R 9.1, unable to use a self signed certificate

  • Question

  • Hello,

    I can't manage to activate SSL for a web node. 

    The server is configured to use our active directory for authentication.

    I tested the server without activating the ssl, and I can connect using the remoteLogin command on my pc to the remote server and giving my user AD login/password.

    remoteLogin("http://myvm.mydomain.com:12800", diff=TRUE, session = TRUE, commandline = TRUE)

    I am running it on Windows 2012 R2:

    I tried two ways to create the self-signed certificate:

      1. I installed the IIS feature and created a self-signed certificate using the IIS manager.

      2. I created a certificate using the PowerShell command 

    In my web node configuration file I have 

      "Kestrel": {
        "Port": 12800,
        "Host": "myvm.mydomain.com",
        "HttpsEnabled": true,
        "HttpsCertificate": {
          "Enabled": true,
          "StoreName": "My",
          "StoreLocation": "LocalMachine",
          "Description": "Enable this section if you want to enable SSL on Kestrel",
          "SubjectName": "CN=myvm.mydomain.com",
          "AllowInvalid": true
        }
      }

    I followed the documentation and gave special access to the certificate (I also tried to give everyone permission with full rights).

    With this configuration the web hosting launches and seems to be OK:

    PS C:\Program Files\Microsoft\R Server\R_SERVER\o16n\Microsoft.RServer.WebNode> dotnet .\Microsoft.RServer.WebNode.dll
    dbug: Microsoft.AspNetCore.Hosting.Internal.WebHost[3]
          Hosting starting
    dbug: Microsoft.AspNetCore.Hosting.Internal.WebHost[4]
          Hosting started
    Hosting environment: Production
    Content root path: C:\Program Files\Microsoft\R Server\R_SERVER\o16n\Microsoft.RServer.WebNode
    Now listening on: https://*:12800
    Application started. Press Ctrl+C to shut down.
    info: default[0]
          {"CorrelationId":"3b93e59e-619c-4f8e-8617-6305ea904195","Subject":"Compute nodes used: http://localhost:12805/"}
    info: default[0]
          {"CorrelationId":"3b93e59e-619c-4f8e-8617-6305ea904195","Subject":"Compute nodes used: http://localhost:12805/"}

    But on my client PC, when I try to connect using the command :

    remoteLogin("https://myvm.mydomain.com:12800", diff=TRUE, session = TRUE, commandline = TRUE)

    on the server I have a "The remote certificate is invalid according to the validation procedure." error :

    I have no idea of what I am doing wrong.

    Here is the complete stack of the server error :

    dbug: Microsoft.AspNetCore.Hosting.Internal.WebHost[3]
          Hosting starting
    dbug: Microsoft.AspNetCore.Hosting.Internal.WebHost[4]
          Hosting started
    Hosting environment: Production
    Content root path: C:\Program Files\Microsoft\R Server\R_SERVER\o16n\Microsoft.RServer.WebNode
    Now listening on: https://*:12800
    Application started. Press Ctrl+C to shut down.
    info: default[0]
          {"CorrelationId":"80d17448-7329-4cdc-be70-2507a9fdf658","Subject":"Compute nodes used: http://localhost:12805/"}
    info: default[0]
          {"CorrelationId":"80d17448-7329-4cdc-be70-2507a9fdf658","Subject":"Compute nodes used: http://localhost:12805/"}
    dbug: Microsoft.AspNetCore.Server.Kestrel[1]
          Connection id "0HL7R7B76B168" started.
    fail: Microsoft.AspNetCore.Server.Kestrel[0]
          ConnectionFilter.OnConnection
    System.AggregateException: One or more errors occurred. (The remote certificate is invalid according to the validation procedure.) ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
       at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
       at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionFilter.<OnConnectionAsync>d__6.MoveNext()
       --- End of inner exception stack trace ---
    ---> (Inner Exception #0) System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
       at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
       at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionFilter.<OnConnectionAsync>d__6.MoveNext()<---

    and the appsettings file :

    {
      "Version": "9.1.0",
      "Kestrel": {
        "Port": 12800,
        "Host": "myvm.mydomain.com",
        "HttpsEnabled": true,
        "HttpsCertificate": {
          "Enabled": true,
          "StoreName": "My",
          "StoreLocation": "LocalMachine",
          "Description": "Enable this section if you want to enable SSL on Kestrel",
          "SubjectName": "CN=myvm.mydomain.com",
          "AllowInvalid" : true
        }
      },
      "Logging": {
        "IncludeScopes": false,
        "LogsPath": "",
        "MaxLogsFilesNumber": 10,
        "LogLevel": {
          "Default": "Debug",
          "System": "Verbose",
          "Microsoft": "Debug",
          "Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware": "Debug",
          "AllowedLogLevels": {
            "Verbose": "Verbose is the noisiest level, rarely (if ever) enabled for a production app.",
            "Debug": "Debug is used for internal system events that are not necessarily observable from the outside, but useful when determining how something happened.",
            "Information": "Information events describe things happening in the system that correspond to its responsibilities and functions",
            "Warning": "When service is degraded, endangered, or may be behaving outside of its expected parameters, Warning level events are used.",
            "Error": "When functionality is unavailable or expectations broken, an Error event is used.",
            "Fatal": "The most critical level, Fatal events demand immediate attention."
          }
        }
      },
      "MaxNumberOfThreadsPerBatchExecution": 100,
      "Authentication": {
        "AdminPassword": "mg/LS9Z49nmZjG0idvZPpZqGkN4aO3//cj8vM9YXAmljdp/dW/cywi6jZmQ/Mj4Z",
        "AzureActiveDirectory": {
          "Enabled": false,
          "Description": "Enable this section if you want to enable authentication via Azure AD",
          "Authority": "https://login.windows.net/<yourtenant.com>",
          "Audience": "<clientId>"
        },
        "LDAP": {
          "Enabled": true,
          "Description": "Enable this section if you want to enable authentication via LDAP",
          "Host": "ludir003.mydomain.com",
          "Port": 389,
          "UseLDAPS": false,
          "QueryUserDn": "CN=myuser,CN=Users,DC=MYDOMAIN,DC=COM",
          "QueryUserPassword": "mypassword",
          "QueryUserPasswordEncrypted": false,
          "SearchBase": "DC=TT,DC=MYDOMAIN,DC=COM",
          "SearchFilter": "samAccountName={0}",
          "UniqueUserIdentifierAttributeName": "userPrincipalName",
          "DisplayNameAttributeName": "name",
          "EmailAttributeName": "mail"
        },
        "JWTKey": "xxxx",
        "JWTSigningCertificate": {
          "Enabled": false,
          "Description": "Enable this section if you want to sign the access token with a certificate instead of a randomly generated key",
          "StoreName": "My",
          "StoreLocation": "LocalMachine",
          "SubjectName": "<subject name>"
        }
      },
      "Authorization": {},
      "ConnectionStrings": {
        "Description": "One database must be enabled. Disable any unused databases.",
        "sqlserver": {
          "Enabled": false,
          "Connection": "<connection string to your Microsoft SQL Server installation>"
        },
        "postgresql": {
          "Enabled": false,
          "Connection": "<connection string to your PostgreSQL installation>"
        },
        "defaultDb": {
          "Enabled": true,
          "Connection": "./db/rserver_o16n_9.1.0.db"
        }
      },
      "BackEndConfiguration": {
        "ClientCertificate": {
          "Enabled": false,
          "Description": "Enable this section if your compute node(s) require certificate authentication",
          "StoreName": "My",
          "StoreLocation": "LocalMachine",
          "SubjectName": "<subject name>"
        },
        "Uris": {
          "Description": "Declare each compute node by adding its unique URI in the 'Values' section. Using HTTPS is highly recommended",
          "Values": [
            "http://localhost:12805"
          ]
        }
      },
      "CORS": {
        "Enabled": false,
        "Origins": []
      },
      "RuntimeTypes": [
        "R",
        "Realtime"
      ],
      "configured": "configured"
    }



    Thursday, September 14, 2017 6:43 AM
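
A way to inspect the certificate that the posted `HttpsCertificate` section selects, as an added example that is not part of the original post or of R Server's own tooling. The store name, store location, subject and host name are copied from the posted configuration; the variable names and the set of checks are assumptions of this example.

```powershell
# Added example (not from the original post): inspect the certificate selected by
# the posted Kestrel "HttpsCertificate" settings. Values are copied from that config.
$storeName     = 'My'
$storeLocation = 'LocalMachine'
$subjectName   = 'CN=myvm.mydomain.com'
$hostName      = 'myvm.mydomain.com'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$sanOid        = '2.5.29.17'           # subjectAltName

$path  = "Cert:\$storeLocation\$storeName"
$certs = @(Get-ChildItem -Path $path | Where-Object { $_.Subject -eq $subjectName })
if ($certs.Count -eq 0) { throw "No certificate with subject '$subjectName' in $path" }
if ($certs.Count -gt 1) { Write-Warning "$($certs.Count) certificates share this subject" }

$now = Get-Date
foreach ($cert in $certs) {
    # Build the chain locally; revocation is skipped because a self-signed
    # certificate has no CRL or OCSP endpoint to consult.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    # No EKU extension means the certificate is valid for any purpose.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = (-not $ekuExt) -or
        (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid)

    # Format($false) renders the SAN as text ("DNS Name=..." on English Windows).
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        HasPrivateKey  = $cert.HasPrivateKey
        InValidity     = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        ServerAuthEku  = $serverAuth
        SubjectAltName = $san
        HostInSan      = $san -match ('DNS Name=' + [regex]::Escape($hostName) + '(,|$)')
        ChainBuilds    = $chainOk
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

Run it in an elevated PowerShell session on the web node. A `ChainStatus` of `UntrustedRoot` means the machine running the script does not have the self-signed certificate in its trusted root store.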