views: 7487
answers: 2
I have a simple web service call, generated by a .NET (C#) 2.0 windows app, via the web service proxy generated by Visual Studio, for a web service also written in C# (2.0). This has worked for several years, and continues to do so at the dozen or so places where it is running.

A new installation at a new site is running into a problem. When attempting to invoke the web service, it fails with the message saying, "Could not establish a trust relationship for the SSL/TLS secure channel". The URL of the web service uses SSL (https://) -- but this has been working for a long time (and continues to do so) from many other locations.

Where do I look? Could this be a security issue between Windows and .NET that is unique to this install? If so, where do I set up trust relationships? I'm lost!

Rob Schripsema

+6  A: 

Thoughts (based on pain in the past):

  • do you have DNS and line-of-sight to the server?
  • are you using the correct name from the certificate?
  • is the certificate still valid?
  • is a badly configured load balancer messing things up?
  • does the new server machine have the clock set correctly (i.e. so that the UTC time is correct [ignore local time, it is largely irrelevant]) - this certainly matters for WCF, so may impact regular SOAP?
  • is there a certificate trust chain issue? if you browse from the server to the soap service, can you get SSL?
  • is the server's machine-level proxy set correctly? (which is different to the user's proxy); see proxycfg for XP / 2003 (not sure about Vista etc)
Marc Gravell
1) The web service is on the web. We can browse to it via a browser.
2) New machine is not a server -- it is a desktop running my app, which gathers order info and uploads via the SOAP service.
3) Yes, we can browse to it.
4) This is new to me: machine level proxy?
Rob Schripsema
Yes; code doesn't use the IE proxy settings; it uses a separate store... it is important that this is configured (if you are using a proxy). On XP, the easiest option is (IIRC) "proxycfg -i" to import the IE settings.
Marc Gravell
The clock thing applies equally to desktops; I will clarify...
Marc Gravell
Thanks Marc. This helped me, and the problem was that the server had a cert signed by a 3rd party CA that I hadn't trusted yet. The solution was to add that CA to the Trusted Root CA list.
p.campbell
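Added example, not code from the question or the answers above: a .NET 2.0 certificate-validation callback that logs which of the checks in the answer failed (untrusted CA in the chain, host name mismatch, clock skew, missing certificate from a proxy) and still rejects the connection, so the failure becomes diagnosable without disabling TLS authentication. It assumes the generated proxy goes through System.Net's ServicePointManager, which Visual Studio's SOAP proxies do; the class and method names are mine.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Diagnostic-only callback: explains WHY the SSL/TLS channel is not trusted,
// then returns the same verdict the default validator would (errors => reject).
// Do not return true here to make the error go away; that turns off server
// authentication for every HTTPS call the process makes.
static class TlsTrustDiagnostics
{
    // Call once at startup, before the first web service call.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndDecide;
    }

    static bool LogAndDecide(object sender, X509Certificate cert,
                             X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        Console.WriteLine("TLS trust failure: {0}", errors);
        if (cert != null)
        {
            Console.WriteLine("  subject: {0}", cert.Subject);   // compare with the https:// host
            Console.WriteLine("  issuer:  {0}", cert.Issuer);    // the CA that must be trusted
        }
        // A wrong machine clock shows up as NotTimeValid in the chain status below.
        Console.WriteLine("  machine UTC time: {0:u}", DateTime.UtcNow);

        // Chain errors cover an untrusted or unknown root CA, an expired certificate,
        // and a missing intermediate; ChainStatus names the exact reason.
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
        {
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("  chain: {0} - {1}", s.Status, s.StatusInformation.Trim());
            foreach (X509ChainElement e in chain.ChainElements)
                Console.WriteLine("  element: {0}", e.Certificate.Subject);
        }
        // RemoteCertificateNameMismatch: URL host differs from the certificate name.
        // RemoteCertificateNotAvailable: a proxy or load balancer presented no certificate.
        return false;
    }
}
```

If the log shows UntrustedRoot or PartialChain, the fix is the one p.campbell describes: install the issuing CA in the machine's Trusted Root (or Intermediate) store, not a change to this callback.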
+1  A: 

Microsoft's SSL Diagnostics Tool may be able to help identify the issue.

sipwiz