In a fresh SharePoint 2016 RTM farm with Workflow Manager 1.1 installed, publishing a SharePoint 2013 workflow from SharePoint Designer fails with the error "The remote certificate is invalid according to the validation procedure." The message appears both in the UI and in the ULS logs:

01/18/2016 16:25:17.53    w3wp.exe (kfsp:0x3764)    0x5758    SharePoint Server    Workflow Services    ahwae    Medium    Error publishing workflow definition (ItemUpdating) information:
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at Microsoft.Workflow.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)
   at Microsoft.Workflow.Client.HttpGetResponseAsyncResult`1.End(IAsyncResult result)
   at Microsoft.Workflow.Client.ClientHelpers.SendRequest[T](HttpWebRequest request, T content)
   at Microsoft.Workflow.Client.WorkflowManagementClient.SendRequest[T](HttpWebRequest request, T content)
   at Microsoft.Workflow.Client.ScopeManager.PublishScopeInternal(ScopeDescription description, String[] pathSegments)
   at Microsoft.Workflow.Client.ScopeManager.PublishChildScope(String childScopeName, ScopeDescription description)
   at Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.CreateServiceGroup(String scopeAddress, ScopeDescription serviceGroup)
   at Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.CreateOrUpdateServiceGroup(SPWeb lookupWeb, SPAppPrincipal app)
   at Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.<SetupApplicationEcosystem>b__3()
   at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
   at Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.SetupApplicationEcosystem()
   at Microsoft.SharePoint.WorkflowServices.FabricWorkflowDeploymentProvider.PublishDefinition(WorkflowDefinition workflowDefinition)
   at Microsoft.SharePoint.WorkflowServices.WorkflowDefinitionStorageEventReceiver.PublishDefinition(SPItemEventProperties properties)

Root cause:

During configuration we let the Workflow Manager configuration wizard auto-generate its certificates, so the endpoint on port 12290 presents a self-signed certificate that does not chain to any root SharePoint trusts. Trusting that certificate in the Windows certificate store would not help: SharePoint overrides the default .NET server-certificate validation with its own policy, which only accepts certificates whose chain ends in an entry of the farm's trusted root authority list (Central Administration > Security > Manage Trust, the SPTrustedRootAuthority objects). Because the WFM certificate is not in that list, the TLS handshake from w3wp.exe to Workflow Manager is rejected with the error above.

Resolution:

The fix is straightforward: establish trust between SharePoint 2016 and Workflow Manager. Export the certificate that Workflow Manager presents (and, for a CA-issued certificate, the rest of its chain) from the WFM server and import it into SharePoint's trust store, either through Central Administration or with PowerShell. Follow the steps below.

Export Certificate from Workflow Manager Server

  • Log on to the Workflow Manager server with the farm credentials.
  • Open IIS Manager > Sites, right-click Workflow Management Site, and choose Edit Bindings.
  • In the Site Bindings dialog, select the https binding on port 12290 and choose Edit.
  • In the Edit Site Binding dialog, click View next to the SSL certificate.
  • In the Certificate window, switch to the Details tab.
  • On the Details tab, click Copy to File... to start the Certificate Export Wizard.
  • In the wizard:
    • Click Next.
    • Choose No, do not export the private key (SharePoint only needs the public certificate to validate the server; the private key must stay on the WFM server).
    • Choose DER encoded binary X.509 (.CER).
    • Pick the folder and file name for the export (we used WFcert.cer).
    • Click Finish; the wizard confirms that the export was successful.
  • You now have WFcert.cer.

Note: Because we used the auto-generated certificate, it is self-signed and is the only certificate in its chain. If Workflow Manager was configured with a CA-issued SSL certificate instead, open the Certification Path tab and export every certificate in the path (the intermediate and root CA certificates as well), because SharePoint has to be able to validate the whole chain.

Import the Certificate into SharePoint 2016 through Central Administration

  • Copy the exported .cer file(s) from the WFM server to the server hosting Central Administration.
  • Log on with the farm administrator account.
  • In Central Administration go to Security > General Security > Manage Trust.
  • Click New on the ribbon.
  • On the Establish Trust Relationship page, upload the certificate:
    • Enter a friendly name for the trust.
    • In the Root Authority Certificate section, browse to the exported .cer file.
    • Click OK.
  • Repeat these steps for every certificate in the chain.

Import the Certificate with SharePoint PowerShell (alternative to Central Administration)

  • Log on to a SharePoint server with the farm administrator credentials.
  • Launch the SharePoint 2016 Management Shell.
  • Run the following, once per exported certificate (F:\WFcert.cer is wherever you copied the file):

# Get-PfxCertificate also reads public-only .cer files; no private key is involved
$trustCert = Get-PfxCertificate -FilePath "F:\WFcert.cer"
New-SPTrustedRootAuthority -Name "WFTrust" -Certificate $trustCert
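The two procedures above (exporting on the Workflow Manager server, importing on SharePoint) scripted end to end, as an added example that is not part of the original post. It locates the certificate bound to port 12290 through the IIS binding instead of the GUI, exports every certificate in its chain (so it also covers the CA-issued case from the note), registers each one in the farm's trust store without creating duplicates, and finally connects to the WFM endpoint to confirm that the certificate it actually presents is one SharePoint trusts. The site name "Workflow Management Site" and port 12290 come from the post; the folder C:\WfmCerts, the WFTrust name prefix, the function names and the host name wfm.contoso.local are placeholders.

```powershell
# Added example, not from the original post. Run Export-WfmCertificateChain on the
# Workflow Manager server; run Import-WfmTrust and Test-WfmCertificateTrusted on a
# SharePoint 2016 server. Paths, the WFTrust prefix and the host name are placeholders.

function Export-WfmCertificateChain {
    param(
        [string]$SiteName = 'Workflow Management Site',   # site name from the post
        [int]$Port        = 12290,                        # WFM https port from the post
        [string]$OutDir   = 'C:\WfmCerts'                 # placeholder output folder
    )
    Import-Module WebAdministration
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -like "*:${Port}:*" } | Select-Object -First 1
    if (-not $binding) { throw "No https binding on port $Port for site '$SiteName'." }

    # certificateHash is the thumbprint of the bound certificate; look it up in the machine store
    $leaf = Get-ChildItem "Cert:\LocalMachine\$($binding.certificateStoreName)" |
        Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $leaf) { throw "Bound certificate $($binding.certificateHash) not found in the machine store." }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # Build the chain so that a CA-issued certificate's intermediates and root are exported
    # too. For the auto-generated self-signed certificate the chain has exactly one element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)   # returns $false for an untrusted self-signed cert; elements are still populated
    $i = 0
    foreach ($element in $chain.ChainElements) {
        $file = Join-Path $OutDir ("WFcert{0}.cer" -f $i)
        # -Type CERT writes DER-encoded X.509 without the private key, like the export wizard
        Export-Certificate -Cert $element.Certificate -FilePath $file -Type CERT | Out-Null
        Write-Host ("Exported {0}: {1} (expires {2:d})" -f $file, $element.Certificate.Subject, $element.Certificate.NotAfter)
        $i++
    }
}

function Import-WfmTrust {
    param(
        [string]$CertDir    = 'C:\WfmCerts',   # where the .cer files were copied to (placeholder)
        [string]$NamePrefix = 'WFTrust'
    )
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    foreach ($file in Get-ChildItem -Path $CertDir -Filter *.cer) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
        if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "$($file.Name) expired on $($cert.NotAfter)" }
        # SharePoint validates remote certificates against its own trust store, not the Windows
        # store, so every certificate of the chain has to be registered here. Skip duplicates.
        $existing = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
        if ($existing) {
            Write-Host "Already trusted as '$($existing.Name)': $($cert.Subject)"
            continue
        }
        $name = '{0}-{1}' -f $NamePrefix, $cert.Thumbprint.Substring(0, 8)
        New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
        Write-Host "Added '$name': $($cert.Subject)"
    }
}

function Test-WfmCertificateTrusted {
    param([string]$WfmHost, [int]$Port = 12290)
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $script:remote = $null
    $tcp = New-Object System.Net.Sockets.TcpClient($WfmHost, $Port)
    try {
        # Capture whatever certificate the endpoint presents. Accepting it here is fine
        # because this stream is only used to inspect the certificate, never to send data.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($WfmHost)
        $ssl.Dispose()
    } finally { $tcp.Close() }

    $trusted = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
    if ($trusted -contains $script:remote.Thumbprint) {
        Write-Host "OK: ${WfmHost}:$Port presents $($script:remote.Subject), which is in SharePoint's trust store."
        return $true
    }
    Write-Warning "${WfmHost}:$Port presents $($script:remote.Thumbprint) ($($script:remote.Subject)), which is not in Get-SPTrustedRootAuthority."
    return $false
}

# On the WFM server:      Export-WfmCertificateChain -OutDir 'C:\WfmCerts'
# On a SharePoint server: Import-WfmTrust -CertDir 'C:\WfmCerts'
#                         Test-WfmCertificateTrusted -WfmHost 'wfm.contoso.local'   # placeholder host
```

Test-WfmCertificateTrusted compares the certificate the endpoint really serves with what SharePoint trusts by thumbprint. A mismatch after the import means the binding on 12290 is presenting a different certificate than the one that was exported (for example after the WFM certificate was regenerated), which is exactly the condition that produces the ULS error above.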