The remote certificate is invalid according to the validation procedure

[aborderon]

Describe the bug

Hello,

I am using a Net Core Web API version 2.2 and an application with IdentityServer 2.2 for authentication to this API (OAuth 2 / OpenId).

I also use an Angular web application in front which consumes the web services of the API.

In development, the various applications function and communicate well with each other.

I deployed these application with Docker in a Kubernetes Cluster with a Load Balancer in front of each of the application containers.

The API is configured to use HTTPS and I configured my HTTTPS Load Balancer (Ingress) with self-signed certificates for each application.

I encounter an error when my web application uses API web services, I get the following error message on the API:

HTTP/1.1 GET http://api.ibis.preconeo.fr/api/v1/customers [2019-10-17 09:22:10.736 INFO] | [Microsoft.AspNetCore.Hosting.Internal.WebHost] Request finished in 0.1705ms 200 text/plain [2019-10-17 09:22:11.105 EROR] | [Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler] Exception occurred while processing message. System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'. ---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'. ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)

I also have the same problem if I go through Swagger which is integrated with the API, I have exactly the same error.

I tried to configure the API in relation to the problem already existing on the subject by adding the following configuration:

services.Configure<ForwardedHeadersOptions>(options => { options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto; options.RequireHeaderSymmetry = false; options.KnownNetworks.Clear(); options.KnownProxies.Clear(); });

I want to point out that authentication works well from the web application and also from Swagger.

My Discovery Endpoint on IdentityServer is also well configured in HTTPS.

But it still does not work, do you have solutions to offer me?

Thank you.

[blowdart]

Can we assume this is a linux docker image?

What happens if you use curl to hit the endpoint you want for the identity server URL?

You say you're using self signed. Did you configure OpenSSL to trust these certificates from within the image? See https://andrewlock.net/creating-and-trusting-a-self-signed-certificate-on-linux-for-use-in-kestrel-and-asp-net-core/

[aborderon]

@blowdart , Yes, I use the dotnet docker image for the API runtime :
FROM mcr.microsoft.com/dotnet/core/aspnet:2.2

When I use an endpoint with Curl I have the following error:

curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I have not tried to configure Kestrel with the self-signed certificate, I will try to do it and I will come back to you.

thank you

[rahulsahay19]

@aborderon Any update on this thread?

[rahulsahay19]

@blowdart I have created self signed certs using Powershell and trusted the same. Then same cert I used to publish the image and run docker-compose. I am running with cert name and password. Its working well. Identity server authenticates well when it reaches from the angular client running locally on localhost:4200 to port https://localhost:9445 hosted on docker. But, the problem starts when from my angular app, make an api call to port running on https://localhost:9443, running on separate container with the same certificate. That time, it gives the below error "System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://localhost:9445/.well-known/openid-configuration'. ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://localhost:9445/.well-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: Cannot assign requested address ---> System.Net.Sockets.SocketException: Cannot
assign requested address"

Kindly, let me know, if i am doing anything wrong.

Thanks,
Rahul

[aborderon]

@rahulsahay19 no unfortunately I have not managed to solve the problem for the moment following the previous advice ...

I will try to work on the subject soon.

[rahulsahay19]

I guess, it doesn't work with self signed cert when container to container communication gets involved rather it accepts actual cert.

[dgroh]

I have the same problem with SignalR client applications connecting to remote servers with SSL certificates.

I have a WPF client with which subscribes to a SignalR endpoint (.net core api) and when I try to connect I get the following error:

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Security.SslStream.ThrowIfExceptional()
at System.Net.Security.SslStream.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
at System.Net.Security.SslStream.<>c.b__65_1(IAsyncResult iar)
at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.DiagnosticsHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Http.Connections.Client.Internal.AccessTokenHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Http.Connections.Client.Internal.LoggingHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
at Microsoft.AspNetCore.Http.Connections.Client.HttpConnection.NegotiateAsync(Uri url, HttpClient httpClient, ILogger logger, CancellationToken cancellationToken)
Microsoft.AspNetCore.Http.Connections.Client.HttpConnection: Debug: Skipping dispose, connection is already disposed.

[tsibelman]

Having the same problem calling remote endpoint from AWS Lambda Linux runtime certificate is not self-signed

[tsibelman]

Apparently it caused by an expired certificate for TLS 1.3 protocol that .net core asks by default in AWS env

[monnecc]

@tsibelman can you tell something more about that? I'm also experiencing this issue.

[tsibelman]

You can check domain with one of the online SSL checkers and see if one of the certificates on the chain is expired, I wish the framework provided more informative messages.

[monnecc]

okay, thanks. I thought you were mentioning a totally different certificate, but it's just from the server I'm connecting to. And there are two certificates expired in the chain indeed.

[abakumov-v]

Hi everyone!
@aborderon did you manage to set up interaction between containers using self-signed certificates?

[grava]

Hi Everyone.

Same problem. Services deployed with docker-compose. every single service accepts HTTPS requests with the self Service certificates. When one of those services try to reach out another one with the service name defined in docker-compose, it raise that exception.

Any hint on how to solve it ?

[ghost]

Thanks for contacting us.
We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[HaoK]

@pranavkm is this work just about surfacing a better error message for an expired cert? This doesn't look related to identity, but its not obvious where this should go, other than area-security I guess?

[blowdart]

Ping @pranavkm

[pranavkm]

area-security works. I think the plan was to try and provide better diagnostics docs for this to helps users troubleshoot along with better errors from the framework for expired certs.

[adityamandaleeka]

@pranavkm Sounds like this isn't happening for 6? Can you please re-milestone as appropriate?

[ghost]

Thanks for contacting us.

We're moving this issue to the .NET 7 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[adityamandaleeka]

Triage: closing since we don't have any more concrete things to do for this at this point. Feel free to file new issues if something else comes up.