Troubleshooting - SSL Trust Relationship

  • Could not establish a trust relationship with the remote server when using SSL (HTTPS)

    You receive an error similar to this in the event log.

    ReminderWebPartDirectory: Error in processWebPartNode (URL:https://<yoururl> SK:<GUID>)

    System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.


    The reason you receive this error message is that the SSL certificate presented by the remote server fails validation on the machine making the request.

    If you were browsing to the site using Internet Explorer you would receive a warning like the one shown on the right. While this gives you the option to ignore the warning and proceed, a program running as a service has no option but to close the connection, hence the error above.

The most common causes are listed here:

  • Incorrect, expired or invalid SSL security certificate

You will receive a warning in I.E. if you visit the site.

  • The SSL certificate was issued by a company you have not chosen to trust

The Certification Authority is not trusted because it is not in the Trusted Root Certification Authorities store. This commonly occurs if your organisation issues its own SSL certificates, for example using SelfSSL in a development/testing environment.

Note - You may not receive an error while browsing to the site using I.E. if you or your network administrator has set up the internal Certification Authority to be trusted either for your profile or on your local machine, but has not added the CA certificate to the server's certificate store.

  • The name of the Security Certificate is invalid

An SSL certificate is only valid for a particular name or, if a wildcard certificate is used, for a particular domain. Check that the certificate is valid for the address that is listed in the error message - you can use IE to test this.

Note that an SSL certificate will be valid for a FQDN such as sharepoint.mycompany.com but will not be valid for the IP address that this maps to. This means that if you access the site using the IP address you will receive this error.

If you notice that an IP address or incorrect URL is listed in the error message then you have not set SecureBindings in the IIS metabase. This is similar to the DNS Alias problem as without the SecureBindings property being set SharePoint has no way of determining the DNS name that an IP address represents. You will also notice that SharePoint Administration pages Virtual Server List shows the sites by their IP address or incorrect URL.
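The three causes above each leave a distinct trace in the certificate validation that .NET performs. The following Windows PowerShell script is an added example, not code from the original article or from the web part it describes: it performs the same TLS handshake a .NET service would (SslStream underlies HttpWebRequest) against the name from the logged URL, records the policy errors instead of closing the connection, and maps them to the causes listed here. The function name Test-SslTrust is my own; it assumes Windows PowerShell on the server that logs the error, because trust is evaluated against that machine's certificate stores, not your workstation's.

```powershell
# Added diagnostic example (not part of the original article or the web part).
# Run on the server that logs the error, ideally under the service account.
function Test-SslTrust {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # name exactly as in the logged URL
        [int]$Port = 443
    )

    $script:Diag = @{ PolicyErrors = $null; ChainStatus = @(); Cert = $null; RootThumbprint = $null }

    # Validation callback: record the outcome so the handshake completes and the
    # certificate can be inspected. This is for diagnosis only; a service must not do this.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $sslPolicyErrors)
        $script:Diag.PolicyErrors = $sslPolicyErrors
        if ($cert -ne $null) {
            $script:Diag.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        }
        if ($chain -ne $null) {
            $script:Diag.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            $elements = @($chain.ChainElements)          # element 0 is the leaf, last is the top of the chain
            if ($elements.Count -gt 0) {
                $script:Diag.RootThumbprint = $elements[$elements.Count - 1].Certificate.Thumbprint
            }
        }
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # the name passed here drives the name check, as in .NET
        $ssl.Close()
    }
    finally { $client.Close() }

    $d = $script:Diag
    $causes = @()
    $mismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $chainErr = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

    if ($d.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
        $causes += 'No certificate policy errors: this machine trusts the certificate. Check the SPN or proxy settings instead.'
    }
    if ([int]($d.PolicyErrors -band $mismatch) -ne 0) {
        $causes += "Name mismatch: '$($d.Cert.Subject)' is not valid for '$HostName' (wrong name, IP address used, or SecureBindings not set)."
    }
    if ([int]($d.PolicyErrors -band $chainErr) -ne 0) {
        if ($d.ChainStatus -contains 'NotTimeValid') {
            $causes += "Expired or not yet valid: $($d.Cert.NotBefore) to $($d.Cert.NotAfter)."
        }
        if ($d.ChainStatus -contains 'UntrustedRoot' -or $d.ChainStatus -contains 'PartialChain') {
            # The CA may be trusted for a user profile but not for the machine, which is
            # what a service running under its own account sees.
            $inMachine = Test-Path "Cert:\LocalMachine\Root\$($d.RootThumbprint)"
            $inUser    = Test-Path "Cert:\CurrentUser\Root\$($d.RootThumbprint)"
            $causes += "Untrusted issuer '$($d.Cert.Issuer)': top-of-chain cert $($d.RootThumbprint) present in LocalMachine\Root=$inMachine, CurrentUser\Root=$inUser."
        }
        $known = @('NotTimeValid', 'UntrustedRoot', 'PartialChain')
        $other = @($d.ChainStatus | Where-Object { $known -notcontains $_ })
        if ($other.Count -gt 0) { $causes += "Other chain status: $($other -join ', ')" }
    }

    New-Object PSObject -Property @{
        Host         = $HostName
        PolicyErrors = $d.PolicyErrors
        ChainStatus  = $d.ChainStatus
        Causes       = $causes
    }
}

# Usage: use the host name from the error, then repeat with the IP address to see the name mismatch.
Test-SslTrust -HostName sharepoint.mycompany.com | Format-List
```

Running it once with the FQDN and once with the IP address reproduces the distinction the note above draws: the same certificate validates for the name and fails with RemoteCertificateNameMismatch for the address. If LocalMachine\Root reports False while CurrentUser\Root reports True, you have the situation described in the note under the second cause.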

To correct this, follow the steps listed here to set the SecureBindings metabase property:

cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8d9f2a8f-cd23-448c-b2c7-f4e87b9e2d2c.mspx

Where <host header> is the host header for the site and <site identifier> is IIS's internal Site ID.
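Before running adsutil.vbs it helps to see which sites actually lack a host header on their HTTPS binding and what their site IDs are. The following Windows PowerShell function is an added example, not from the original article: it reads the same IIS 6 metabase through the IIS ADSI provider that adsutil.vbs itself uses, and flags any site whose SecureBindings is empty or carries no host part. The function name Get-SecureBindingsReport is my own; it assumes the IIS ADSI provider is available on the web server (it is on IIS 6, and on later versions only with the IIS 6 metabase compatibility component installed). It only reads; setting the value is done with the adsutil.vbs command above.

```powershell
# Added read-only audit example (not part of the original article).
# Lists each IIS web site with its ServerBindings and SecureBindings and marks
# sites whose HTTPS binding has no host header, the condition that makes
# SharePoint show the site by IP address and log an IP in the error.
function Get-SecureBindingsReport {
    $w3svc = [ADSI]"IIS://localhost/W3SVC"
    foreach ($site in $w3svc.Children) {
        if ($site.SchemaClassName -ne 'IIsWebServer') { continue }

        # Bindings have the form "IP:port:hostheader"; drop nulls/empties first.
        $secure = @($site.SecureBindings | Where-Object { $_ })
        $noHost = @($secure | Where-Object {
            $parts = $_.Split(':')
            ($parts.Length -lt 3) -or ($parts[2] -eq '')
        })
        $needsHostHeader = ($secure.Count -eq 0) -or ($noHost.Count -gt 0)

        New-Object PSObject -Property @{
            SiteId          = $site.Name                      # the <site identifier> for adsutil.vbs
            Description     = "$($site.ServerComment)"
            ServerBindings  = (@($site.ServerBindings) -join '; ')
            SecureBindings  = ($secure -join '; ')
            NeedsHostHeader = $needsHostHeader
        }
    }
}

# Usage: sites with NeedsHostHeader = True are the ones to fix with adsutil.vbs.
Get-SecureBindingsReport | Format-Table SiteId, Description, ServerBindings, SecureBindings, NeedsHostHeader -AutoSize
```

The SiteId column gives the value to substitute for <site identifier> in the adsutil.vbs command, and the host part of the existing ServerBindings entry is normally the value to use for <host header>.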

  • You need to set up a Service Principal Name

http://support.microsoft.com/kb/871179