
WCF: Could not establish trust relationship for the SSL/TLS secure channel with authority

When using WCF (or ASMX) over SSL you may run into the error Could not establish trust relationship for the SSL/TLS secure channel with authority 'YourServerHere:Port'. It means the client refused the certificate the server presented. There are a number of reasons this might happen, but the first thing to check is that the server's SSL certificate is actually valid for the host name in your endpoint address: the name in the URL must match the name the certificate was issued to (its Subject, or one of its Subject Alternative Names), so an IP address or a bare machine name in the URL fails even when the certificate itself is perfectly good. One quick way to check is to paste the endpoint URL into Internet Explorer; if you get this:

Server Certificate Invalid

You can then continue to the website, click the padlock/Certificate Error button at the top right of the address bar and view the certificate, and you should see exactly why:

View Certificate

(Note these screenshots are from IE8)

There are a number of ways to fix this:

  1. Change the endpoint address in your client configuration to use the host name the certificate was issued to, rather than the IP address or machine name that caused the mismatch.
  2. If for some reason you can't do step 1 (for example, the issued-to name doesn't resolve from the client machine), add an entry to your HOSTS file that maps the issued-to host name to the server's IP address, and then go back to step 1. The HOSTS entry only fixes the name; the certificate still has to be unexpired and chain to a root the client trusts.
  3. Or you can modify your client's code to skip certificate verification entirely using System.Net.ServicePointManager. See the example code below. This switches off server authentication, so it is only acceptable on a throwaway development box and should never ship.

Example

using System.Net;
using System.Net.Security;
// DANGER: accepts every certificate, so TLS no longer authenticates the server.
// Applies to every HTTPS request in this AppDomain, not just the WCF client.
ServicePointManager.ServerCertificateValidationCallback =
    new RemoteCertificateValidationCallback(
        delegate
        {
            return true;
        });

Important Note: this is a dangerous implementation as it doesn't verify certificates at all. Any certificate, including a self-signed one minted by an attacker sitting on the path, is accepted, which leaves the channel encrypted but not authenticated. ServicePointManager is a static, process-wide System.Net (HttpWebRequest) setting that sits below WCF, so this change affects every HTTPS request made from that AppDomain, not just the one client you were trying to fix. If you genuinely cannot correct the certificate or the endpoint name, at least restrict the callback to the one certificate you expect (for example by comparing its thumbprint) instead of returning true unconditionally, and keep it out of production builds. Be very careful with this stuff.
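A safer alternative to the unconditional callback above, as an added example that is not from the original post: keep the normal validation, and only tolerate a host-name mismatch when the certificate presented is exactly the one you expect, pinned by its thumbprint. The thumbprint value, the class and method names, and the choice to tolerate only RemoteCertificateNameMismatch are assumptions for illustration; substitute the thumbprint shown on your own server certificate's Details tab.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedServerValidation
{
    // Assumed value for illustration only: replace with the SHA-1 thumbprint
    // of your real server certificate (hex, no spaces).
    const string ExpectedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    // Pure decision logic, kept apart from the callback so it can be unit tested.
    // Accept when validation passed outright, or when the ONLY problem is a
    // host-name mismatch AND the certificate is the pinned one. Chain errors
    // (untrusted root, expired, revoked) and missing certificates still fail.
    public static bool ShouldAccept(SslPolicyErrors errors, string thumbprint)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        bool onlyNameMismatch = errors == SslPolicyErrors.RemoteCertificateNameMismatch;
        bool isPinned = string.Equals(thumbprint, ExpectedThumbprint,
                                      StringComparison.OrdinalIgnoreCase);
        return onlyNameMismatch && isPinned;
    }

    // Signature matches RemoteCertificateValidationCallback.
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null)
            return false;

        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
        return ShouldAccept(errors, cert2.Thumbprint);
    }

    // Still process-wide (AppDomain-wide), like the original snippet, but it
    // fails closed for anything other than the expected certificate.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

Call PinnedServerValidation.Install() once, before the first WCF proxy is created. Because chain errors are never tolerated, a certificate issued by your own CA (the situation in one of the comments below) still fails until that CA is placed in the client's Trusted Root Certification Authorities store; that is the right fix for it, not a looser callback. Remember to remove the pin when the server certificate is renewed, or the client will start refusing the new one.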

Thanks to my colleague Zulfiqar for his help with this.

Tags: WCF

Post by Josh Twist
12:59 AM
05 Mar 2009



Posted by Ameen Nihad @ 22 Jun 2009 11:53 PM
I have an SSL certificate issued for my domain. I added an entry to the hosts file to point the same domain to my local IP. I can open my service file from the browser without any problem or security warning, but the problem is that the base address of the service is returned as the computer name, not the domain name. For example, I open the service from this address (https://www.domain.com/service.svc) but the address displayed on the service page is (https://computername/service.svc?wsdl), and this causes my client application to give the error you mentioned here. How can I solve this issue?

Posted by Harsha @ 04 Aug 2009 10:32 PM
Very, very useful for us. I had been sitting with this issue for a week now, and changing the URL to have the certificate name rather than the IP address solved my issue like magic.. :)

Posted by Diego @ 07 Jun 2010 3:27 AM
Hi!

I faced this problem right now, and I am trying to find what the problem is. My certificate is created by my custom Certificate Authority, which runs on a Win2003 Server. Both the CA and the certificate for the SSL port are installed on the client machine. The "Issued to" field of the certificate which I use to authenticate the port is "My SSL Certificate", so I cannot use this in the URL. Or could this be the problem? Should the certificate be named like the domain that I use?

Hope you can help!
Best Regards
Diego

Posted by Umesh Bhavsar @ 17 Jun 2011 7:09 PM
Hi,

I had the same issue. Point #1 resolved my issue.
It works for sure.

Thanks for sharing.

Warm Regards,

Umesh Bhavsar

Posted by Harald Koraschnigg @ 20 Sep 2011 7:33 AM
Thank you for your post, guess it saved me hours of searching!!!

© 2005 - 2014 Josh Twist - All Rights Reserved.