Could not establish secure channel for SSL/TLS with authority '*'
P

11

25

I must consume a PHP webservice which has an SSL certificate. My .NET 3.5 class library references the webservice with 'Add Service Reference' in Visual Studio 2010 (WCF, right?).

When calling the main method of the webservice I receive:

Could not establish secure channel for SSL/TLS with authority '{base_url_of_WS}'.

I tried a lot, like

System.Net.ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(CheckValidationResult);

// Accepts any server certificate, whatever validation errors were reported.
public bool CheckValidationResult(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    return true;
}

But it wouldn't work. Also, I have the certificate installed on my own machine.

*Extra info; When I use the wsdl location in 'Add service reference' the same error occurs. Before I tried it, I worked with a static wsdl.


Presume answered 16/12, 2010 at 17:14 Comment(4)
Nope not at all, it has just been issued and signed - Presume
Is there any way you can attempt to connect to the web service through a browser (like viewing service metadata)? This will help identify whether the issue is with the certificates or within WCF. - Ahouh
I had a similar exception - see: #8595184 - Cuisse
@PaulTurner If the web service is working through a browser, what does that indicate? There's a problem within WCF? - Epistaxis
P
12

Yes, an untrusted certificate can cause this. Look at the certificate path for the webservice by opening the webservice in a browser and using the browser tools to look at the certificate path. You may need to install one or more intermediate certificates onto the computer calling the webservice. In the browser you may see "Certificate errors" with an option to "Install Certificate" when you investigate further - this could be the certificate you are missing.

My particular problem was a Geotrust Geotrust DV SSL CA intermediate certificate missing following an upgrade to their root server in July 2010 https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422

(2020 update deadlink preserved here: https://web.archive.org/web/20140724085537/https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 )

Plug answered 12/1, 2011 at 15:37 Comment(0)
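A diagnostic alternative to the `return true` callback in the question, as an added example that is not part of the original posts: it logs the policy errors and the chain the platform built (a missing intermediate, as in the answer above, shows up as a short chain with a `PartialChain` status) and leaves the platform's verdict unchanged. The class and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class TlsDiagnostics
{
    // Logs why validation failed and returns the platform's verdict unchanged.
    public static bool LogAndValidate(object sender, X509Certificate certificate,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        Console.Error.WriteLine("TLS validation failed: " + errors);
        if (certificate != null)
            Console.Error.WriteLine("  Leaf: " + certificate.Subject +
                                    " issued by " + certificate.Issuer);

        if (chain != null)
        {
            // Certificates the platform managed to link together, leaf first.
            foreach (X509ChainElement element in chain.ChainElements)
                Console.Error.WriteLine("  Chain element: " + element.Certificate.Subject);

            // Reasons the chain was rejected (PartialChain, UntrustedRoot, NotTimeValid, ...).
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine("  Chain status: " + status.Status +
                                        " " + status.StatusInformation);
        }

        // Never accept a certificate the platform rejected.
        return false;
    }

    // Call once at startup, before the first request to the service.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndValidate;
    }
}
```

The callback only runs once the server certificate has been received, so a handshake that fails earlier (protocol version mismatch, missing client certificate) never reaches it.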
D
34

This was exactly the problem I was facing. In some other article I got a hint to change the configuration. For me this works:

<bindings>
  <basicHttpBinding>
    <binding name="xxxBinding">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
Declivous answered 13/9, 2013 at 6:18 Comment(4)
Thanks. The transport part was exactly what I needed! Fixed it after hours of testing. :) - Sniper
The transport line also fixed it for me. Even though I was manually adding the correct, trusted cert in the code, it wouldn't recognize it properly until adding that line in my .config file. Thanks! - Kermes
Same problem, solved by this config setting. Thanks, I spent 3 hours on that - Gebelein
Thanks! Solved my problem but inside the <customBinding> tag - Whoosh
P
31

Problem

I was running into the same error message while calling a third party API from my ASP.NET Core MVC project.

Could not establish secure channel for SSL/TLS with authority '{base_url_of_WS}'.

Solution

It turned out that the third party API's server required TLS 1.2. To resolve this issue, I added the following line of code to my controller's constructor:

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
Protrude answered 18/7, 2018 at 19:20 Comment(1)
Unless you specifically do not want SSL connections you should OR the TLS value instead of assigning: System.Net.ServicePointManager.SecurityProtocol |= System.Net.SecurityProtocolType.Tls12; - Berber
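To confirm that a protocol-version mismatch is the cause before changing `SecurityProtocol`, the following added example (not from the answer above) attempts one handshake per TLS version against the service and reports which ones complete. The class name and the placeholder host are hypothetical; it assumes .NET Framework 4.5 or later, where `SslProtocols.Tls12` exists.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

public static class TlsProbe
{
    // Returns true if the server completes a handshake restricted to one protocol version.
    public static bool Supports(string host, int port, SslProtocols protocol, out string detail)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                // No validation callback is supplied, so default certificate checks stay on.
                // Revocation checking is off to keep the result about the protocol only.
                ssl.AuthenticateAsClient(host, null, protocol, false);
                detail = "negotiated " + ssl.SslProtocol;
                return true;
            }
        }
        catch (Exception ex)
        {
            // Diagnostic tool: any failure (handshake alert, reset, protocol disabled
            // on this client) is reported rather than rethrown.
            detail = ex.GetType().Name + ": " + ex.Message;
            return false;
        }
    }

    public static void Main(string[] args)
    {
        // Placeholder host; pass the real service host name as the first argument.
        string host = args.Length > 0 ? args[0] : "service.example.test";
        var versions = new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 };

        foreach (SslProtocols version in versions)
        {
            string detail;
            bool ok = Supports(host, 443, version, out detail);
            Console.WriteLine("{0,-6} {1} ({2})", version, ok ? "accepted" : "refused", detail);
        }
    }
}
```

A "refused" result for TLS 1.0 or 1.1 can also mean the client operating system has that version disabled, so read the exception text before blaming the server.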
F
5

We had this issue on a new webserver from .aspx pages calling a webservice. We had not given permission to the app pool user to the machine certificate. The issue was fixed after we granted permission to the app pool user.

Fakir answered 23/7, 2015 at 15:9 Comment(1)
Can you expand on that? How did you grant this access? - Lest
W
3

Ensure you run Visual Studio as an administrator.

Wheatear answered 18/11, 2014 at 20:5 Comment(1)
...or if you're running via cmd prompt -- make sure it's admin. - Overzealous
G
2

In case it helps anyone else, using the new Microsoft Web Service Reference Provider tool, which is for .NET Standard and .NET Core, I had to add the following lines to the binding definition as below:

binding.Security.Mode = BasicHttpSecurityMode.Transport;
binding.Security.Transport = new HttpTransportSecurity{ClientCredentialType = HttpClientCredentialType.Certificate};

This is effectively the same as Micha's answer but in code as there is no config file.

So to incorporate the binding with the instantiation of the web service I did this:

 System.ServiceModel.BasicHttpBinding binding = new System.ServiceModel.BasicHttpBinding();
 binding.Security.Mode = System.ServiceModel.BasicHttpSecurityMode.Transport;
 binding.Security.Transport.ClientCredentialType = System.ServiceModel.HttpClientCredentialType.Certificate;
 var client = new WebServiceClient(binding, GetWebServiceEndpointAddress());

Where WebServiceClient is the proper name of your web service as you defined it.

Grimonia answered 27/2, 2018 at 10:53 Comment(0)
L
1

Had same error with code:

X509Certificate2 mycert = new X509Certificate2(@"C:\certificate.crt");

Solved by adding password:

X509Certificate2 mycert = new X509Certificate2(@"C:\certificate.crt", "password");
Livre answered 14/12, 2016 at 9:3 Comment(1)
Is this the intermediate cert you are pushing through? - Frodi
C
1

This error can occur for lots of reasons, and the last time, I solved it by modifying the Reference.svcmap file, and changing how the WSDL file is referenced.

Throwing exception:

<MetadataSource Address="C:\Users\Me\Repo\Service.wsdl" Protocol="file" SourceId="1" />
<MetadataFile FileName="Service.wsdl" ... SourceUrl="file:///C:/Users/Me/Repo/Service.wsdl" />

Working fine:

<MetadataSource Address="https://server.domain/path/Service.wsdl" Protocol="http" SourceId="1" />
<MetadataFile FileName="Service.wsdl" ... SourceUrl="https://server.domain/path/Service.wsdl" />

This seems weird, but I have reproduced it. This was in a console application on .NET 4.5 and 4.7, as well as a .NET WebAPI site on 4.7.

Cenesthesia answered 16/4, 2019 at 11:25 Comment(0)
W
1

For me the solution was changing the SecurityProtocolType.

I put this code before the BasicHttpsBinding creation.

By the way, I created the binding from the code side, not from the config file.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Wellhead answered 27/5, 2022 at 12:21 Comment(0)
M
0

Here is what fixed it for me:

1) Make sure you are running Visual Studio as Administrator

2) Install and run winhttpcertcfg.exe to grant access

https://msdn.microsoft.com/en-us/library/windows/desktop/aa384088(v=vs.85).aspx

The command is similar to below: (enter your certificate subject and service name)

winhttpcertcfg -g -c LOCAL_MACHINE\MY -s "certificate subject" -a "NetworkService"
winhttpcertcfg -g -c LOCAL_MACHINE\MY -s "certificate subject" -a "LOCAL SERVICE"
winhttpcertcfg -g -c LOCAL_MACHINE\MY -s "certificate subject" -a "My Apps Service Account"
Mechelle answered 23/11, 2015 at 23:34 Comment(1)
Should be mentioned that winhttpcertcfg lacks official support for Win 2008 R2 and newer, serverfault.com/questions/620013/… - Survance
H
0

Service was running as a different user; I had to go into Manage Private Keys and add the user's permissions.

Hilariahilario answered 12/7, 2024 at 17:5 Comment(0)
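Several answers above trace the error to the calling account (app pool user, service account) lacking access to the client certificate's private key. An added example, not from any of the posts, that tests this directly for the account the code runs as; it assumes .NET Framework 4.6 or later, an RSA key, and a certificate in LocalMachine\My, and the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertCheck
{
    // Finds a certificate in LocalMachine\My by subject name and proves that the
    // current account can actually use its private key.
    public static X509Certificate2 FindUsable(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false so expired or untrusted matches are still reported.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "No certificate with subject '" + subjectName + "' in LocalMachine\\My.");

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "The store entry has no private key associated with it.");
            try
            {
                using (RSA rsa = cert.GetRSAPrivateKey())
                {
                    if (rsa == null)
                        throw new InvalidOperationException("The private key is not RSA.");
                    // Signing one byte forces the key container to be opened.
                    rsa.SignData(new byte[] { 0 }, HashAlgorithmName.SHA256,
                                 RSASignaturePadding.Pkcs1);
                }
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException("Account '" + Environment.UserName +
                    "' cannot use the private key; check its permissions on the key.", ex);
            }
            return cert; // usable, e.g. as client.ClientCredentials.ClientCertificate.Certificate
        }
        finally
        {
            store.Close();
        }
    }
}
```

Run it under the same identity as the failing process; it can succeed in an elevated Visual Studio session and still fail for the app pool or service account.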
