Solved

The underlying connection was closed: Could not establish trust relationship with remote server.

Posted on 2014-04-30
7
3,034 Views
Last Modified: 2014-05-02
I have a website that uses SSL certificate. The website sends a request to an external website and receives a response that it has to process. All this was working fine until we renewed the SSL certificate on the server. Now after we send the request to the external website, it does not send a response but throws the error

The underlying connection was closed: Could not establish trust relationship with remote server.at System.Net.HttpWebRequest.CheckFinalStatus() at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult) at System.Net.HttpWebRequest.GetRequestStream()

I made changes in the code by implementing System.Net.ICertificatePolicy but it still does not work. I have attached my code. Please advise.
EE-SSL.txt
0
Comment
Question by:Angel02
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40032571
Can you compare the cert chain of the new cert and the old one.

It is possible that the chain of the certificate might have been changed, also have any changes been made to the name / friendly name of the certificate ?

Compare the expired cert to the new one for :
1. certificate chain
2. Subject
3. Friendly Name
0
 
LVL 4

Accepted Solution

by:
xaichen earned 350 total points
ID: 40032768
Hi Angel,

It is probably not your code that is at fault if the only thing that changed was the SSL cert being renewed.

I'd check that the new certificate has been selected in the website's binding settings on the web server.

Best regards.
0
 

Author Comment

by:Angel02
ID: 40032889
@becraig
Where will I find these details (certificate name, subject, friendly name)? I saw the ones in IIS for the current certificate and they look fine. I don'f have the details of the older/expired certificate.
Does it matter if they are different?

@xaichen
How can I check the website's binding settings on the web server?

I checked the IIS and clicked on View Certificate. I certificate listed was the right one as it had the correct expiry date. But it said
"The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered"

Can this be a reason? The website however loads fine and everything is normal except accepting responses from external website.

Will it help if I remove the current certificate and add the same one back? Or will it create more problems?
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 29

Assisted Solution

by:becraig
becraig earned 150 total points
ID: 40032909
Ok so based on the information you just posted, can you do these two things:

1. Double click the certificate itself in the mmc and click on details you can find the values I specified there.

2. I would suggest you reinstall the certificate, but you need to verify the chain of the certificate as I said earlier is valid so when you click on the details tab do the following steps.

However did you request the certificate from this computer  ?

If so I would probably suggest to install each certificate in the chain in the appropriate store, then simply repair the store.
0
 
LVL 4

Expert Comment

by:xaichen
ID: 40032924
Hi Angel,

Do you know what version of IIS or Windows Server the website is running on? If is is Server 2003 / IIS6 it is possible the new certificate is using a hashing method that the older IIS6 version can't understand. See more info in MS article KB938397.

In IIS7 you can check the binding if you select the website in the left hand tree and then select Bindings... in the right hand actions pane. You can then edit the binding to see what certificate is being used for that site.

In IIS6 you can right click the site to get to Properties > Directory Security tab > View  Certificate

Best regards.
0
 

Author Comment

by:Angel02
ID: 40034792
Thank you Xaichen. The issue was actually hashing algorithm. We reinstalled the SSL certificate with SHA-1 and it started working. We are able to receive response from the external website now.

Other than the response from the external website everything was working fine with SHA-2 before. Does this mean the external website was not compatible with SHA-2 afterall?

I would like to know this to know if I need to do something on my end so we can use SHA-2. Please advise. Thanks!
0
 
LVL 4

Expert Comment

by:xaichen
ID: 40035218
Hi Angel,

I'm glad to hear it is working. In respect to the SHA-2 working before. I've read up a bit since my last post and it appears there are 4 or more flavours of SHA-2. It is possible you were using one type that was compatible and then the renewal process selected a different type that could not be supported. I'm not entirely sure where you see what type of SHA-2 is in use, or how to go about changing it, but the different versions are called SHA-224, SHA-256, SHA-384, SHA-512.

In terms of continuing to use SHA-1, it is possibly easier to exploit it, though these days everything seem to have weaknesses. But if you has working SHA-2 solution before it would be worth some effort to try to return to that. But you may find SHA-1is the only workable solution to maintain backwards compatibility in some scenarios. For some real world comparison, I checked out the SSL certificate that Gmail's web interface uses when I make a connection and it is SHA-1.

I hope that helps.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Creating an analog clock UserControl seems fairly straight forward.  It is, after all, essentially just a circle with several lines in it!  Two common approaches for rendering an analog clock typically involve either manually calculating points with…
The ECB site provides FX rates for major currencies since its inception in 1999 in the form of an XML feed. The files have the following format (reducted for brevity) (CODE) There are three files available HERE (http://www.ecb.europa.eu/stats/exch…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question