0
votes

I am getting the following error whenever I try to do a Test Connection in Email Campaign Manager.

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

The following is the error which is recorded in the log

ManagedPoolThread #11 11:41:08 INFO Job started: VerifyMTA
ManagedPoolThread #11 11:41:08 WARN EmailCampaign: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Exception: System.Net.WebException
Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Source: System.Web.Services
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Sitecore.Modules.EmailCampaign.AppsService.AppsService.GetServerApplicationsByApplicationId(Credentials credentials, Guid applicationId)
at Sitecore.Modules.EmailCampaign.Core.Services.AppsServiceClient.IsApplicationPurchased(Guid applicationId)
at Sitecore.Modules.EmailCampaign.Core.MessageTransfer.EmailDeliveryClient.IsPurchased()
at Sitecore.Modules.EmailCampaign.Core.MessageTransfer.EmailDeliveryClient.GetSmtpConfiguration()
at Sitecore.Modules.EmailCampaign.SendingManager.GetSmtpSettings()
at Sitecore.Modules.EmailCampaign.Core.MessageTransfer.MtaChecker.GetSmtpSettings(StringBuilder report, String& error)
at Sitecore.Modules.EmailCampaign.Core.MessageTransfer.RemoteMtaChecker.GetSmtpSettings(StringBuilder report, String& error)

Nested Exception

Exception: System.Security.Authentication.AuthenticationException
Message: The remote certificate is invalid according to the validation procedure.
Source: System
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.TlsStream.CallProcessAuthentication(Object state)
at System.Threading.ExecutionContext.runTryCode(Object userData)
at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean ignoreSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)


ManagedPoolThread #11 11:41:08 INFO Job ended: VerifyMTA (units processed: )

I am also getting an error in the Connection test option in the Email Delivery tab of Sitecore App Center.

Ports 25 and 443 are open on the server to contact the Sitecore App Center and the mail server (Default Sitecore Mail Server). I can do

telnet apps.sitecore.net 443

and it works fine.

I have tried logging out and logging back in to the Sitecore App Center, as suggested in some other thread on Stack Overflow, but I am still getting this error.

Can anyone suggest a fix for this? Thanks in advance.

3
Has it ever worked or is this a new install? You mention the ports are open, but are there any other firewall rules in place that might be blocking the connection? – Craig Taylor
@CraigTaylor We had the same problem with our test server and when we opened the ports, it started working, but not in the case of this server. When you say firewall blockage, just opening those is sufficient, right? – Sachin B. R.
I know that different firewalls operate differently, but I believe beyond opening the ports that there could still be rules in place that would prevent communication with the SAC (perhaps an unlikely scenario). Are you able to ping the SAC from that server? – Craig Taylor
@CraigTaylor I can't ping SAC in the new server and also the test server where it is working. I can however do telnet apps.sitecore.net 443 in both the servers and it works. I have updated the question with this information. – Sachin B. R.
@SachinBR Sorry, but I'm starting to run out of suggestions. Have you contacted Sitecore Support regarding this? They are generally very quick to help resolve these kinds of connection issues. – Craig Taylor

3 Answers

1
votes

We contacted Sitecore and we got the following response to troubleshoot the issue:

  • Relogin (log off and log back on) to the App Center Sitecore Application (that makes the system update authentication information)

  • Make sure the 'Email Delivery' app in Sitecore App Center has green 'Running' status icon next to it (indicating that the service has been purchased for the current account)

  • Verify connection between ECM (E-mail Campaign Manager) and MTA (Message Transfer Agent) as per recommendations from chapter 3.1.5 from the 'ECM 1.3.3 Administrator's and Developer's Guide' document on SDN available at http://sdn.sitecore.net/Products/ECM/ECM%201,-d-,3/Documentation.aspx

  • In case additional troubleshooting is required, set the 'Debug' setting from the 'Sitecore.EmailCampaign.config' file (in the '/App_Config/Include' folder) to 'true'. The setting specifies whether verbose logging in Sitecore log files for the ECM is enabled.

  • This can be related to an invalid or expired SSL certificate or because there is a mismatch between the certificate and the site's url (or base URL setting). Please check if these articles can help you:

    Could not establish trust relationship for SSL/TLS secure channel -- SOAP

    http://www.outsystems.com/NetworkForums/ViewTopic.aspx?Topic=Web-Services:-Could-not-establish-trust-relationship-for-the-SSL/TLS

  • Please check that the value of GlobalSettings.RendererUrl setting is equal to your current site hostname. You can use the following code in your layout for this:

    
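        protected override void OnLoad(EventArgs e)
        {
            // Write the configured renderer URL into the page so it can be compared with the site's hostname.
            Response.Write("GlobalSettings.RendererUrl: " + Sitecore.Modules.EmailCampaign.GlobalSettings.RendererUrl);
            base.OnLoad(e);
        }
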
  • In addition, please check that Anonymous Access is allowed for your WebSite or ECM requests are not blocked by firewall.

Temporary Fix
As a temporary fix, you can add a callback delegate that always returns true whenever Sitecore tries to verify the remote server certificate. You can do this by adding a function in the Global.asax file provided by Sitecore in the website folder, as explained here. If this solves the issue, then it confirms that it is a server certificate issue. This might cause some security issues, so don't use it as a permanent solution.
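
A diagnostic alternative to the always-true callback, added here as an example (it is not part of the original answer or of Sitecore's response): the callback below logs why validation failed (name mismatch, expiry, untrusted chain) and still rejects the connection, so the cause can be identified without disabling certificate checks. The class name `TlsTrustDiagnostics` and the `log` delegate are hypothetical; only standard .NET Framework APIs are used.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper (name is an assumption, not a Sitecore type).
public static class TlsTrustDiagnostics
{
    // Call once at startup, e.g. from Application_Start in Global.asax.
    public static void Install(Action<string> log)
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, errors) =>
            {
                if (errors != SslPolicyErrors.None)
                    log(Describe(sender, certificate, chain, errors));
                // Keep the platform's verdict: accept only if validation passed.
                return errors == SslPolicyErrors.None;
            };
    }

    public static string Describe(object sender, X509Certificate certificate,
                                  X509Chain chain, SslPolicyErrors errors)
    {
        var sb = new StringBuilder();
        // RemoteCertificateNameMismatch, RemoteCertificateChainErrors, etc.
        sb.AppendLine("TLS validation failed: " + errors);
        var request = sender as HttpWebRequest;
        if (request != null)
            sb.AppendLine("  Requested host: " + request.RequestUri.Host);
        if (certificate != null)
        {
            var cert = new X509Certificate2(certificate);
            sb.AppendLine("  Subject: " + cert.Subject);
            sb.AppendLine("  Issuer:  " + cert.Issuer);
            sb.AppendLine("  Valid:   " + cert.NotBefore.ToString("u")
                          + " to " + cert.NotAfter.ToString("u"));
        }
        // Each entry explains one chain problem (untrusted root, expired, ...).
        if (chain != null)
            foreach (X509ChainStatus status in chain.ChainStatus)
                sb.AppendLine("  Chain:   " + status.Status + " - "
                              + status.StatusInformation.Trim());
        return sb.ToString();
    }
}
```

Pass any logging delegate to `Install`; the logged flags and chain status show whether the fix belongs in the server's trusted root store, the system clock, or the hostname being requested.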

0
votes

Is your application pool running as Network Service? I've seen this error when the IIS worker process can't access the certificates used in the SSL/TLS negotiation.