{"id":3279,"date":"2021-12-06T08:40:50","date_gmt":"2021-12-06T07:40:50","guid":{"rendered":"https:\/\/kudzia.eu\/b\/?p=3279"},"modified":"2021-12-06T08:40:50","modified_gmt":"2021-12-06T07:40:50","slug":"net-core-under-linux-throws-the-remote-certificate-is-invalid-because-of-errors-in-the-certificate-chain-nottimevalid-when-communicating-with-https-server-having-letsencrypt-cert","status":"publish","type":"post","link":"https:\/\/kudzia.eu\/b\/2021\/12\/net-core-under-linux-throws-the-remote-certificate-is-invalid-because-of-errors-in-the-certificate-chain-nottimevalid-when-communicating-with-https-server-having-letsencrypt-cert\/","title":{"rendered":".net core under linux throws &#8220;The remote certificate is invalid because of errors in the certificate chain: NotTimeValid&#8221; when communicating with HTTPS server having letsencrypt cert"},"content":{"rendered":"<p>i&#8217;ve stumbled on an issue &#8211; simple .net core code using HttpWebRequest failed to communicate with any server that had lets encrypt cert. 
no matter if the server used new or old certificate chain &#8211; i was getting:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nSystem.Net.WebException: The SSL connection could not be established, see inner exception.\r\n ---&gt; System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.\r\n ---&gt; System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid\r\n   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)\r\n   at System.Net.Security.SslStream.ForceAuthenticationAsync&#x5B;TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte&#x5B;] reAuthenticationData, Boolean isApm)\r\n   at System.Net.Security.SslStream.ProcessAuthentication(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)\r\n   at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)\r\n   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)\r\n   --- End of inner exception stack trace ---\r\n   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)\r\n   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)\r\n   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)\r\n   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)\r\n   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, 
Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)\r\n   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)\r\n   at System.Net.Http.HttpMessageHandlerStage.Send(HttpRequestMessage request, CancellationToken cancellationToken)\r\n   at System.Net.Http.SocketsHttpHandler.Send(HttpRequestMessage request, CancellationToken cancellationToken)\r\n   at System.Net.Http.HttpClientHandler.Send(HttpRequestMessage request, CancellationToken cancellationToken)\r\n   at System.Net.Http.HttpMessageInvoker.Send(HttpRequestMessage request, CancellationToken cancellationToken)\r\n   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)\r\n   at System.Net.Http.HttpClient.Send(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)\r\n   at System.Net.HttpWebRequest.SendRequest(Boolean async)\r\n   at System.Net.HttpWebRequest.GetResponse()\r\n   --- End of inner exception stack trace ---\r\n   at System.Net.HttpWebRequest.GetResponse()\r\n   at System.Net.WebClient.GetWebResponse(WebRequest request)\r\n   at System.Net.WebClient.DownloadBits(WebRequest request, Stream writeStream)\r\n   at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest&amp; request)\r\n   at System.Net.WebClient.DownloadString(Uri address)\r\n   at System.Net.WebClient.DownloadString(String address)\r\n   at TestGetWebContent.Program.Main(String&#x5B;] args) in C:\\Users\\&#x5B;..]\\source\\repos\\TestGetWebContent\\TestGetWebContent\\Program.cs:line 13\r\n<\/pre>\n<p>at the same time curl or wget could communicate with the same site without issues. i&#8217;ve tried updating local <i>ca-certificates<\/i> package &#8211; that did not help. 
then i&#8217;ve run the same binaries on two different servers &#8211; both debian bullseye and &#8211; surprise surprise! it worked on one but not on the other. in despair i&#8217;ve run strace and noticed that on the server where i had a problem the program was reading content from ~\/.dotnet\/corefx\/cryptography\/x509stores\/ca, on the other &#8211; where things worked nicely &#8211; that folder was not present. what did i do? i&#8217;ve deleted ~\/.dotnet\/corefx\/cryptography\/x509stores\/ca and things started to work.<\/p>\n<p>i have too little knowledge of .net core internals to tell exactly why it used its own store of root certs and did not rely on CAs installed from the <i>ca-certificates<\/i> package.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>i&#8217;ve stumbled on an issue &#8211; simple .net core code using HttpWebRequest failed to communicate with any server that had lets encrypt cert. no matter if the server used new or old certificate chain &#8211; i was getting: System.Net.WebException: The SSL connection could not be established, see inner exception. 
&#8212;&gt; System.Net.Http.HttpRequestException: The SSL connection could [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51],"tags":[115,102,116],"class_list":["post-3279","post","type-post","status-publish","format-standard","hentry","category-unimportant","tag-dotnetcore","tag-letsencrypt","tag-ssl"],"_links":{"self":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3279","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/comments?post=3279"}],"version-history":[{"count":2,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3279\/revisions"}],"predecessor-version":[{"id":3281,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3279\/revisions\/3281"}],"wp:attachment":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/media?parent=3279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/categories?post=3279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/tags?post=3279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}