer.  Simply try to hit the same URL that your ASP.NET web application tries to hit when it gets this error.  For example, type into the browser the path to the .asmx file and see what Internet Explorer says about the certificate.

This would be a bad sign:

image

If Internet Explorer has certificate problems, chances are you will have problems with the HttpWebRequest (or Web Service) call as well.  The easiest fix is to install a valid certificate for the server, the root authority and all intermediate authorities.  Then go back and verify Internet Explorer can access the https site with no errors at all.

If you continue to the site using Internet Explorer, sometimes you can diagnose the certificate problem by viewing the certificate.  In this example the problem is spelled out for me when I typed in https://jsanders4.

image

So in my case, it appears that I simply need to install the certificate in the ‘Trusted Root Certification Authorities’ store.  So indeed I do this!

image  image  image

But I still got the certificate error…  To avoid a long discussion about this, the problem is simple.  I typed in https://jsanders4, but note that the certificate is for the full domain name of this machine.  If I instead browse to https://jsanders4.northamerica.corp.microsoft.com then I get no certificate error.  Now I am sure I can browse to the site with no certificate errors using Internet Explorer.

You would continue to solve problems with the other certificates in the certificate chain by using Internet Explorer until they are all resolved.  For example, perhaps the certificate is expired, or the Intermediate Authority is not in the Intermediate Certification Authorities store (a very common one).  Once you have resolved all errors with Internet Explorer you are only halfway finished.  You need to get the same information into the Local Computer store.

Step 2 – Troubleshoot the ASP.NET problem

I try my ASP.NET application and try to access the same site.  I get this error: ‘The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.’

But Internet Explorer was fine…

The next step should be to get a System.Net trace.  To do this, open the Web.config for the troubled ASP.NET application and check whether it already has a <configuration> section.  If it does, add the contents from inside the <configuration> </configuration> tags of this blog post: http://blogs.msdn.com/jpsanders/archive/2009/03/24/my-favorite-system-net-trace-configuration-file-dumps-process-id-and-date-time-information.aspx.  If it does not, add the entire contents before the closing tag of the Web.config.  Now edit this line:   initializeData="System.Net.trace.log"  You must ensure that the Network Service account can write this .log file, so change this entry to a folder that the Network Service account can write to.  For example, I created a folder c:\mylogs and granted the Network Service account FULL privileges, then changed this setting to initializeData="c:\mylogs\System.Net.trace.log"

I ran the asp.net application and saw at the end of the log file (c:\mylogs\System.Net.trace.log) this information:

System.Net Information: 0 : [0880] SecureChannel#14701405 – Remote certificate has errors:
    ProcessId=5700
    DateTime=2009-09-16T12:54:06.5718699Z
System.Net Information: 0 : [0880] SecureChannel#14701405 –     A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
    ProcessId=5700
    DateTime=2009-09-16T12:54:06.5718699Z
System.Net Information: 0 : [0880] SecureChannel#14701405 – Remote certificate was verified as invalid by the user.
    ProcessId=5700
    DateTime=2009-09-16T12:54:06.5718699Z
System.Net.Sockets Verbose: 0 : [0880] Socket#26833123::Dispose()
    ProcessId=5700
    DateTime=2009-09-16T12:54:06.5718699Z
System.Net Error: 0 : [0880] Exception in the HttpWebRequest#31364015:: – The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
    ProcessId=5700
    DateTime=2009-09-16T12:54:06.5718699Z

This is the key to this particular problem:  A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

However, I thought I had just added this certificate through Internet Explorer to my Trusted Root Authorities!  In reality I simply added it to the store of the logged-on user.  ASP.NET is running in the local machine context.  To resolve this, start MMC (Windows key + R and type MMC) and add the following snap-ins:

image image image

And ensure you see the ‘Current User’ and ‘(Local Computer)’ Certificates listed (then hit OK):

image

In the console, expand the ‘Current User’ Trusted Root store and you see I have the certificate stored there.  However, expanding the ‘(Local Computer)’ Trusted Root store, it is NOT there:

image image

Simply copy (do not drag and drop) the jsanders4 certificate from the Current User\Trusted Root store to the (Local Computer)\Trusted Root store and retest.

image image

Success!

Example 2 – Intermediate Certificate Authorities Involved

This next example is a bit manufactured but illustrates a problem that I have had to help solve a few times.  The troubleshooting steps remain the same, but in this case there are one or more intermediate certificates.  These intermediate certificates should be in the ‘Intermediate Certification Authorities’ store to resolve this problem.  Take a look at the certificate chain for https://www.microsoft.com (you do this by clicking on the padlock icon in Internet Explorer and choosing the Certification Path tab):

image 

For the purpose of this example, assume that the three certificates that are not highlighted all have a warning icon next to them indicating a problem.

Step 1 – Validate the certificate, any intermediate certificates and the root certificate

Note: For Internet Explorer there actually was no problem with the certification path.  The four certificates show no warning icons.  For this example, let’s say that the ‘GTE CyberTrust Global Root’, ‘Microsoft Internet Authority’ and ‘Microsoft Secure Server Authority’ certificates were all missing from my ‘Current User’ stores.  The steps below are contrived from this assumption.

To fix this I add the ‘GTE CyberTrust Global Root’ cert to the ‘Trusted Root Certification Authorities’ Store and the other two certificates to the ‘Intermediate Certification Authorities’ store of the Current User.  Test with IE again and Internet Explorer shows no problem after installing the certificates.  Next when I tested the ASP.NET application I got an error (because I did not add these certificates to the same stores in the (Local Computer) store).

Step 2 – Troubleshoot the ASP.NET problem

From the first example I was smart enough to copy the ‘GTE CyberTrust Global Root’ certificate to the ‘(Local Computer)’ trusted root store but I still have an error!

The ASP.NET program now has an error: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Again taking the System.Net trace you see an error towards the end of the file in these entries:

Remote certificate has errors:
A certificate chain could not be built to a trusted root authority.
Remote certificate was verified as invalid by the user.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

This entry is the key: ‘A certificate chain could not be built to a trusted root authority.’  This means that a certificate before the Root Authority is not in the ‘(Local Computer) Intermediate Certification Authorities’ store.  Once the two intermediate certificates are copied to the Intermediate store from the Current User intermediate store the problem is solved!
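The following PowerShell script is an added example, not part of the original post, that automates the check behind both examples above: it finds the server certificate (by the thumbprint shown on the Details tab of the certificate dialog) in the Current User stores where Internet Explorer installed it, builds the chain, prints the same chain-status text the System.Net trace shows, and then reports which chain members are missing from the (Local Computer) Trusted Root and Intermediate Certification Authorities stores. The `-Thumbprint` and `-Copy` parameters are this script's own; it assumes Windows PowerShell on the .NET Framework and an elevated prompt when `-Copy` is used.

```powershell
# Added diagnostic (not from the original post): compare a certificate chain that the
# logged-on user trusts against the Local Computer stores that ASP.NET actually reads.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,   # thumbprint of the server certificate, e.g. the jsanders4 cert
    [switch]$Copy          # copy missing certificates into LocalMachine; report only by default
)

# Normalise the thumbprint as pasted from the certificate dialog (spaces, lower case).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Internet Explorer installs into the Current User stores, so look the certificate up there.
$leaf = Get-ChildItem -Path Cert:\CurrentUser -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
if (-not $leaf) { throw "No certificate with thumbprint $Thumbprint in the Current User stores." }

# Build the chain in this user's context. Revocation is skipped because the errors in the
# post are trust errors (untrusted root, partial chain), not revocation errors.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($leaf)
Write-Host ("Chain builds for the logged-on user: {0}" -f $built)
foreach ($s in $chain.ChainStatus) {
    # StatusInformation is the same text the System.Net trace prints, e.g.
    # "A certificate chain processed, but terminated in a root certificate which is not trusted..."
    Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
}

# Even when the chain builds for this user, the ASP.NET worker process only sees the
# Local Computer stores, so check every CA certificate in the chain against them explicitly.
$elements = @($chain.ChainElements)
$missing  = 0
for ($i = 0; $i -lt $elements.Count; $i++) {
    $cert   = $elements[$i].Certificate
    $isRoot = ($cert.Subject -eq $cert.Issuer)          # self-signed: belongs in Root
    if ($i -eq 0 -and -not $isRoot) { continue }        # an end-entity leaf is never installed
    $storeName = if ($isRoot) { 'Root' } else { 'CA' }  # CA = Intermediate Certification Authorities

    $present = [bool](Get-ChildItem -Path ("Cert:\LocalMachine\{0}" -f $storeName) |
                      Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
    $mark = if ($present) { 'present' } else { 'MISSING' }
    Write-Host ("  {0,-7} LocalMachine\{1,-4} {2}" -f $mark, $storeName, $cert.Subject)
    if ($present) { continue }
    $missing++

    if ($Copy) {
        # Same fix as the MMC step in the post: add (never move) the certificate to the machine store.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite')
        $store.Add($cert)
        $store.Close()
        Write-Host ("          copied to LocalMachine\{0}" -f $storeName)
    }
}
Write-Host ("{0} chain certificate(s) missing from the Local Computer stores." -f $missing)
```

A ‘MISSING’ root corresponds to the first example's ‘terminated in a root certificate which is not trusted’ error, a ‘MISSING’ intermediate to the second example's ‘could not be built to a trusted root authority’.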

I hope this blog helped you get to the root of your problem.  If this was helpful please leave me a comment!

Comments (40)

  1. smita says:

    Thanks Jeff,

    This solution is really very helpful.

  2. Martin says:

    One more thing to check when playing with certificates is the dates. I had a client computer that has a bad battery on the motherboard. It would lose the current date and time when there was a power outage.

    When the power came on, someone set the day, month, and time. They forgot about the year. Every secure website started failing because the certificates weren’t valid way back when.

  3. jpsanders says:

    Excellent point Martin!  IE will show this as an error and you should be able to see this readily.  However, if you did not think to look at the system date/time (why would you) you would never be able to figure out what the problem was.

    Thanks!

  4. Fatih CEVIK says:

    Thanks so much. Solved my problem also. Excellent work ;)

  5. Raymond Lee says:

    This is great. It helps me to fix the testing problem in self-signed certificate environment

  6. Mark says:

    Life Saver!!!

    Excellent solution. Thank you.

  7. Ted says:

    You are a star— jpsanders!!

    Thanks a lot for sharing!!

  8. jpsanders says:

    I am glad it helped!

  9. miagale says:

    Hi jpsanders,  well written article , It helped me a lot to resolve my issues


  11. Faith says:

    Thanks, this instruction is very useful. I used it for one of our customer having exact same issue.

    Again thanks.

  12. John says:

    Not fixed my issue, my trace returns an "Unknown Error", if I disable validation then the request works but not happy hacking the code.

    [Public Key]
     Algorithm: RSA
     Length: 2048
     Key Blob: 30 82 01 0a 02 82 01 01 00 f6 c9 3c 37 2f 66 87 a4 0e 55 8b 78 02 d0 ….
       ProcessId=2204
       DateTime=2011-05-09T12:09:15.0860000Z
    System.Net Information: 0 : [3356] SecureChannel#59350701 – Remote certificate has errors:
       ProcessId=2204
       DateTime=2011-05-09T12:09:15.1328750Z
    System.Net Information: 0 : [3356] SecureChannel#59350701 – Unknown error.
       ProcessId=2204
       DateTime=2011-05-09T12:09:15.1328750Z
    System.Net Information: 0 : [3356] SecureChannel#59350701 – Remote certificate was verified as invalid by the user.
       ProcessId=2204
       DateTime=2011-05-09T12:09:15.1328750Z
    System.Net.Sockets Verbose: 0 : [3356] Socket#41609146::Dispose()
       ProcessId=2204
       DateTime=2011-05-09T12:09:15.1328750Z
    System.Net Error: 0 : [3356] Exception in the HttpWebRequest#60974018:: – The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
       ProcessId=2204
       DateTime=2011-05-09T12:09:15.1328750Z
    System.Net Error: 0 : [3356] Exception in the HttpWebRequest#60974018::EndGetRequestStream – The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
       ProcessId=2204
       DateTime=2011-05-09T12:09:15.1328750Z

  13. jpsanders says:

    Hi John,

    I am not sure what the problem is from the data you provided.  I assume you tried all the troubleshooting in the blog (this solves almost all issues). If IE is fine and you were able to verify all the steps in this blog and still cannot resolve this, I would suggest CApi2 logging: http://www.microsoft.com/…/details.aspx  

    If that does not reveal the issue I would suggest going to support.microsoft.com/oas and opening a support case.

  14. ET says:

    Excellent article. In our case, we had a certificate installed for Local user to a remote SSL site. IE connected fine, but ASP apps didn't. Step 2 sorted out our problem in no uncertain terms. Thanks!

  15. CRB says:

    Hi,

    I am also having a problem with an SSL certificate for the last few days.  So, to get to the root cause I have developed two utilities.  One is an ASP.NET app and another is a console app.  The console app is working fine but the same code in the ASP.NET app is giving the error "The remote certificate is invalid according to the validation procedure".  I had enabled .NET tracing using the instructions you had provided.  I get the following entries in the trace.  I tried to install the chain of the certificates but it still does not work.  Any help will be greatly appreciated.

    System.Net Information: 0 : [9224] SecureChannel#31950310 – Remote certificate has errors:
       ProcessId=8024
       DateTime=2011-12-08T07:24:51.9580043Z
    System.Net Information: 0 : [9224] SecureChannel#31950310 – A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
       ProcessId=8024
       DateTime=2011-12-08T07:24:51.9580043Z
    System.Net Information: 0 : [9224] SecureChannel#31950310 – Remote certificate was verified as invalid by the user.
       ProcessId=8024
       DateTime=2011-12-08T07:24:51.9580043Z
    System.Net.Sockets Verbose: 0 : [9224] Socket#48611003::Dispose()
       ProcessId=8024
       DateTime=2011-12-08T07:24:51.9580043Z
    System.Net Error: 0 : [9224] Exception in the HttpWebRequest#42931033:: – The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
       ProcessId=8024
       DateTime=2011-12-08T07:24:51.9580043Z
    System.Net Error: 0 : [9224] Exception in the HttpWebRequest#42931033::EndGetResponse – The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
       ProcessId=8024
       DateTime=2011-12-08T07:24:51.9580043Z

  16. jpsanders says:

    Hello CRB,

    Installing the Chain should solve the issue!  The other possibility is that the account ASP.NET is using cannot access the registry.  You can use ProcessMonitor (ProcMon) to see if asp.net is denied access to the certificate store.  You could also try and download the cert chain from the cert authority following these instructions: technet.microsoft.com/…/dd441378(office.13).aspx

    If these steps don't help you can try asp.net forums: http://forums.asp.net/ and support.microsoft.com/oas for help.

    Good luck and you may help others if you post your solution here!

    -Jeff

  17. Bob says:

    The SSL worked on all computers it was installed on but ONE; however, I couldn't figure out what I had done differently.  After moving the Root Cert to the proper location as you described it began working.  Thanks, you saved me hours of frustration.

  18. Purushothaman Rajagopalan says:

    <!-- goes inside <system.net> in web.config; turns off host-name checking of the server certificate -->
    <system.net>
      <settings>
        <servicePointManager checkCertificateName="false"/>
      </settings>
    </system.net>

    Add it in the web.config

    weblogs.asp.net/…/213469.aspx

    This works very well

  19. Mathan P says:

    Thanks a lot for your help.

  20. RobbyeRob says:

    I am having all kinds of woes with this and I performed your steps.  To my surprise it did not work.

    I still get an error  "The remote certificate is invalid according to the validation procedure."

    This is not true, as it does in fact work for my other WCF applications that I had originally created this certificate for.  I started working on another WCF project that already existed and I cannot get past this validation.  How do you start to fix this?

  21. jpsanders says:

    This is fairly straightforward, so if these steps did not help, I suggest you contact support here:

    http://support.microsoft.com/

    -Jeff

  22. Alternatively, after all that troubleshooting where the Root and Intermediate certificates are all updated and beautiful, and you can call the web service in IE properly without concern… …you ultimately use Wireshark to determine that the user was not ever calling the web service that they thought.

    :: facepalm ::

  23. In extension to this article information, to obtain the certificate from the site if there is an error with it, you need to click "Continue to this website (not recommended)" then in the URL bar for IE10 will appear "(x) Certificate error" – click on that, then click on "View certificate". This gets you to the certificate dialog from which the blog author is installing the cert locally.

  24. Tatu V says:

    We had a similar problem to John's case: "Unknown error". The certification path was valid from root to intermediate, but the client certificate was invalid. The problem was in the signature algorithm the certificate was made with (sha256rsa). Our Windows 2003 Server did not understand it, so it showed as invalid and the signature algorithm was just a bunch of numbers. When we applied this hotfix (support.microsoft.com/…/968730) the certificate was shown as valid. Hope this helps someone in the future.

  25. Chris Olson says:

    Just wanted to say thank you for this great and informative article.  Have spent days trying to work out this certificate issue, and suggestion after suggestion fell flat.  Was honestly thinking about having to redesign our process in a much clunkier and less efficient way, but I really didn't want the failing to be something that I knew should work but we just couldn't figure out.

    I actually came across this article a couple of days ago but had other work issues to attend to, and just had it sitting open in a browser.  I finally got a chance to go through the steps this morning, and when I read about ASP.NET running under Local Computer (and the fact that we were missing the certificate there when I brought up the MMC console), I had this strange feeling that this was going to work.

    And it did.  I pushed refresh, and turned my back for 15 seconds, I couldn't look because I knew this was about the last chance.  I turned back around, and there, sitting on our production box, was the website, no errors.  I have to say, this is going to make a very happy Thanksgiving (and birthday!) for me tomorrow.

    Thank you EXTREMELY much for this article, not only did it solve my problem, it also was very informative and actually pointed out exactly what was wrong.  I would send you a holiday present if I could, but instead I wish you happy holidays and thank you!

  26. jpsanders says:

    Hi Chris!

    Your thanks is enough of a present my friend.  Happy Holidays to you too!

    Jeff

  27. Brad B says:

    This article was very helpful and informative, and is still helping people 4 years after initially published! Thank you for taking the time to write it!

  28. Thomas says:

    Another cause of this is having both Anonymous & Basic authentication enabled on your site in IIS, disable basic to overcome this issue.

  29. niran says:

    hi,

    my exception is a bit different…

    can you please help me to try and solve this?

    [Extensions]
    * Certificate Template Name(1.3.6.1.4.1.3….
       ProcessId=9092
       DateTime=2014-01-26T20:06:23.7684595Z
    System.Net Information: 0 : [10424] SecureChannel#53880585 – Remote certificate has errors:
       ProcessId=9092
       DateTime=2014-01-26T20:06:23.7714598Z
    System.Net Information: 0 : [10424] SecureChannel#53880585 – Certificate name mismatch.
       ProcessId=9092
       DateTime=2014-01-26T20:06:23.7724599Z
    System.Net Information: 0 : [10424] SecureChannel#53880585 – Remote certificate was verified as invalid by the user.
       ProcessId=9092
       DateTime=2014-01-26T20:06:23.7744601Z
    System.Net.Sockets Verbose: 0 : [10424] Socket#39688946::Dispose()
       ProcessId=9092
       DateTime=2014-01-26T20:06:23.8574684Z
    System.Net Error: 0 : [10424] Exception in HttpWebRequest#55243697:: – The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel..
       ProcessId=9092
       DateTime=2014-01-26T20:06:23.8594686Z
    System.Net Error: 0 : [10424] Exception in HttpWebRequest#55243697::GetResponse – The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel..
       ProcessId=9092
       DateTime=2014-01-26T20:06:23.8614688Z

  30. jpsanders says:

    Hi Niran,

    Your problem is in the errors you listed: Certificate name mismatch

    That means your request in code was to a host (for example http://www.contoso.com) but the name on the certificate did not match the name of the host: (www.spoofesite4.com)

    Jeff

  31. A says:

    Excellent. This article was very informative and solved connectivity issues for me

  32. Wondwossen Tedla says:

    Just insert the code below on the first line of Page_Load

    protected void Page_Load(object sender, EventArgs e)
    {
        // Callback returns true for every server certificate, whatever sslPolicyErrors reports
        System.Net.ServicePointManager.ServerCertificateValidationCallback =
            ((sender1, certificate, chain, sslPolicyErrors) => true);

        // Call to any method that will use the service
        BindDataList();
    }

  33. Najeesh says:

    Thank you so much Jeff……. Thank you so much……

  34. Najesh says:

    Thank you so much Jeff, Thank you. Excellent work…….

  35. JC says:

    Thanks a lot!!

  36. Sumanth says:

    Awesome dear.. you saved my day.. Thanks a ton

  37. Pablo D. Guillen says:

    Many, many thanks.

    thank you very much

  38. Mathan says:

    Very good solution. Thanks for your great help

  39. sudhan says:

    Thank you so much……