WCF Could not establish trust relationship for the SSL/TLS secure channel with authority

By admin - Last updated: Saturday, February 21, 2009 - 23 Comments

I have seen people on the forums ask about the error “Could not establish trust relationship for the SSL/TLS secure channel with authority”, which appears when calling a web service via a host domain name other than the one specified in the Issued To field of the SSL certificate. Most likely you are using the same certificate for WCF web services hosted on other domains, for example a development or demo server.

A custom remote certificate validation callback can be used to bypass the strict validation and simply trust any certificate.

In your code, simply make a call to the static method SetCertificatePolicy() once within your application before making any request to the web services.

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Note: this code is not intended to be used
// in a production environment.
public static class Util
{
    /// <summary>
    /// Sets the cert policy.
    /// </summary>
    public static void SetCertificatePolicy()
    {
        ServicePointManager.ServerCertificateValidationCallback
                   += RemoteCertificateValidate;
    }

    /// <summary>
    /// Validates the remote certificate (accepts every certificate).
    /// </summary>
    private static bool RemoteCertificateValidate(
       object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors error)
    {
        // trust any certificate!!!
        System.Console.WriteLine("Warning, trust any certificate");
        return true;
    }
}
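
A narrower alternative to the trust-everything callback above, as an added example (not the original author's code): it accepts a certificate only when the sole failure is the host-name mismatch this post describes, and only for an allow-listed host whose certificate thumbprint matches a pinned value. The class name, host name and thumbprint are placeholders, and it assumes the .NET Framework behaviour where `sender` is the `HttpWebRequest`.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class DevCertificatePolicy
{
    // Placeholder values (assumptions): your dev/demo host and the SHA-1
    // thumbprint of the certificate you expect that host to present.
    private static readonly Dictionary<string, string> PinnedDevHosts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "dev.example.test", "0000000000000000000000000000000000000000" }
        };

    // Call once at startup, before the first web service request.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        // Normal validation passed: nothing to override.
        if (errors == SslPolicyErrors.None)
            return true;

        // Record which check failed (name mismatch, chain errors,
        // certificate not available) instead of hiding it.
        Console.Error.WriteLine("TLS validation failed: " + errors);

        // Tolerate a name mismatch only; chain errors (untrusted issuer,
        // expired certificate) and a missing certificate still fail.
        var request = sender as HttpWebRequest;
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch
            || request == null || cert == null)
            return false;

        // The host must be allow-listed and present the pinned certificate.
        string expected;
        return PinnedDevHosts.TryGetValue(request.Address.Host, out expected)
            && string.Equals(cert.GetCertHashString(), expected,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

The logged `SslPolicyErrors` value also tells you which check failed on a server where the call unexpectedly breaks.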



Posted in WCF

23 Responses to “WCF Could not establish trust relationship for the SSL/TLS secure channel with authority”

Comment from Koby
Time May 18, 2009 at 12:05 am

Bingo

Comment from Raju
Time June 29, 2009 at 4:32 am

We were struggling to make WCF work through SSL on our local machine (SSL) before seeing your solution. Your solution worked perfectly.

Thanks for sharing.

Comment from Neil
Time July 17, 2009 at 11:33 am

Works like a pearl…

Thanks a lot!

Comment from sujith
Time July 29, 2009 at 1:15 pm

you are a life saver dude…

cheers

Comment from Bogi
Time August 13, 2009 at 10:50 pm

pffff thank you very much

Comment from vladABC
Time October 25, 2009 at 11:51 pm

Thanks a lot


Comment from Harjeet Chandwani
Time November 8, 2009 at 10:50 am

Hi Everybody,
We are facing a similar problem on our Production server but it works fine on our Pre-Production server and local dev machines. Can anyone suggest a solution for this?

Quick help will be highly appreciated.

Thanks and Regards,
Harjeet Chandwani.

Comment from admin
Time November 8, 2009 at 11:20 am

@Harjeet Chandwani
Does your production server have the VALID certificate?
Does the SSL certificate subject allow the domain name on which you host your web service?
Normally, you may find the domain name in the subject field of your certificate.

Comment from Harjeet Chandwani
Time November 8, 2009 at 8:49 pm

Thanks for the reply. We are not using any certificate on any of the servers related to this API. This problem is only coming up on the production server but it works fine on pre-production servers, and we have not installed any certificate anywhere.

Comment from admin
Time November 9, 2009 at 12:10 pm

@Harjeet Chandwani
I’d suggest you post the error details here and find out the URL from your client app.config. This is really an SSL certificate related error message; I still suspect you are using an https URL for the web service.

Comment from Harjeet Chandwani
Time November 9, 2009 at 5:51 pm

Below is the error we are getting, and yes, we are using an https web service, but my problem is that if it is working on all the machines (dev, INT server and all), then it should work on the production server also.

11/8/2009 6:29:54 PM –
ExceptionMessage:- Could not establish trust relationship for the SSL/TLS secure channel with authority ‘secure.techfortesco.com’.
ExceptionStackTrace:-
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

Comment from admin
Time November 9, 2009 at 7:20 pm

If you can set a breakpoint within the RemoteCertificateValidate method at the client, you can find out what the actual error is by examining the value of the SslPolicyErrors argument. Let us know how it goes. Good luck.

Comment from sara
Time February 3, 2010 at 3:59 am

The web service I have to consume is on SSL and the service provider has provided us test certificates..
I created a wrapper in ASMX to access this service; the ASMX wrapper is required coz other apps like Visual file can’t directly access WCF..
When I run my ASMX wrapper from the ASP.NET dev environment it works fine.. but when I host this ASMX wrapper on IIS I started getting an error, as
Could not establish secure channel for SSL/TLS with authority ‘uat-portal.swiftcover.com’
even though I call the code as you have specified to accept all certificates.. plz help

Comment from Mark Huff
Time February 5, 2010 at 2:57 am

Try this:
System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);

Before you make any calls.

Comment from Lucas
Time March 23, 2010 at 7:03 am

Thanks for the solution. It worked perfectly.
I’ve been trying to solve this problem for days!!!
Thanks again

Comment from bhadelia imran
Time April 27, 2010 at 8:09 pm

It works like a charm! Thanks for the nice findings

Comment from robert nadar
Time August 11, 2010 at 1:50 am

thanks dude for the code.. working fine!!!

Comment from Abidali
Time August 17, 2010 at 7:21 pm

Hello All,

This solution works perfectly for development purposes. But what do I need to do for production release?

Thanks.

Comment from Ray
Time August 17, 2010 at 9:54 pm

If the target production certificate is valid, you don’t have to use this method.

Comment from Lou
Time September 14, 2010 at 1:55 pm

I am facing a similar issue, but I am getting this error as I’m attempting to create the generated proxy for services consumption. Therefore, modifying client code serves me no purpose. How does one resolve this issue prior to runtime?

Comment from Ray
Time September 14, 2010 at 2:47 pm

If in Visual Studio, it should prompt you asking whether to trust it; if you click yes, then it should work. What IDE are you using?

Comment from Durgesh Vasmatkar
Time November 4, 2010 at 3:40 am

Thanks Mark Huff…
your solution worked perfectly..

Durgesh

Comment from amol
Time July 25, 2013 at 10:24 pm

Hi, it’s working fine for me in UAT Environment, but it’s correct solution for Live Environment.
