41
votes

I'm getting this error while attempting to make my WCF client and server talk to each other.

The X.509 certificate CN=localhost chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust.

Everything works perfectly if I turn SSL certificates off.

8 Answers

36
votes

There is a problem with your certificate (I suppose you use a self-signed cert). WCF tries to verify the whole chain of issuers and expects that the chain finally ends at a trusted root authority. To disable that check you could add the line below to the app.config branch serviceBehaviors/behavior/serviceCredentials/clientCertificate. But this "crutch" shouldn't be used in production:

<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
41
votes

I fixed the problem by turning off validation in my code like this:

client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = 
System.ServiceModel.Security.X509CertificateValidationMode.None;

Where client is an instance of my service reference.

9
votes

The correct thing to do is to setup your own Dev/Test Trusted Root Certificate and sign your client and service certificates with this.

Bypassing chain trust in your Dev/Test environment may "work" but your Dev/Test environment is now configured differently to Production, which is not a great idea as you may find some tests produce false positives or false negatives.
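An added example (not the answerer's code) of the middle ground this answer recommends: instead of setting the validation mode to None, use X509CertificateValidationMode.Custom with a validator that only accepts service certificates chaining to your own Dev/Test root. The class name, the root certificate path and the client variable are assumptions for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;

// Accepts a service certificate only if its chain terminates in the supplied
// Dev/Test root. The root does not have to be installed in the machine's
// Trusted Root store, and validation is not switched off entirely.
public sealed class DevRootCertificateValidator : X509CertificateValidator
{
    private readonly X509Certificate2 _devRoot;

    public DevRootCertificateValidator(X509Certificate2 devRoot)
    {
        _devRoot = devRoot ?? throw new ArgumentNullException(nameof(devRoot));
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException(nameof(certificate));

        using (var chain = new X509Chain())
        {
            // Make our root available to the chain engine even though it is not installed.
            chain.ChainPolicy.ExtraStore.Add(_devRoot);
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            // A dev root normally publishes no CRL; keep revocation checking on for a real PKI.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

            if (!chain.Build(certificate))
                throw new SecurityTokenValidationException("Service certificate chain could not be built.");

            // AllowUnknownCertificateAuthority lets ANY unknown root through, so pin the
            // terminal element of the chain to the thumbprint of our Dev/Test root.
            var terminal = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!string.Equals(terminal.Thumbprint, _devRoot.Thumbprint, StringComparison.OrdinalIgnoreCase))
                throw new SecurityTokenValidationException("Service certificate does not chain to the Dev/Test root.");
        }
    }
}

// Wiring it into the client proxy (hypothetical names; the .cer holds the public key only):
// var devRoot = new X509Certificate2(@"C:\devpki\DevTestRoot.cer");
// var auth = client.ClientCredentials.ServiceCertificate.Authentication;
// auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
// auth.CustomCertificateValidator = new DevRootCertificateValidator(devRoot);
```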

4
votes

Add endpoint behavior in your client application(e.g:App.config) and set the behavior configuration you added in the endpoint.

<behaviors>
  <endpointBehaviors>
    <behavior name="certificateEndpointBehavior">
      <clientCredentials>
        <serviceCertificate>
          <authentication certificateValidationMode="None" revocationMode="NoCheck"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

<endpoint address="http://localhost/Invoice.svc"
          binding="wsHttpBinding"
          bindingConfiguration="WsHttpBinding_ACKS"
          contract="Invoice"
          name="Invoice"
          behaviorConfiguration="certificateEndpointBehavior">
</endpoint>
3
votes

I had some difficulty with this same exact issue. I was using the CustomToken-VS2010 sample from the WIF SDK.

The sample doesn't have an app.config and I felt that knowing how the code works is useful anyway, so I spent some time investigating this. I feel I should show my results here. I hope this information is helpful.

I had the same issue. The problem I had was "where do I set this mode?" I had a difficult time finding the object that had this property to set that was actually the correct object. I finally found it as part of the ChannelFactory:

using System.ServiceModel.Security;
:
ChannelFactory<IEcho> echoChannelFactory = new ChannelFactory<IEcho>(...)
echoChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

So, the place to set this is in the ChannelFactory object.

Running Visual Studio 2010 as local administrator, I was able to get the sample to work (after having also run the batch file associated with all the samples to create the certificate, etc.)

Again, this is not something you would do in a production environment, but knowing how to set the service certificate authentication mode is probably a pretty good thing to know overall.

2
votes

If deactivating the revocationMode helped, then most likely you are missing a certificate revocation list for your root CA.

makecert -crl -n "CN=CARoot" -r -sv CARoot.pvk CARoot.crl

This also needs to be imported to the trusted root certification authorities. See also my answer here.

0
votes

(Thought I would share this just in case it saves somebody out there some time.) I ran into this issue while running a web application on WIF. I fixed my problem by moving a copy of the X.509 certificate I was working with from the "Certificates/Personal/Certificates" folder to the "Trusted Root Certification Authorities/Certificates" folder inside the certificate store. You can do this by running the Microsoft Management Console.

0
votes

Following on from Aseiu's comment above, I found that the exact same error above will be output when the cert is missing from the trusted store on the server. In researching the issue, I also found that the event viewer under Windows Logs/Application will contain an error that details the certificate it is having a problem with. You can also correlate the activity log with the entries in the SVC log for the service.