How to solve "Could not establish trust relationship for the SSL/TLS secure channel with authority"

I have a WCF service hosted in IIS 7 using HTTPS. When I browse to this site in Internet Explorer, it works like a charm; this is because I have added the certificate to the local root certificate authority store.

I'm developing on 1 machine, so client and server are the same machine. The certificate is self-signed directly from the IIS 7 management snap-in.

I continually get this error now...

Could not establish trust relationship for the SSL/TLS secure channel with authority.

... when called from client console.

I manually gave myself and Network Service permissions to the certificate, using findprivatekey and cacls.exe.

I tried to connect to the service using SOAPUI, and that works, so it must be an issue in my client application, which is code based on what used to work with http.

Where else can I look? I seem to have exhausted all possibilities as to why I can't connect.


Solution 1:

As a workaround you could add a handler to the ServicePointManager's ServerCertificateValidationCallback on the client side:

System.Net.ServicePointManager.ServerCertificateValidationCallback +=
    (se, cert, chain, sslerror) =>
        {
            return true;
        };

but be aware that this is not good practice, as it completely ignores the server certificate and tells the service point manager that any certificate is fine, which can seriously compromise client security. You could refine this and do some custom checking (for certificate name, hash, etc.). At least you can circumvent problems during development when using test certificates.
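
The "custom checking" mentioned in Solution 1, sketched as an added example (not code from the original answer): the callback tolerates only an untrusted chain, and only for one pinned test certificate. DevCertificatePinning and PinnedSha256 are hypothetical names, and the pin value is a placeholder to replace with the SHA-256 of your own test certificate.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper for development builds only.
static class DevCertificatePinning
{
    // Placeholder: SHA-256 of the DER-encoded test certificate, hex without separators.
    const string PinnedSha256 = "REPLACE_WITH_SHA256_OF_YOUR_TEST_CERTIFICATE";

    public static void Install()
    {
        // Assign rather than += so that no other handler's result overrides this one.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Normal validation succeeded: nothing to override.
        if (errors == SslPolicyErrors.None)
            return true;

        // Tolerate only an untrusted chain (the self-signed case). A name
        // mismatch or a missing certificate still fails, so a wrong endpoint
        // host name (Solution 2) is fixed in config instead of being masked.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0 || cert == null)
            return false;

        // Accept the untrusted chain only for the exact pinned certificate.
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(cert.GetRawCertData());
            string actual = BitConverter.ToString(digest).Replace("-", "");
            return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Call DevCertificatePinning.Install() once at client startup, before the first call to the service.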

Solution 2:

When I have this problem it is because the client.config had its endpoints like:

 https://myserver/myservice.svc 

but the certificate was expecting

 https://myserver.mydomain.com/myservice.svc

Changing the endpoints to match the FQDN of the server resolves my problem. I know this is not the only cause of this problem.

Solution 3:

Your problem arises because you're using a self-signed key. The client does not trust this key, nor does the key itself provide a chain to validate or a certificate revocation list.

You have a few options - you can

  1. turn off certificate validation on the client (bad move, man-in-the-middle attacks abound)

  2. use makecert to create a root CA and create certificates from that (ok move, but there is still no CRL)

  3. create an internal root CA using Windows Certificate Server or other PKI solution then trust that root cert (a bit of a pain to manage)

  4. purchase an SSL certificate from one of the trusted CAs (expensive)