The remote certificate is invalid

We had a certificate from GoDaddy that we were using which expired on Friday. We got a new one from them and I have installed it. On the server, I can connect using both the Epicor Administration and running the client on the server. However, if I attempt to run the client on a workstation, I receive the following error:


## System Information ##
==================

AppServer Connection: https://remote.durafintube.com/KineticLive
Form Name: ShellMenuForm
Customization Name: 
Menu ID: 
Software Version: 4.2.300.4

============

Application Error

Exception caught in: mscorlib

## Error Detail ##
============
Message: An error occurred while sending the request.
Inner Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Program: CommonLanguageRuntimeLibrary
Method: ThrowForNonSuccess

## Client Stack Trace ##
==================
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.<SendAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.<SendAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Ice.Cloud.ProxyBase`1.<ExecuteAsync>d__61.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Epicor.Utilities.AsyncHelper.RunSync[TResult](Func`1 method)
   at Ice.Cloud.ProxyBase`1.Execute(String methodName, RestValueSerializerBase serializer, ProxyValuesIn valuesIn, ProxyValuesOut valuesOut)
   at Ice.Cloud.ProxyBase`1.<>c__DisplayClass59_0.<CallWithCommunicationFailureRetry>b__0(Context _)
   at Polly.Policy`1.<>c__DisplayClass32_0.<Execute>b__0(Context ctx, CancellationToken ct)
   at Polly.Retry.RetryEngine.Implementation[TResult](Func`3 action, Context context, CancellationToken cancellationToken, IEnumerable`1 shouldRetryExceptionPredicates, IEnumerable`1 shouldRetryResultPredicates, Func`1 policyStateFactory)
   at Polly.RetryTResultSyntax.<>c__DisplayClass12_0`1.<WaitAndRetry>b__0(Func`3 action, Context context, CancellationToken cancellationToken)
   at Polly.Policy`1.ExecuteInternal(Func`3 action, Context context, CancellationToken cancellationToken)
   at Polly.Policy`1.Execute(Func`3 action, Context context, CancellationToken cancellationToken)
   at Polly.Policy`1.Execute(Func`2 action, Context context)
   at Ice.Cloud.ProxyBase`1.CallWithCommunicationFailureRetry(String methodName, ProxyValuesIn valuesIn, ProxyValuesOut valuesOut, RestRpcValueSerializer serializer)
   at Ice.Cloud.ProxyBase`1.CallWithMultistepBpmHandling(String methodName, ProxyValuesIn valuesIn, ProxyValuesOut valuesOut, Boolean useSparseCopy)
   at Ice.Cloud.ProxyBase`1.Call(String methodName, ProxyValuesIn valuesIn, ProxyValuesOut valuesOut, Boolean useSparseCopy)
   at Ice.Proxy.Lib.SessionModImpl.Login()
   at Ice.Core.Session.GetSessionId(String asUrl, String companyId, String plantId)
   at Ice.Core.Session.InitSessionMod(String asUrl, Boolean fwVerCheck, String companyID, String plantID, String sessionId)
   at Ice.Core.Session.InitSession(Action setCredentials, String asUrl, Guid licenseTypeId, String pathToConfigurationFile, Boolean fwVerCheck, String companyID, String plantID, Boolean useChannelCacheForServices, String sessionID)
   at Ice.Core.Session..ctor(String userID, String password, String asUrl, Guid licenseTypeId, String pathToConfigurationFile, Boolean fwVerCheck, String companyID, String plantID, Boolean useChannelCacheForServices, String sessionID)
   at Ice.Core.Session..ctor(String userID, String password, Guid licenseType)
   at Ice.Lib.LogOn.CreateSession(String userID, String password, String appServerUri, Guid licenseType, SessionTokenType sessionTokenType, Object azureADOwnerWindow)
   at IceShell.Apps.LogonDialog.logOn(String userID, String password, Boolean promptUpdatePassword)
   at IceShell.Apps.LogonDialog.DoWorkLogon()

## Inner Exception ##
===============
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.


   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)


## Inner Exception ##
===============
The remote certificate is invalid according to the validation procedure.


   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)

I opened a case with Epicor last night, but after 24 hours I’m still waiting for it to be assigned. Really hoping to get this cleared up before Monday morning. If anyone has any ideas, would love to hear them.

What happens when you try to connect from the web?

[image] is what I get if I try to connect directly to the address through a browser.

And to be clear, it is completely possible I installed the cert wrong. I’m more programmer than network guy but having to step up and cover areas I’m not very good at.

That’s not what I was expecting. I was expecting a certificate error in the browser and we could expand and drill down.

What you have here is some type of misconfiguration server side. What that could be, I really don’t have the experience anymore to tell you either.

Try Microsoft’s oldest trick. Reboot :rofl:

Maybe try a .NET 6 Web Bundle repair. Throwing darts here.

And of course, check the event logs on the server.

Maybe post the steps you made here as well so someone here can see if there is something you missed.

You have any load balancers or other wonky things in the loop?

OK, starting at the beginning and giving the steps I took is probably most helpful.

We were using a certificate from GoDaddy. It expired Friday. They sent me a new zip file containing two .crt files and a .pem file as well as the instructions here:

Manually install an SSL certificate on my IIS 10 server | SSL Certificates - GoDaddy Help US

I was able to work through all their instructions until it came time to install the SSL certificate on the server. Go into IIS, into server certificates, complete certificate request, add friendly name, etc. Choose web hosting in the certificate store. Looks great, go to bind the certificate and it has disappeared from the server certificates. Do it again, same results.

Install it in the personal store, and it now appears for binding the SSL cert to the “website” and does not disappear from the server certificate list. Installed in the personal store, it works on the server.

Tried installing it locally on the workstation as well, but that does not allow the workstation to open Epicor. This is not a self-signed cert, it is signed by GoDaddy, but I’d be willing to install it locally on every workstation if I have to, as long as I can get it to actually work.
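Two of the steps above (the certificate vanishing from IIS after "Complete Certificate Request", and a certificate that works on the server but not from a workstation) can be checked directly in the server's own certificate stores. The following is an added example, not code from the thread, from Epicor, or from GoDaddy's instructions; run it in an elevated PowerShell on the IIS host. The hostname is an assumption taken from the AppServer URL in the error above, and `<path-to-intermediate.crt>` stands for whichever `.crt` in the GoDaddy zip is the intermediate CA certificate.

```powershell
# Added example (not from the thread, Epicor or GoDaddy): inspect, on the IIS host,
# the certificate that will be served for a hostname. Run in an elevated PowerShell.
# $HostName is an assumption taken from the AppServer URL in the error above.
$HostName = 'remote.durafintube.com'

# 1. Find the newest leaf for the name in the stores IIS binds from: Personal
#    (Cert:\LocalMachine\My) and Web Hosting (Cert:\LocalMachine\WebHosting).
$leaf = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\WebHosting -ErrorAction SilentlyContinue |
    Where-Object { $_.DnsNameList.Unicode -contains $HostName -or $_.Subject -like "CN=$HostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate for $HostName in LocalMachine\My or LocalMachine\WebHosting" }

'Subject    : {0}' -f $leaf.Subject
'Store      : {0}' -f $leaf.PSParentPath
'Thumbprint : {0}' -f $leaf.Thumbprint
'Valid      : {0:u} to {1:u}' -f $leaf.NotBefore, $leaf.NotAfter
'PrivateKey : {0}' -f $leaf.HasPrivateKey

# A certificate that vanishes from the IIS "Server Certificates" list right after
# "Complete Certificate Request" was imported without its private key (the CSR was
# not generated on this machine, or the key is gone). IIS silently drops such entries.
if (-not $leaf.HasPrivateKey) {
    Write-Warning 'No private key attached. If the key still exists on this box, re-link it with:'
    Write-Warning "  certutil -repairstore my $($leaf.SerialNumber)"
    Write-Warning 'Otherwise re-key the certificate from a CSR generated on this server.'
}

# 2. Confirm http.sys (which owns HTTPS bindings, not IIS itself) has this thumbprint bound.
$boundHashes = (netsh http show sslcert) -match 'Certificate Hash' |
    ForEach-Object { ($_ -split ':', 2)[1].Trim().ToUpper() }
'Bound      : {0}' -f ($boundHashes -contains $leaf.Thumbprint)

# 3. Build the chain as Schannel does on this machine and check that every intermediate
#    CA is in the machine Intermediate store (Cert:\LocalMachine\CA). The server can
#    always complete its own chain from its local stores, which is why "it works on the
#    server"; a workstation must receive the intermediates in the handshake (or fetch
#    them itself via AIA, which some clients and networks cannot do).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
'ChainBuilt : {0}' -f $chain.Build($leaf)
foreach ($s in $chain.ChainStatus) {
    Write-Warning ('Chain status: {0} - {1}' -f $s.Status, $s.StatusInformation.Trim())
}

$intermediateStore = Get-ChildItem Cert:\LocalMachine\CA
foreach ($element in ($chain.ChainElements | Select-Object -Skip 1)) {
    $ca = $element.Certificate
    if ($ca.Subject -eq $ca.Issuer) { continue }     # a self-signed root belongs in Root, not CA
    $present = [bool]($intermediateStore | Where-Object { $_.Thumbprint -eq $ca.Thumbprint })
    'Intermediate present in LocalMachine\CA: {0}  ({1})' -f $present, $ca.Subject
    if (-not $present) {
        Write-Warning 'Import the intermediate .crt from the CA bundle, then restart IIS:'
        Write-Warning '  Import-Certificate -FilePath <path-to-intermediate.crt> -CertStoreLocation Cert:\LocalMachine\CA'
    }
}
```

The three outputs map onto the three failure modes a practitioner should rule out in order: no private key (IIS will not keep the certificate), wrong or stale binding in http.sys (the old, expired certificate is still being served), and a missing intermediate (the server trusts itself but cannot hand clients a complete chain). Only the last one is fixed on the server rather than on every workstation.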

Not really familiar with this but if you think it’s worth a shot, I’ll give it a try. I did add some more information as to what I did if that helps at all.

I rebooted so many times that the computer got whiplash.

Usually, a bad cert won’t make the server crash. There was also a Windows update over the last couple of weeks, so…

Server did not crash. I may have implied something I did not intend. Network, servers and workstations are working fine except for loading Epicor on a workstation.

Sorry, a 5XX error message means the application crashed. I was using server in the web server context. Sorry about that.

In order to fix this, we ended up exporting the cert from the server. We then had to install the cert locally for each user, under the user account, in Root Certificate Authority. We then had to change the config files to point to the new app server and copy that to all the machines.

I’m sure since this is a GoDaddy cert we shouldn’t have had to do this, especially since this is not what we did with the previous cert, but it’s what Epicor support came up with and it works, even if I have to do it for each user and machine.


Ouch. We use GoDaddy certs as well and haven’t had to do this.

:nauseated_face:

Normally, when the certs didn’t work, we’d see a 401 or 403. :person_shrugging:


Did you contact GoDaddy? This could be their problem.

I did not because the only thing that was having issues with the certs was Epicor and also because I assumed that if there was any way it wasn’t their fault, support would have quickly offloaded the problem and told me to call someone else.

I’ve got a similar situation here. We had been using a self-signed certificate, and of course it doesn’t work when you try to open Epicor in a browser, which we don’t typically do anyway, so it wasn’t a huge deal. The client installs all work and everything was mostly happy.

Then we decided to implement ECM, which I understand is accessed through a browser even if Epicor is on-prem? So, after much confusion and delay, we have a new cert that is not self-signed and it’s installed on our server. I went in and edited the bindings in IIS to select the new certificate and that worked fine, as long as I’m on the server. When I go to a client workstation, Epicor won’t open and I get a “could not establish a trust relationship for the SSL/TLS channel”. Because this had happened before, I installed the new certificate on the client machine, as this had worked in the past. Not this time. I opened a ticket with support and they sent me 2 KB articles about exporting a self-signed cert and adding a cert to a client workstation, so no help there. Now they’ve asked me to check for duplicate certificates. I have. There aren’t any. So not sure what to do next.

Self signed certs work fine IF they are added to the workstation’s Trusted Root Certification Authorities and generated properly. Note: Usually browser must be fully restarted to see the added cert.


And the Fully Qualified Domain Name on the cert matches exactly what you’re typing in the browser? erp.totalfirenc.com or ecm.totalfirenc.com for example?
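The two questions raised in the last posts (why a workstation fails where the server itself succeeds, and whether the name in the URL matches the certificate) can be answered in one shot from the failing workstation. The following is an added example, not code from the thread or from Epicor: it performs the same Windows (Schannel) validation that the .NET client's `HttpWebRequest` performs, but captures the specific policy and chain status flags instead of the generic "Could not establish trust relationship" message. The hostname is an assumption taken from the AppServer URL earlier in the thread; use the exact host from the client's own configuration, since that is what is compared with the certificate's Subject Alternative Names.

```powershell
# Added example (not from the thread or from Epicor): run on a workstation that fails to
# log in. It uses SslStream with a validation callback so the client's own verdict
# (policy errors and chain status) is recorded and explained.
# $TargetHost is an assumption taken from the AppServer URL earlier in the thread.
$TargetHost = 'remote.durafintube.com'
$Port       = 443

$result = [ordered]@{ PolicyErrors = 'not reached'; ChainStatus = @(); ChainSeen = @() }

# Validation callback: record what the client decided, then return $true so the
# handshake completes and the negotiated protocol can be read too. Accepting every
# certificate is only acceptable in a throwaway diagnostic like this one.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $result.PolicyErrors = "$errors"
    $result.ChainStatus  = @($chain.ChainStatus  | ForEach-Object { "$($_.Status)" })
    $result.ChainSeen    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    return $true
}.GetNewClosure()

$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($TargetHost)   # this name is what gets matched against the SAN list
    'Protocol      : {0}' -f $ssl.SslProtocol
    'Server cert   : {0}' -f $ssl.RemoteCertificate.Subject
} finally {
    $tcp.Close()
}

'Policy errors : {0}' -f $result.PolicyErrors
'Chain status  : {0}' -f ($result.ChainStatus -join ', ')
'Chain seen    :'
$result.ChainSeen | ForEach-Object { '  ' + $_ }

# Translate the flags into the action each one calls for. A combined value such as
# "RemoteCertificateChainErrors, RemoteCertificateNameMismatch" matches more than one case.
switch -Wildcard ($result.PolicyErrors) {
    'None' { 'OK: this workstation trusts the server for this name.' }
    '*RemoteCertificateNameMismatch*' {
        "NAME: '$TargetHost' is not in the certificate's SAN list. Fix the URL in the client config or re-issue the cert."
    }
    '*RemoteCertificateChainErrors*' {
        if ($result.ChainStatus -contains 'PartialChain') {
            'CHAIN: an intermediate CA is missing. Install it on the server (LocalMachine\CA), not on every client.'
        }
        if ($result.ChainStatus -contains 'UntrustedRoot') {
            'ROOT: the chain ends in a root this workstation does not trust; check Trusted Root Certification Authorities.'
        }
        if ($result.ChainStatus -contains 'NotTimeValid') {
            'TIME: a certificate in the chain is expired or not yet valid; check the workstation clock as well.'
        }
    }
}
```

The distinction the script draws matters for where the fix goes: `PartialChain` means the server is not sending its intermediate, which is corrected once on the server, whereas `UntrustedRoot` or `RemoteCertificateNameMismatch` point at the workstation's trust store or at the URL the client is configured with. Copying a leaf certificate into every user's Trusted Root store makes the first case go away too, but only by telling each workstation to trust that one certificate directly, so the next renewal repeats the whole exercise.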