Could not establish trust relationship for the SSL/TLS secure channel

  • General discussion

  • Note:  The following information was gathered when the operation was attempted.  The information may appear cryptic but provides context for the error.  The application will continue to run.

    System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

    I've found a related post, but none of the suggestions have worked.  I have verified the certificates. 

    • Changed type Yog Li Thursday, March 11, 2010 10:47 AM Starter's not back.
    Wednesday, March 3, 2010 2:19 PM

All replies

  • Hello,

    Would you please post some details to help us understand this issue?

    Are you using SCE, SCOM? Did this issue occur when you setup Remote Operations Manager? And where?

    Thanks,
    Yog Li - MSFT
    Friday, March 5, 2010 10:35 AM
  • Not to be sarcastic, but this is the System Center Essentials forum.  I'm using System Center Essentials 2007 and attempting to connect via the remote console.  I'm connecting on the same local network as the server.

    Cause: SSL certificate was generated using the SCE server's NetBIOS name instead of its FQDN.
    Solution:

    1)     First cleaned policy and certificates on the server:
    SCECertPolicyConfigUtil.exe /Uninstall /ManagementGroup <MG_Name>
    In the above command, <MG_Name> is the name of the management group.

    2)     Remove the certificate files from C:\Program Files\System Center Essentials 2007\Certificates.

    3)     Run the following command to reconfigure certificates on the SCE server and update policy:

    SCECertPolicyConfigUtil.exe /PolicyType domain /ManagementGroup <MG_Name> /SCEServer <server FQDN> /ConfigureRemoteControl true /ConfigureAEM false

    4)     Verified that updated certificates are in the Certificates folder and the certificate store. Also, verify that the WSUS Administration Web site is configured with the new SSL certificate and that the certificate uses the SCE server's FQDN.

    5)     Open the System Center Essentials All Computers Policy GPO in Group Policy Editor and make sure that the CA certificate exists in the following location: Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities.

    6)     Run gpupdate on the Console computer and verify that the updated CA certificate is added to Trusted Root Certification Authorities in the computer account's certificate store.

    Hopefully this will save someone a support incident.

    Saturday, March 13, 2010 10:43 AM
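
The two conditions that steps 4 to 6 of the post above verify, a certificate issued for the server's FQDN and a CA certificate trusted by the console computer, can be told apart with a single TLS probe. This is an added example, not part of the original post or of SCE; it assumes Windows PowerShell 5.1, the default port 8531 is an assumption about where the WSUS Administration Web site listens for SSL, and both host names are constructed placeholders.

```powershell
# Added example, not from the original post. Probes the server's SSL endpoint and
# reports why a client would distrust it: name mismatch vs. untrusted chain.
function Test-SceTlsTrust {
    param(
        [Parameter(Mandatory)][string]$ServerName,  # name the client connects with
        [int]$Port = 8531                           # assumption: WSUS SSL port
    )
    $seen = @{ Errors = $null; Cert = $null; Chain = @(); Failure = $null }
    # Record what validation saw; still reject the session unless it is clean.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $cert, $chain, $errors)
        $seen.Errors = $errors
        if ($cert)  { $seen.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert }
        if ($chain) { $seen.Chain = @($chain.ChainStatus | ForEach-Object { $_.Status }) }
        return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ServerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try     { $ssl.AuthenticateAsClient($ServerName) }
        catch   { $seen.Failure = $_.Exception.Message }  # expected when validation fails
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }

    $names = @()
    if ($seen.Cert) {
        $names += $seen.Cert.GetNameInfo('SimpleName', $false)       # subject CN
        $san = $seen.Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $names += $san.Format($false) }                  # subjectAltName
    }
    $flags = [System.Net.Security.SslPolicyErrors]
    $e = [int]$seen.Errors                                           # $null becomes 0
    [pscustomobject]@{
        ConnectedAs  = $ServerName
        Validated    = ($null -ne $seen.Errors)  # false: handshake ended before the cert check
        NameMismatch = (($e -band [int]$flags::RemoteCertificateNameMismatch) -ne 0)
        ChainErrors  = (($e -band [int]$flags::RemoteCertificateChainErrors) -ne 0)
        ChainStatus  = $seen.Chain -join ', '
        CertNames    = $names -join '; '
        Thumbprint   = if ($seen.Cert) { $seen.Cert.Thumbprint }
        Failure      = $seen.Failure
    }
}

# Constructed placeholder names; substitute the real FQDN and NetBIOS name.
'sceserver.contoso.local', 'SCESERVER' | ForEach-Object { Test-SceTlsTrust -ServerName $_ } | Format-List
```

Run it from the console computer: `NameMismatch` set when connecting by FQDN matches the cause named in the post (certificate issued for the NetBIOS name), while `ChainErrors` with an `UntrustedRoot` status points at the CA certificate missing from Trusted Root Certification Authorities.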
  • Hello,

    Thanks for sharing the information, which could be very helpful for the other community members facing similar scenarios.

    Yog Li - MSFT
    Wednesday, March 17, 2010 9:58 AM