How to solve "Could not establish trust relationship for the SSL/TLS secure channel with authority"
I have a WCF service hosted in IIS 7 using HTTPS. When I browse to this site in Internet Explorer, it works like a charm, this is because I have added the certificate to the local root certificate authority store.
I'm developing on 1 machine, so client and server are same machine. The certificate is self-signed directly from IIS 7 management snap in.
I continually get this error now...
Could not establish trust relationship for the SSL/TLS secure channel with authority.
... when called from client console.
I manually gave myself permissions and network service to the certificate, using findprivatekey
and using cacls.exe
.
I tried to connect to the service using SOAPUI, and that works, so it must be an issue in my client application, which is code based on what used to work with http.
Where else can I look I seem to have exhausted all possibilities as to why I can't connect?
Solution 1:
As a workaround you could add a handler to the ServicePointManager
's ServerCertificateValidationCallback
on the client side:
System.Net.ServicePointManager.ServerCertificateValidationCallback +=
(se, cert, chain, sslerror) =>
{
return true;
};
but be aware that this is not a good practice as it completely ignores the server certificate and tells the service point manager that whatever certificate is fine which can seriously compromise client security. You could refine this and do some custom checking (for certificate name, hash etc). at least you can circumvent problems during development when using test certificates.
Solution 2:
When I have this problem it is because the client.config had its endpoints like:
https://myserver/myservice.svc
but the certificate was expecting
https://myserver.mydomain.com/myservice.svc
Changing the endpoints to match the FQDN of the server resolves my problem. I know this is not the only cause of this problem.
Solution 3:
Your problem arises because you're using a self signed key. The client does not trust this key, nor does the key itself provide a chain to validate or a certificate revocation list.
You have a few options - you can
turn off certificate validation on the client (bad move, man in the middle attacks abound)
use makecert to create a root CA and create certificates from that (ok move, but there is still no CRL)
create an internal root CA using Windows Certificate Server or other PKI solution then trust that root cert (a bit of a pain to manage)
purchase an SSL certificate from one of the trusted CAs (expensive)