Tech Talk A software developer on all things tech, and then some

21May/131

The remote certificate is invalid according to the validation procedure

Debugging an application which calls another server/service over SSL? If you are using a self signed certificate, most likely you've seen the error message "The remote certificate is invalid according to the validation procedure" before. If you do get this, there are some things you can do so do not fret. First off, do you already have a certificate, but you are getting the error message? Check three main things :

  • The certificate is not expired, or is not yet valid
  • The certificate is signed by a certificate authority
  • The certificate is issued to the same name as your domain

If you have checked these on a valid certificate, or you have a self signed certificate in dev and you need to test something invovling SSL communication on another server (such as sending email, SmtpClient.Send(), etc..), try the following methods to past the errors.

Method 1 : Adding the Certificate to Your Computer

Method one involves saving the certificate to your local computer, instead of the current user, which should make it available to your IIS Services. Note : This is for Windows 7, but other operating systems will be similar

  1. Save the certificate to your computer you need to add the certificate too.
  2. Start -> Run -> MMC This will open the Microsoft Management Console
  3. Go to File -> Add/Remove Snap-in...
  4. Select Certificates from the Available snap-ins: box and click Add >
  5. You will have three options (User,Service,Computer), select Computer account and hit Next >.Hit Finish to close the dialog, and OK to close the snap-in dialog
  6. Right click Trusted Root Certification Authorities -> All Tasks -> Import...
  7. Hit Next >, browse the certificate, and hit next until the dialog closes and you have successfully added the certificate.

Method 2 : ByPassing Certs in Non-Production Code

If you need a quick fix for something that's not externally facing or going to be in production, then you can use the following code from this StackOverflow.com Question. Please note though this will accept all certificates if the user presses yes. You have been warned.

ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);

public static bool ValidateServerCertificate(object sender,X509Certificate certificate,X509Chain chain,SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
        return true;
    else
    {
    if (System.Windows.Forms.MessageBox.Show("The server certificate is not valid.\nAccept?", "Certificate Validation",     System.Windows.Forms.MessageBoxButtons.YesNo, System.Windows.Forms.MessageBoxIcon.Question) == System.Windows.Forms.DialogResult.Yes)
        return true;
    else
        return false;
    }
    }

Method 3 : ByPassing Certs in Web.Config

The last method I have is to add the following to the web config somewhere within the configuration section. Please note that like above, this will accept all certificates. This should only be used for internal/test machines and never in production.

  <system.net>
    <settings>
      <servicePointManager checkCertificateName="false" checkCertificateRevocationList="false" />
    </settings>
  </system.net>

Method 4 : Run a Trace

If all else fails, there is a trace you can run which will return the root cause of the certificate error. (Code taken from Jeff Sander's favorite trace)

<configuration>
    <system.diagnostics>
        <trace autoflush="true" />
                <sources>
                <source name="System.Net">
                        <listeners>
                <add name="System.Net"/>
                        </listeners>
                </source>
                <source name="System.Net.HttpListener">
                        <listeners>
                <add name="System.Net"/>
                        </listeners>
                </source>
        <source name="System.Net.Sockets">
                        <listeners>
                <add name="System.Net"/>
                        </listeners>
                </source>
        <source name="System.Net.Cache">
                        <listeners>
                <add name="System.Net"/>
                        </listeners>
                </source>
                </sources>
        <sharedListeners>
                <add
                 name="System.Net"
                 type="System.Diagnostics.TextWriterTraceListener"
                  initializeData="System.Net.trace.log"
                 traceOutputOptions = "ProcessId, DateTime"
                />
        </sharedListeners>
    <switches>
        <add name="System.Net" value="Verbose" />
        <add name="System.Net.Sockets" value="Verbose" />
        <add name="System.Net.Cache" value="Verbose" />
        <add name="System.Net.HttpListener" value="Verbose" />
    </switches>
    </system.diagnostics>
</configuration>

Add this to your web config, make sure your network service has full access to where you are writing the log to, (Change initializeData="System.Net.trace.log" to location), then fire away.
Hope this helps! Happy Coding!

Comments (1) Trackbacks (0)
  1. //Add this line to bypass the certificate validation
            System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate(object s,
                    System.Security.Cryptography.X509Certificates.X509Certificate certificate,
                    System.Security.Cryptography.X509Certificates.X509Chain chain,
                    System.Net.Security.SslPolicyErrors sslPolicyErrors)
                    {
                        return true;
                    };


Leave a Reply

No trackbacks yet.

%d bloggers like this: