I have got 2 sites hosted on Windows 2012 R2 IIS 8.5. One is an instance of Umbraco while the other is a .NET Core based API (let's call it MyApi). I want to perform a certain search action on Umbraco, so Umbraco makes a call to the API, which calls back the Umbraco/Api. The call to MyApi is fine; however, the call from MyApi to the Umbraco/Api is the problem. The Umbraco api logs:

Search failed System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Certificates themselves are provided by our customer's inner authority, which is a trusted root in the server storage. Now, originally we had a problem with the certificates, as they missed the first DNS record we use for the API call (the DNS records are not created yet, we use a record in 'hosts'), but that should be fixed by now.

I have updated the SSL error handler in the code so it logs an error and number in SSL Enum.

            System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
            System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => 
            {
                _logger.LogError("Received TLS errror " + ((int)sslPolicyErrors).ToString());
                return false;
            };

            _logger.LogDebug("Search starting");
            if (model.Username != null)
            {
                model.Favourites = _workplaceContext.GetUserFavourites(_dataContext, model.Username);
            }
            else if (model.JustFavourites)
            {
                return BadRequest();
            }
            using (var client = new HttpClient())
            {


                client.BaseAddress = new Uri(_configuration.GetValue<string>("UmbracoApiUrl"));
                _logger.LogDebug("Searching for addres " + new Uri(_configuration.GetValue<string>("UmbracoApiUrl")));
                client.DefaultRequestHeaders.Accept.Clear();
                client.DefaultRequestHeaders.Accept.Add(
                    new MediaTypeWithQualityHeaderValue("application/json"));
                var json = JsonConvert.SerializeObject(model);
                using (var stringContent = new StringContent(json, Encoding.UTF8, "application/json"))
                {
                    var response = await client.PostAsync("workplace/search", stringContent);
                    if (response.IsSuccessStatusCode)
                    {
                        _logger.LogDebug("Search API Call success");
                        var jsonResponse = await response.Content.ReadAsStringAsync();
                        var responseModel = JsonConvert.DeserializeObject<SearchResponseModel>(jsonResponse);
                        _logger.LogDebug("Search response TotalCount = " + responseModel.TotalCount);
                        return responseModel;
                    }
                    else
                    {
                        _logger.LogDebug("Search API Call status - " + response.StatusCode);
                        return StatusCode((int)response.StatusCode);
                    }
                }
            }

Originally we received error number 2. Now we just receive number 0, which should be no problem. Despite that, the connection is still not working. I have read various articles regarding this and enabled troubleshooting in the web config of Umbraco, but haven't found any useful information. I need a method to troubleshoot MyApi. Could someone point me in a direction on how to troubleshoot it to a similar degree of detail as Umbraco (I am not very familiar with .NET Core apps)?

The interesting part of error log:

2019-07-08 13:35:32.1745||DEBUG|XXXApi.Controllers.WorkplaceController|Search starting 
2019-07-08 13:35:32.1901||DEBUG|XXXApi.Controllers.WorkplaceController|Searching for addres https://xxx.yy.zz/umbraco/api/ 
2019-07-08 13:35:32.2682||ERROR|XXXCApi.Controllers.WorkplaceController|Received TLS errror 0 
2019-07-08 13:35:32.2682||ERROR|XXXApi.Controllers.WorkplaceController|Search failed System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
Pepsin
  • Test the used server for their SSL/TLS implementation: If the server is public you can use [SSLLabs](https://www.ssllabs.com/ssltest/index.html) otherwise https://testssl.sh – Robert Jul 08 '19 at 15:02
  • Hi, unfortunately at this moment the APIs are available only on the intranet. Also, I have just a Windows environment available – Pepsin Jul 08 '19 at 15:11
  • Can you access the server with other implementations like a browser, i.e. is the problem specific to your code or is it a problem of the server setup? – Steffen Ullrich Jul 08 '19 at 15:26
  • Start by capturing+logging+showing exactly which certificate your application sees as coming from the server and then you can double check which authority is needed as trusted for the certificate to be validated. Maybe you are getting another certificate than the one you think you get, or you installed the wrong authority. In all cases discussing certificate validation without ever viewing the certificates concerned is a difficult business. – Patrick Mevzek Jul 08 '19 at 17:44
  • Hi Steffen: IE doesn't allow me to access that place due to a high security policy (can't change it, domain environment). Firefox isn't happy about the certificate (as it uses its own storage and doesn't know the publisher) but shows me the full chain. Hi Patrick: For capturing I use the system.diagnostic entry in Umbraco's web config. I got an interesting message there: "Left with 0 client certificates to choose from." – Pepsin Jul 09 '19 at 07:42
  • OK solution here: The original error was in certificate and got fixed, BUT the callback returning 0 I used for debugging caused problem marking connection unsuccessful. It took like 2 days to figure it out. – Pepsin Aug 14 '19 at 08:07

1 Answer

Solution: The original error was in the certificate and got fixed, BUT the callback returning false that I used for debugging caused a problem by marking the connection unsuccessful. It took like 2 days to figure it out. So from the moment I got 0 in the enum, it was just a bug in my debugging code.

Oh, and don't forget to unsubscribe the delegate.

Pepsin
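A diagnostic callback that logs what the client received without changing the validation outcome, as an added example that is not code from the question or the answer. It assumes the same global `ServicePointManager` hook the question uses; the `TlsDiagnostics` class and its method names are hypothetical, and `Console.Error` stands in for the question's `_logger`.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: logs the presented certificate, returns the platform's own verdict.
public static class TlsDiagnostics
{
    private static bool LogAndKeepVerdict(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // SslPolicyErrors is a flags enum: 0 = None, 1 = RemoteCertificateNotAvailable,
        // 2 = RemoteCertificateNameMismatch, 4 = RemoteCertificateChainErrors.
        Console.Error.WriteLine("TLS policy errors: {0} ({1})",
            sslPolicyErrors, (int)sslPolicyErrors);

        if (certificate != null)
        {
            // Shows exactly which certificate the server presented to this client.
            Console.Error.WriteLine("  Subject:    " + certificate.Subject);
            Console.Error.WriteLine("  Issuer:     " + certificate.Issuer);
            Console.Error.WriteLine("  Thumbprint: " + certificate.GetCertHashString());
            Console.Error.WriteLine("  Expires:    " + certificate.GetExpirationDateString());
        }

        if (chain != null)
        {
            // Non-empty only when chain building reported a problem (untrusted root, revocation, ...).
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine("  Chain: {0} - {1}",
                    status.Status, status.StatusInformation.Trim());
        }

        // The return value IS the validation result. A constant 'false' rejects every
        // handshake, including one reported as None; a constant 'true' disables validation.
        return sslPolicyErrors == SslPolicyErrors.None;
    }

    // Subscribes the logger; dispose the returned object to unsubscribe it again.
    public static IDisposable Attach()
    {
        ServicePointManager.ServerCertificateValidationCallback += LogAndKeepVerdict;
        return new Detacher();
    }

    private sealed class Detacher : IDisposable
    {
        public void Dispose() =>
            ServicePointManager.ServerCertificateValidationCallback -= LogAndKeepVerdict;
    }
}
```

Wrapping the request in `using (TlsDiagnostics.Attach()) { ... }` keeps the hook from accumulating on every call, which is what happens when a lambda is added with `+=` inside a controller action.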