
I've got a program that calls web services at customer sites, and since the web service is provided by a third party it requires SSL and I can't do anything about it.

In most cases when there is an error it's because there is a self-signed certificate, so I am checking X509Chain.ChainElements.ChainElementStatus for the UntrustedRoot error and just ignoring it.

That's all fine, however I'm getting an error from a new client and the ChainElementStatus element just appears to be an empty array. Any thoughts on what might cause that? If I look at the certificate error in IE it just says the certificate was not issued by a trusted CA.

EDIT: Adding the trace as Markus suggested, I see the following error coming back:

    DateTime=2009-12-21T21:58:29.8719648Z
System.Net Information: 0 : [0772] SecureChannel#57280435 - Remote certificate has errors:
    ProcessId=4964
    DateTime=2009-12-21T21:59:15.3239262Z
System.Net Information: 0 : [0772] SecureChannel#57280435 - An internal certificate chaining error has occurred.
    ProcessId=4964
    DateTime=2009-12-21T21:59:15.3239262Z
System.Net Information: 0 : [0772] SecureChannel#57280435 - Remote certificate was verified as invalid by the user.
    ProcessId=4964

+1  A: 

Have you tried adding some more logging? That's gotten me out of a couple of related errors in the past (I once spent more hours than I care to remember debugging a certificate-related issue only to realize that someone had set the clock forward to a time when my certificate was no longer valid).

I finally managed to locate the problem after reading Jeff P Sanders' great blog post about the process of debugging certificate-related errors. It's written for asp.net clients but it works equally well for regular .net clients.

The core of it is adding a couple of trace listeners to your (App|Web).Config file. The one you're probably going to be most interested in is the trace writer for System.Net and maybe System.Net.Sockets.

<configuration>
  <system.diagnostics>
    <!-- Flush after every write so the log survives a crash or hang mid-handshake -->
    <trace autoflush="true" />
    <sources>
      <!-- System.Net carries the SecureChannel / certificate-chain messages -->
      <source name="System.Net">
        <listeners><add name="System.Net"/></listeners>
      </source>
      <!-- Socket-level tracing; usually only needed for connection problems -->
      <source name="System.Net.Sockets">
        <listeners><add name="System.Net"/></listeners>
      </source>
    </sources>
    <sharedListeners>
      <!-- One file listener shared by both sources; the path is relative to the working directory -->
      <add
        name="System.Net"
        type="System.Diagnostics.TextWriterTraceListener"
        initializeData="System.Net.trace.log"
        traceOutputOptions="ProcessId, DateTime"
      />
    </sharedListeners>
    <switches>
      <!-- Verbose dumps headers and payload bytes: treat the log as sensitive and remove these once done -->
      <add name="System.Net" value="Verbose" />
      <add name="System.Net.Sockets" value="Verbose" />
    </switches>
  </system.diagnostics>
</configuration>

Give it a go and if it doesn't solve your problem you should at least have enough data to update your question with more info.

Markus Olsson
Thanks! Not getting a whole lot more info, but I added what I think is the relevant portion of the trace...
Telos
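For the validation callback the question describes (looking only at ChainElements[i].ChainElementStatus for UntrustedRoot and otherwise accepting), here is an added example, not code from the original post or from either participant. It logs the chain-level `X509Chain.ChainStatus` as well as the per-element statuses, so the "internal certificate chaining error" the trace reports shows up with its status flags instead of an empty array, and it replaces the blanket "ignore UntrustedRoot" with a per-host pin on the leaf certificate's thumbprint: an untrusted or partial chain is accepted only when the leaf matches the thumbprint recorded for that customer. Blindly accepting UntrustedRoot accepts any self-signed certificate, including one presented by an interposing proxy. The host name and thumbprint in `PinnedThumbprints` are placeholders, and the code assumes the `sender` passed to the callback is the `WebRequest` that opened the connection (true for HttpWebRequest-based web service proxies).

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post. PinnedThumbprints is a
// hypothetical per-customer allow-list of leaf SHA-1 thumbprints; the
// entry below is a placeholder, not a real host or thumbprint.
static class PinnedCertificateValidator
{
    private static readonly Dictionary<string, string> PinnedThumbprints =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "ws.customer-a.example", "0000000000000000000000000000000000000000" },
        };

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    private static bool Validate(object sender, X509Certificate certificate,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        string host = HostOf(sender);

        // The platform already validated the certificate: nothing to do.
        if (errors == SslPolicyErrors.None)
            return true;

        // Name mismatch or no certificate at all is never acceptable.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
        {
            Trace.TraceError("TLS: rejecting {0}: policy errors {1}", host, errors);
            return false;
        }

        // Chain-level status is the authoritative summary. Per-element
        // ChainElementStatus can be empty even when the chain as a whole
        // failed, so checking only the elements leaves you blind.
        X509ChainStatusFlags flags = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus status in chain.ChainStatus)
            flags |= status.Status;

        for (int i = 0; i < chain.ChainElements.Count; i++)
        {
            X509ChainElement element = chain.ChainElements[i];
            string elementStatus = element.ChainElementStatus.Length == 0
                ? "(no element status)"
                : string.Join(", ", Array.ConvertAll(element.ChainElementStatus,
                                                     s => s.StatusInformation.Trim()));
            Trace.TraceInformation("TLS: chain[{0}] {1}: {2}", i,
                                   element.Certificate.Subject, elementStatus);
        }
        Trace.TraceInformation("TLS: chain status for {0}: {1}", host, flags);

        // Only an untrusted or incomplete chain is a candidate for pinning.
        // Revoked, expired, or badly signed certificates are hard failures.
        const X509ChainStatusFlags tolerable =
            X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.PartialChain;
        if ((flags & ~tolerable) != X509ChainStatusFlags.NoError)
        {
            Trace.TraceError("TLS: rejecting {0}: chain status {1}", host, flags);
            return false;
        }

        // Untrusted root: accept only if the leaf is the one pinned for this host.
        var leaf = new X509Certificate2(certificate);
        string expected;
        bool pinned = PinnedThumbprints.TryGetValue(host, out expected)
                      && string.Equals(leaf.Thumbprint, expected,
                                       StringComparison.OrdinalIgnoreCase);
        if (!pinned)
            Trace.TraceError("TLS: rejecting {0}: untrusted chain and leaf {1} is not pinned",
                             host, leaf.Thumbprint);
        return pinned;
    }

    // For HttpWebRequest-based clients the sender is the request itself.
    private static string HostOf(object sender)
    {
        var request = sender as WebRequest;
        if (request != null)
            return request.RequestUri.Host;
        return sender == null ? "(unknown host)" : sender.ToString();
    }
}
```

Call `PinnedCertificateValidator.Install()` once at startup, before the first web service call. With the System.Net trace listener from the answer enabled, the `Trace.TraceInformation` lines land in the same log as the SecureChannel messages, which makes it easy to see which flag (UntrustedRoot, PartialChain, or something less benign) the platform actually raised for a given customer.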