runtime: SSL connection could not be established(The remote certificate is invalid according to the validation procedure)

Environment:- Docker: Windows using Linux containers OS: Window 10 Microsoft.AspNetCore.App:2.1.1 Microsoft.NETCore.App: 2.10 Docker Image: microsoft/dotnet:2.1-aspnetcore-runtime

Hi , I have no idea why this happens but this is an issue that appears when i call webapi hosted in docker container also i follow Hosting ASP.NET Core Images with Docker over HTTPS but not working .

Please help me if i miss anything or fix this issue.

Generate Log:-

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'.
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslState.ThrowIfExceptional()
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_1(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Comments: 44 (22 by maintainers)

Commits related to this issue

Most upvoted comments

Hi everyone Add same certificate(.crt) file in Linux container & add this two line in your docker file ADD SSL.crt /usr/local/share/ca-certificates/SSL.crt RUN update-ca-certificates

I hope its help you…

+3
viveknaragude on Apr 22, 2019

Also, the biggest thing I’ve seen is that these problems are typically not trust chain issues. The error message simply reflects that the certificate didn’t pass the checks.

It could be an invalid date range, name mismatch or even key usage mismatch. The X509v3 KeyUsage field is especially problematic on Linux versus Windows. Linux due to a recent OpenSsl bug requires that self-signed certificates have an extra flag set (Certificate Signing)in the KeyUsage field.

+2
davidsh on Apr 17, 2019

I’m trying to build a .net core project using dotnet core sdk image getting same error…

I tried adding the CA cert but no luck

Import-Certificate -FilePath C:/temp/CA-Bundle.crt -CertStoreLocation Cert:/LocalMachine/Root/

The SSL connection could not be established, see inner exception.
[09:12:01][Step 2/4]     The remote certificate is invalid according to the validation procedure.
[09:12:01][Step 2/4]   Retrying 'FindPackagesByIdAsyncCore' for source 'https://artifactory.xxx.xx/artifactory/api/nuget/nuget/FindPackagesById()?id='DocumentFormat.OpenXml'&semVerLevel=2.0.0'.
+2
ram-devsecops on Jan 25, 2019

Here is a simple repro:

private static readonly HttpClient Client = new HttpClient(new HttpClientHandler { UseCookies = false }); var req = new HttpRequestMessage(); req.RequestUri = new Uri(“https://www.cnn.com/”); var response = await Client.SendAsync(req);

This is giving me the same error…

+2
ewassef on Jan 24, 2019

how do you establish trust in docker @gelihu ? Self-signed certificates will not be trusted by default. It may be worth of opening new issue with details as @davidsh suggested.

+1
wfurt on Apr 17, 2019

@twsI Any self-signed certificate would certainly be considered untrusted (unless you manually trusted it)…

+1
bartonjs on Feb 23, 2019

Can confirm the issue for self signed certificates in docker containers. Create two ASP.NET Core 2.2 projects and let VS create two self signed developer certificates (or do it manually and adjust the secrets.json), then request any site via their external ip, same error

+1
twsl on Feb 23, 2019

That command only imports certificate but that does not necessarily means it would be trusted as CA @rammaram06 Depending on OS/Version you need to import to OS trusted CA store. Also this was originally discussion about Docker. It may be better to open separate issues for non-docker cases.

+1
wfurt on Jan 28, 2019

@ewassef you example works fine for me running either IIS Express or Kestrel from VS. Note you did have docker enabled for your project as a 3rd option. I couldn’t get it to even run docker, but when I created a new empty web template with docker enabled and pasted your sample in that also worked.

This definitely smells of an environmental issue.

+1
Tratcher on Jan 26, 2019

@ewassef can you upload that app for confirmation?

+1
Tratcher on Jan 25, 2019

@ewassef AspNetCore/MVC host does not mess with the ServerCertificateCustomValidationCallback. This may be an issue with the container infrastructure. Try simplifying the web app repro by removing all of the code in Program.Main and calling HttpClient directly from there.

+1
Tratcher on Jan 24, 2019

@wfurt Im on a windows machine and this snippet works if you run a .net core 2.2 console application. If you try this from a mvc core running kestrel , it fails everytime. I am configured to run in Linux docker containers, but this occurs when debugging on a windows 10 machine

The site comes up in all browsers and in the console app like i mentioned… only in a kestrel based mvc app

 public class Program
    {
        public static void Main(string[] args)
        {
            CreateWebHostBuilder(args).Build().Run();
        }

        public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
                .UseContentRoot(Directory.GetCurrentDirectory())
                .UseKestrel(opts => { })
                .UseStartup<Startup>();
    }

and the code is in the startup.cs in an app.Run :

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            app.Run(async ctx =>
            { ....
+1
ewassef on Jan 24, 2019

I’m not sure that is actual problem @viveknaragude. Unless your app uses certificate signed by somebody trusted by the container you need to establish the trust somehow. If anything that seems like container configuration problem. Do I miss something?

+1
wfurt on Nov 9, 2018
Read more comments on GitHub
← runtime: ssl certificate processing logic error
runtime: SSL connection could not be etablished →