Could not establish trust relationship for the SSL/TLS secure channel

Question

When searching for a report in the web portal this error occurrs: 
 An error occurred while processing the request: GET identitytest.acme.com/.../reports System.Exception: An error occurred while processing the request: GET identitytest.acme.com/.../reports ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. 
 It works fine in production (IM 9.1), but not in development (IM 9.1.1). 
 Logging into the web portal works fine, so I'm guessing no issues with the certificate.. 
 When pasting the link in a browser the return is " Your session has expired. Please reload this page and login again. " 
 Best regards, Henrik

Sebastian Ober (iC Consult) · Accepted Answer

Do you have certificate pinning enabled for the app server connection inside your web portal web.config? If yes, this is precisely the error I had recently when we rotated the app server certificate without updating the pinned public key. You need to either remove (since it's deprecated with 9.1.1 anyway) or update the pinned public key in your decrypted web.config: 
 <add name="AppServerConnection" connectionString="QBM.AppServer.Client.ServiceClientFactory, QBM.AppServer.Client|URL= ">aperture.science/.../J5EcKORTzl12345TIlO2ofB9A26cIiQ3frODo=&quot;" />

Sebastian Ober (iC Consult) · Answer

You can find it in the web.config of the IdentityManager IIS application, e.g.: "C:\inetpub\wwwroot\IdentityManager\web.config" To see the connection strings unencrypted, you need to decrypt them using an admin command prompt: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pdf connectionStrings "C:\inetpub\wwwroot\IdentityManager" See here in this old documentation: Identity Manager 8.1.5 - Operational Guide (oneidentity.com) 
 Then you should have the line from my previous comment in the web.config file. You can modify it there, and run 
 aspnet_regiis.exe -pef connectionStrings " C:\inetpub\wwwroot\IdentityManager" 
 to encrypt it again. I'd do a restart of the iis application pool afterwards for good measure. 
 Initially, the public key is (optionally) configured during the installation of the web designer web portal, in the step where you select the app server connection. Apologies, I can't find a screenshot for it at the moment.

Markus Weiss-Ehlers · Answer

The pinned key is part of the connection string parameters. You just need to remove this parameter from the connection string.

Endpoint Privilege Management

Could not establish trust relationship for the SSL/TLS secure channel

Top Replies