0
votes

This should be a snap for anyone who's done it before...

I'm trying to set up a self-hosted WCF service using NetTcpBinding. I got a trial SSL certificate from Thawte and successfully installed that in my IIS store, and I think I've got it correctly set up in the service - at least it doesn't exception out on me!

Now, I'm trying to connect the client (this is still all on my dev machine), and it's giving me an error, "Message = "The X.509 certificate CN=ssl.mydomain.com, OU=For Test Purposes Only. No assurances., OU=IT, O=My Company, L=My Town, S=None, C=IL chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

Ooookeeeey... now what?

Client code (I want to do this in code, not app.config):

var baseAddress = "localhost";
var factory = new DuplexChannelFactory<IMyWCFService>(new InstanceContext(SiteServer.Instance));
factory.Endpoint.Address = new EndpointAddress("net.tcp://{0}:8000/".Fmt(baseAddress));
var binding = new NetTcpBinding(SecurityMode.Message);
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
factory.Endpoint.Binding = binding;
var u = factory.Credentials.UserName;
u.UserName = userName;
u.Password = password;
return factory.CreateChannel()

Added Bounty I've just got myself a new trial certificate from Thawte, installed it with the "issued to" set to mydomain.com, and I'm still getting the error above. I'm a newbie to web security, so I'll need detailed instructions how to get a client to connect to my website and accepting the security certificate. (BTW, what does "No assurances" mean?)

4
Can you confirm that the X.509 cert details in the error message correspond to the service SSL certificate you have described installing? Which line of the code throws the exception? What is the exception stack trace?Chris Dickson

4 Answers

3
votes

The problem seems to be that the server certificate you have installed on your server is not trusted by the client.

For it to be trusted the root CA certificate of the server certificate needs to be in the "Trusted Root Certification Authorities" store of the user running the client. If you get a "production" level server certificate from Thawte or some other similar CA it will already be trusted by most machines in the world.

However, judging by the error message (where the subject distinguished name of the certificate contains "OU=For Test Purposes Only. No assurances.") your certificate is a test certificate and you therefore need to add the CA certificate to your "Trusted Root Certification Authorities" store manually. The root certificate can usually be downloaded from the CA's (Thawte in your case) website.

3
votes

If the certificate is for ssl.mydomain.com you need to acces the server at that adress. It seems like you are trying to acces it through localhost, which obvisouly is not the same.

1
votes

The problem is the issuer of your certificate is not trusted.

WCF will try to verify the chain of certificates. One solution is to make sure the certificate used to issue the one you have is stored in the trusted issuers store of the server.

You could also add a custom certificate policy to bypass validation on your development env (as explained here)

You could also put your certificate in the 'Trusted People' stored and set the certificateValidationMode to ChainOrPeerTrust. This will try to validate the complete chain unless you put the certificate into the 'Trusted People' store. This would allow you to leave the configuration and code untouched for the deployment to production env. You will simply put your certificate in the 'Trusted People' store in your development env.

0
votes

in .net core 2.0 we have to do this from nuget package manager search for System.ServiceMode you can use System.ServiceModel.primitives.

updated as of april 2018