Friday, September 7, 2018

SSL The remote certificate is invalid according to the validation procedure

This is one of the staple errors encountered while trying to programmatically access SSL websites or apis.

There could be many causes to this error including
  • Reuest headers
  • Firewall settings
  • Certificate Trust settings
A quick workaround for dev environments is to bypass the validation like explained at

https://stackoverflow.com/questions/777607/the-remote-certificate-is-invalid-according-to-the-validation-procedure-using

To bypass it, simply add the following statement before making calls to the SSL site

ServicePointManager.ServerCertificateValidationCallback =
    delegate(object s, X509Certificate certificate,
             X509Chain chain, SslPolicyErrors sslPolicyErrors)
    { return true; };
 
 
 However, this should NEVER be used in prod environments.

There is an msdn blog which explains the process to solve this error at https://blogs.msdn.microsoft.com/jpsanders/2009/09/16/troubleshooting-asp-net-the-remote-certificate-is-invalid-according-to-the-validation-procedure/

I followed the steps in this blog and finally could resolve this issue by using steps below:

  • Add headers to the request 

using (var client = new HttpClient(requestHandler))
            {
                client.DefaultRequestHeaders.Add("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36");
                client.DefaultRequestHeaders.Add("Host", "log-api-1h.rcseng.ac.uk");
                client.DefaultRequestHeaders.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/apng,*/*;q=0.8");
                client.DefaultRequestHeaders.Add("Accept-Language", "en-GB,en;q=0.9,en-US;q=0.8");



  • add certificate (.pfx) to the request
https://dotnetcodr.com/2016/01/25/using-client-certificates-in-net-part-5-working-with-client-certificates-in-a-web-project/
 
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
            X509Certificate2 clientCert = GetClientCertificate();
            WebRequestHandler requestHandler = new WebRequestHandler();
            if (clientCert != null)
            {
                requestHandler.ClientCertificates.Add(clientCert);
            }
private static X509Certificate2 GetClientCertificate()
        {
            X509Certificate2 _clientCertificate = null;
            try
            {
                //try to create client certificate from settings
                var clientCertificatePath = ConfigurationManager.AppSettings[SETTING_KEY_CLIENT_CERTIFICATE_PATH];
                var clientCertificatePrivateKey = ConfigurationManager.AppSettings[SETTING_KEY_CLIENT_CERTIFICATE_PRIVATE_KEY];

                var file = File.OpenRead($"{AppDomain.CurrentDomain.BaseDirectory}{clientCertificatePath}");
                byte[] arr = new byte[file.Length];
                file.Read(arr, 0, (int)file.Length);
                file.Close();
                //create certificate from file
                _clientCertificate = new X509Certificate2(arr, clientCertificatePrivateKey);

               
            }
            catch (Exception ex)
            {
                //throw ex;
            }
            return _clientCertificate;
        }


  • Add this certificate to the trusted root authorites certificate store
http://brainof-dave.blogspot.com/2008/08/remote-certificate-is-invalid-according.html 
  • Add any certificates in the certificate chain to the Intermidiate Certificate Authorities

c# httpclient The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch

 If we get this error while trying to get http reponse using HttpClient object, it could mean that certificate validation fails for the remo...