Ssl – How to troubleshoot this SSL certificate error

sslssl-certificatewindows-server-2003

First off, I'm not a server admin, I'm by no means an expert.

So, there are two servers, one is used for email relaying and the other runs a website. The website will use .NET to send a message through SMTP with UseSSL flagged. However it fails due to the error

The remote certificate is invalid according to the validation procedure.

So I enabled tracing and the log outputted this message

System.Net Information: 0 : [4656]
SecureChannel#22800124 – Remote
certificate has errors: System.Net
Information: 0 : [4656]
SecureChannel#22800124 – A
certificate chain processed, but
terminated in a root certificate which
is not trusted by the trust provider.

System.Net Information: 0 : [4656]
SecureChannel#22800124 – Remote
certificate was verified as invalid by
the user.

System.Net Error: 0 : [4656]
Exception in the
SmtpClient#34708722::Send – The remote
certificate is invalid according to
the validation procedure.

So we double checked, and the certificate on the email server was expired. Someone created a new self signed certificate on the email server, and it was imported to the trusted root certificate authority on the web server. That didn't fix the error.

Any ideas on what else I can check? Or was that not how you set a certificate to be trusted?

Also, when not using SSL the application works fine, and nothing should be wrong with the application itself, as it use to work up until a little while ago (when the old certificate expired) and it can run fine on other servers.

Best Answer

I think that you need to restart IIS to reload the certificate keystore.

You can also check the remote certificate with:

openssl s_client -connect SMTPserver:port|openssl x509 -text

You can find openssl at http://www.openssl.org/related/binaries.html

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

SSL Error – Unable to Read Server Certificate from File

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

you've got a file in Windows line-terminated format, and apache doesn't love those.

Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.

Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

SSL Error – Unable to Read Server Certificate from File

Related Topic