Could not establish trust relationship for the SSL/TLS secure channel with authority

[alextochetto]

I'm trying to use a digital certificate already installed in my PC.
I'm using ASPNET CORE 2.0, Framework 4.7 and VS 2017 15.5.3
This only occurs because the certificate is not valid: NET::ERR_CERT_AUTHORITY_INVALID

In my winform application, this works using this:
System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

[mconnew]

Will this work:

BasicHttpsBinding binding = new BasicHttpsBinding(BasicHttpsSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
endpointAddress = new EndpointAddress(new Uri("http://myserver/MyService.svc"));
factory = new ChannelFactory<IService>(binding, endpointAddress);
factory.Credentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication();
factory.Credentials.ServiceCertificate.SslCertificateAuthentication.CertificateValidationMode = X509CertificateValidationMode.None;

[alextochetto]

Thanks a lot @mconnew
It worked!!
It was necessary only disable the SslCertificateAuthentication
Regards

[Etrimus]

Hello, I have same problem, but solution from @mconnew doesn't work for me.

var client = new PartnerApiClient { ClientCredentials = { UserName = { UserName = "testapi", Password = "dfdfTT7" } } };
client.ChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication
            {
                CertificateValidationMode = X509CertificateValidationMode.None,
                RevocationMode = X509RevocationMode.NoCheck
            };
client.ChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
await client.GetTariffPlanListAsync() // Could not establish trust relationship for the SSL/TLS secure channel with authority 11.22.33.44:5555

A PartnerApiClient is auto-generated class derived from System.ServiceModel.ClientBase<>

#region Assembly System.ServiceModel.Primitives, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
// C:\Users\Artem\.nuget\packages\system.servicemodel.primitives\4.4.1\ref\netstandard2.0\System.ServiceModel.Primitives.dll
#endregion

In classic .net 4.7 this code works fine with ServerCertificateValidationCallback

System.Net.ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;

[gcelet]

Hello, it seems that I encounter the same problem calling a SOAP service with self certificate from an asp.net core 2.1 webapi running in .net core 2.1:
System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority

In my case, the fix given by @mconnew work with version 4.4.2 of System.ServiceModel.Primitives and System.ServiceModel.Http but fail with version 4.5.0 (just changing nuget package version no code modification).

[mconnew]

@Etrimus, you are using ChannelFactory.Credentials.ServiceCertificate.Authentication and my example is using ChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication. Change your code to match my example and it should work for you,

@gcelet, we have extensive tests around this area so if something broke in our code, we would see it in our test results. I don't suppose you are running on OSX?

[gcelet]

@mconnew No our project is developped on Windows and run in Docker on linux in production.
I see there a new version 4.5.1 of System.ServiceModel.Primitives and System.ServiceModel.Http.
I'll give this version a try to see if the problem still exists.

[gcelet]

I still get the problem with version 4.5.1 of System.ServiceModel.Primitives and System.ServiceModel.Http.
I can't share the WCF contract but this test below show the problem i'm facing:

• it's ok with version 4.4.2
• throw a System.ServiceModel.Security.SecurityNegotiationException with version 4.5.1

[Test]
public async Task Should_Not_Throw_On_No_Trust_Domain()
{
	BasicHttpBinding binding = new BasicHttpBinding
	{
		CloseTimeout = TimeSpan.Parse("00:10:00"),
		OpenTimeout = TimeSpan.Parse("00:10:00"),
		ReceiveTimeout = TimeSpan.Parse("00:10:00"),
		SendTimeout = TimeSpan.Parse("00:10:00"),
		MaxBufferPoolSize = 90000000,
		MaxBufferSize = 90000000,
		MaxReceivedMessageSize = 90000000,
		ReaderQuotas = new XmlDictionaryReaderQuotas
		{
			MaxDepth = 32,
			MaxArrayLength = 90000000,
			MaxStringContentLength = 90000000
		},
	};
	binding.Security.Mode = BasicHttpSecurityMode.Transport;
	binding.Security.Transport = new HttpTransportSecurity
	{
		ClientCredentialType = HttpClientCredentialType.None,
		ProxyCredentialType = HttpProxyCredentialType.Basic
	};
	EndpointAddress remoteAddress = new EndpointAddress("https://mydomain.with.no.trust.com/Service.scv");
	ServiceWCF client = new ServiceWCF(binding, remoteAddress);
	
	client.ChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication =
		client.ClientCredentials.ServiceCertificate.SslCertificateAuthentication =
			new X509ServiceCertificateAuthentication
			{
				CertificateValidationMode = X509CertificateValidationMode.None,
				RevocationMode = X509RevocationMode.NoCheck,
				TrustedStoreLocation = StoreLocation.LocalMachine
			};
	
	ServiceResultat serviceResultat;
	
	try
	{
		ServiceResultat = 
			await client.callService().ConfigureAwait(false);

		client.Close();
	}
	catch (CommunicationException)
	{
		client.Abort();
		throw;
	}
	catch (TimeoutException)
	{
		client.Abort();
		throw;
	}
	catch (Exception)
	{
		client.Abort();
		throw;
	}
	
	Assert.IsNotNull(serviceResultat);
}

System.ServiceModel.Security.SecurityNegotiationException : Could not establish trust relationship for the SSL/TLS secure channel with authority 'mydomain.with.no.trust.com'.
  ----> System.Net.Http.HttpRequestException : The SSL connection could not be established, see inner exception.
  ----> System.Security.Authentication.AuthenticationException : Authentication failed, see inner exception.
  ----> System.ComponentModel.Win32Exception : The token supplied to the function is invalid.
   at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass1_0.<CreateGenericTask>b__0(IAsyncResult asyncResult)
--- End of stack trace from previous location where exception was thrown ---
...

[flavio1110]

Same issue here, I had to downgrade to 4.4.2 in order to disable the validation.

[Tonay]

Will this work:

BasicHttpsBinding binding = new BasicHttpsBinding(BasicHttpsSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
endpointAddress = new EndpointAddress(new Uri("http://myserver/MyService.svc"));
factory = new ChannelFactory<IService>(binding, endpointAddress);
factory.Credentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication();
factory.Credentials.ServiceCertificate.SslCertificateAuthentication.CertificateValidationMode = X509CertificateValidationMode.None;

Thank you so much man! This is work fine for me :)

[thiagosrios]

Will this work:

BasicHttpsBinding binding = new BasicHttpsBinding(BasicHttpsSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
endpointAddress = new EndpointAddress(new Uri("http://myserver/MyService.svc"));
factory = new ChannelFactory<IService>(binding, endpointAddress);
factory.Credentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication();
factory.Credentials.ServiceCertificate.SslCertificateAuthentication.CertificateValidationMode = X509CertificateValidationMode.None;

Thanks. This work for me.