9

I have been in the process of converting an HTTP application to HTTPS and SSL with a self-signed certificate.

For some reason I have to go in the browser to localhost:##### to start the service.

Once the service is started, I test it with the following call in the Visual Studio 2012 command prompt:

svcutil.exe https://localhost:10201/?wsdl

and it comes back with

Error: Cannot obtain Metadata from https://localhost:10201/?wsdl

If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address.  For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.


WS-Metadata Exchange Error
    URI: https://localhost:10201/?wsdl

    Metadata contains a reference that cannot be resolved: 'https://localhost:10201/?wsdl'.

    Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost:10201'.

    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    The remote certificate is invalid according to the validation procedure.


HTTP GET Error
    URI: https://localhost:10201/?wsdl

    There was an error downloading 'https://localhost:10201/?wsdl'.

    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    The remote certificate is invalid according to the validation procedure.

If you would like more help, type "svcutil /?"

Is this detrimental to my success with HTTPS?

My config looks as such:

<system.serviceModel>

    <!--SERVICES-->
    <services>
      <service name="DuplexService.DuplexService"
         behaviorConfiguration="sb">

        <endpoint
           address="basic"
           binding="customBinding"
           bindingConfiguration="customDuplexBinding"
           contract="DuplexService.Interface.IDuplexServiceContract">
        </endpoint>

        <endpoint
            address=""
            binding="webHttpBinding"
            behaviorConfiguration="webHttpEndpointBehavior"
            bindingConfiguration="webHttpsBinding"
            contract="Interface.IPolicyRetriever">
        </endpoint>

        <endpoint
            address="mex"
            binding="mexHttpsBinding"
            contract="IMetadataExchange">
        </endpoint>

        <host>
        <baseAddresses>
          <add baseAddress="https://localhost:10201" />
        </baseAddresses>
        </host>
      </service>


    </services>


    <!--BEHAVIOURS-->
    <behaviors>
    <!--Policy-->
      <endpointBehaviors>
        <!-- For Policy Service -->
        <behavior name="webHttpEndpointBehavior">
          <webHttp  />
        </behavior>
      </endpointBehaviors>


      <!--behaviour for all of the endpoints -->
      <serviceBehaviors>
        <behavior name="sb">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpsGetEnabled="true" httpsGetUrl="https://localhost:10201"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <!-- This will solve a bug that happens if too many items are sent at once from the gateway to the client -->
          <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
          <serviceThrottling
          maxConcurrentCalls="200"
          maxConcurrentSessions="200"
          maxConcurrentInstances="200" />
        </behavior>
      </serviceBehaviors>
    </behaviors>



    <!-- BINDINGS-->
    <bindings>

    <webHttpBinding>
        <binding name="webHttpsBinding">
            <security mode="Transport">
                <transport clientCredentialType="None" />
            </security>
        </binding>
    </webHttpBinding>

      <customBinding>
        <binding name="customDuplexBinding">
          <pollingDuplex duplexMode="MultipleMessagesPerPoll"
               maxOutputDelay="00:00:01"
               serverPollTimeout="00:01:00"
               inactivityTimeout="02:00:00"
               maxPendingMessagesPerSession="2147483647"
               maxPendingSessions="2147483647" />
          <binaryMessageEncoding>
            <readerQuotas
              maxDepth="2147483647"
              maxStringContentLength="2147483647"
              maxArrayLength="2147483647"
              maxBytesPerRead="2147483647"
              maxNameTableCharCount="2147483647" />
          </binaryMessageEncoding>
          <httpsTransport
            maxBufferSize="2147483647"
            maxReceivedMessageSize="2147483647"
            transferMode="StreamedResponse" />
        </binding>
      </customBinding>



    </bindings>




    <!-- Register the binding extension from the SDK. -->
    <extensions>
      <bindingElementExtensions>
        <add name="pollingDuplex"
             type="System.ServiceModel.Configuration.PollingDuplexElement, System.ServiceModel.PollingDuplex" />
      </bindingElementExtensions>
    </extensions>
  </system.serviceModel>

How can I get rid of it and make the metadata work and the GET work?

jordan

2 Answers

10

I can think of 4 ways to deal with this.

  1. Install the self signed cert as a trusted root auth. MMC -> Certificates
  2. Use a browser to navigate to the wsdl (click past the cert error), save it off, and generate off the wsdl directly.
    • Put the url of the wsdl in your browser and click past the certificate warning so that you can see the actual wsdl
    • Save the wsdl to your computer. In chrome you can right click, save as.
    • In Visual Studio
      • Right click on the project and select "Add Service Reference"
      • In the Address box, enter the physical path (C:\directory...) of the downloaded wsdl.
      • Hit Go
  3. Fire up Fiddler and tell it to decrypt HTTPS, which will install a cert and give you an option to ignore remote cert errors. Described here: http://proq.blogspot.com/2012/02/svcutil-and-https.html
  4. Use a cert signed by a trusted root.

I didn't see a svcutil option to ignore cert errors.

Kenneth Ito
  • Didn't help, but will be helpful for other people searching for the answer in the future – jordan Nov 20 '12 at 17:01
  • 1 and 2 didn't work, 4 should be equivalent to 1. 3 doesn't work for me because I can't install fiddler due to access restrictions. Any other way? – Juergen Jun 01 '15 at 10:48
  • @Juergen Supposedly 1 and 2 should always work. I just expanded directions on 2 as I get the feeling most people don't understand how. I'll also expand on 1 when I have a moment – Kenneth Ito Jun 01 '15 at 15:40
  • At least 1) didn't work for me. Thought it should work, too, maybe I did something wrong? I created a self-signed certificate on the server side with CN=[Servername] and added it to the Trusted Root CAs in my Client. Still the same error. I couldn't really apply 2) because in my browser (IE) I got no certificate warning. Neither when navigating to the service (.svc), nor to the .wsdl file. I tried loading the .wsdl and applying svcutil on it but that returned in another error. In another thread I found that this probably wasn't the whole/correct wsdl file so I dropped it. – Juergen Jun 01 '15 at 17:29
  • Ahh, couple things. First, totally forgot this was svcutil and not VS generation. Instructions here: http://stackoverflow.com/a/4200321/897291. If the multi-file wsdl/xsd stuff is giving you difficulty, you can generate a single-file wsdl in .NET 4.5+ by using http://localhost:port/some.svc?singleWsdl . About the CN, it needs to match the url you are using to access the service with. In many cases that's localhost for development. Also, it's strange that you are not getting errors in IE, did you forget to put https into the url? – Kenneth Ito Jun 01 '15 at 19:41
  • The ?singleWsdl looks like the one I downloaded earlier. CN matched the IP of the server I'm trying to access, although it wasn't localhost in my case. Also, I included https. Maybe I'm not getting the warning in IE because I added the certificate to "trusted CAs"; I'm not sure I tried it before adding it. I haven't had much time to look into this so for the moment I generate the contracts in a visual studio 2010 on a different machine where it works perfectly. I'll probably come back to this when I have the time. – Juergen Jun 03 '15 at 11:09
  • 1 didn't work, same error. Can't do 2 since this is a .NET Standard library. 3 didn't work, same error. Not enough details to know how to try 4. – Justin Jan 17 '19 at 15:48
  • @Justin, this is an answer to a circa 2012 WCF Visual Studio tooling question. Are you using svcutil.exe? If no, this answer isn't intended to be a general purpose thing. – Kenneth Ito Feb 08 '19 at 18:23
  • @KennethIto Yes I'm using svcutil.exe, I know it's outdated to use SOAP but we are converting a class library that consumes a SOAP API from .NET Framework to .NET Core, so can't use the Visual Studio SOAP web references any longer. I was able to get it working eventually, just had a hard time downloading the WSDL. – Justin Feb 09 '19 at 13:27
0

I had the same issue. For me, I noticed that the HTTPS was using another certificate, which was invalid in terms of expiration date. Not sure why it happened. I changed the HTTPS port number and a new self-signed cert. WcfTestClient could connect to the server via HTTPS!

patricgh
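
The first answer's option 1 (untrusted root), its comment that the CN must match the URL, and the second answer's expired certificate are three different reasons the same "remote certificate is invalid" error can appear. The PowerShell below is an added example, not code from either answer: it reads the certificate the port actually presents and reports which of the three applies. `Test-EndpointCertificate` is a hypothetical helper name, the host and port are the ones from the question, and the last command assumes the service is hosted through HTTP.SYS.

```powershell
# Added example, not from the original posts. Host and port come from the
# question; Test-EndpointCertificate is a hypothetical helper name.
function Test-EndpointCertificate {
    param([string]$HostName = 'localhost', [int]$Port = 10201)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents for this one diagnostic
        # connection, so the certificate can be read even when it is invalid.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Build the chain against the local trust stores. Revocation lookups are
    # skipped because a self-signed development certificate has none.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # Simple name check: first DNS name (SAN, else CN) against the host used
    # in the URL. Wildcards and additional SAN entries are not evaluated.
    $dnsName = $cert.GetNameInfo('DnsName', $false)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        Expired      = (Get-Date) -gt $cert.NotAfter
        NameMatches  = $dnsName -eq $HostName
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-EndpointCertificate | Format-List

# Assumption: the service is hosted through HTTP.SYS. This shows which
# certificate hash is bound to the port; compare it with Thumbprint above.
netsh http show sslcert | Select-String -Context 0,2 ':10201'
```

A `ChainStatus` of `UntrustedRoot` points at option 1, `NotTimeValid` at the expired certificate from the second answer, and `NameMatches = False` at the CN mismatch from the comments.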