The SSL connection could not be established

[jonny-xhl]

I local debug is ok,but publish to IIS is error.
Don't use ocelot is ok,when I use upstream to get is error.

My logs details

warn: Ocelot.Requester.Middleware.HttpRequesterMiddleware[0]
      requestId: 0HLNESHAE1B8L:00000003, previousRequestId: no previous request id, message: Error making http request, exception: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
         at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
         at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
         at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
         at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
         at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
         at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
         at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
         at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
         at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
         at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
         at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
      --- End of stack trace from previous location where exception was thrown ---
         at System.Net.Security.SslState.ThrowIfExceptional()
         at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
         at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
         at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
         at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_1(IAsyncResult iar)
         at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
      --- End of stack trace from previous location where exception was thrown ---
         at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
         --- End of inner exception stack trace ---
         at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
         at System.Threading.Tasks.ValueTask`1.get_Result()
         at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
         at System.Threading.Tasks.ValueTask`1.get_Result()
         at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
         at System.Threading.Tasks.ValueTask`1.get_Result()
         at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
         at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
         at Ocelot.Requester.HttpClientHttpRequester.GetResponse(DownstreamContext context)

ocelot.json

{
  "ReRoutes": [
    //identityserver4  token
    {

      "DownstreamPathTemplate": "/connect/token",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": "5001"
        }
      ],
      "UpstreamPathTemplate": "/auth/token",
      "UpstreamHttpMethod": ["Post"],
      "UseServiceDiscovery": true,
      "DangerousAcceptAnyServerCertificateValidator": false
    },
    // API:Service1
    {
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "service1Identity",
        "AllowedScopes": []
      },
      "DownstreamPathTemplate": "/api/{url}",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": "5011"
        }
      ],
      "UpstreamPathTemplate": "/Service1/{url}",
      "UpstreamHttpMethod": [ "Get", "Post" ],
      "UseServiceDiscovery": true,
      "DangerousAcceptAnyServerCertificateValidator": false
    },
    // API:Service2
    {
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "service2Idnetity",
        "AllowedScopes": []
      },
      "DownstreamPathTemplate": "/api/{url}",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": "5021"
        }
      ],
      "UpstreamPathTemplate": "/Service2/{url}",
      "UpstreamHttpMethod": [ "Get", "Post" ],
      "UseServiceDiscovery": true,
      "DangerousAcceptAnyServerCertificateValidator": false
    }
  ],
  "GlobalConfiguration": {
    "ServiceDiscoveryProvider": {
      "Host": "192.168.1.186",
      "Port": 8500,
      "Type": "Consul"
    },
    "RateLimitOptions": {
      "ClientIdHeader": "client_id",
      "QuotaExceededMessage": "Too Many Requests!!!",
      "DisableRateLimitHeaders": false
    }
  }
}

[yuft]

it clearly says 'The remote certificate is invalid according to the validation procedure'.

Did you check if SSL certificate is valid or not?

E.g. open a endpoint with Chrome and see what Chrome says. https://localhost:5001

[jonny-xhl]

I open a endpoint with Chrome is not an effective secure connection,but I can get data by clicking on Continue Link.

[yuft]

see #309 #325 ,

set DangerousAcceptAnyServerCertificateValidator in ReRoute config and this will ignore SSL errors, false by default.

[jonny-xhl]

see #309 #325 ,

set DangerousAcceptAnyServerCertificateValidator in ReRoute config and this will ignore SSL errors, false by default.

I set DangerousAcceptAnyServerCertificateValidator false,but also error.

[jonny-xhl]

see #309 understand it.
The code is in the company and will only be tested tomorrow.

[v2codes]

maybe you need to set DangerousAcceptAnyServerCertificateValidator = true,if you want to ignore SSL validation

[naruto1227]

Is there an answer to this question?

[naruto1227]

[nemanjapyr]

have you managed to get around this issue yet?

i seem to be running into the same issue and using DangerousAcceptAnyServerCertificateValidator = true doesn't resolve it either.

[naruto1227]

I also set DangerousAcceptAnyServerCertificateValidator = true, but it has no effect

[57575]

try modify your downStreamScheme to "http"

[harshwd]

I am having same issue, any resolution?

[ahmedtolba1984]

@harshwd
Did you solve the issue as we currently face the same issue with the same stacktrace?

[raman-m]

@zhanghaiboshiwo @ahmedtolba1984 @harshwd @57575 @v2codes @jonny-xhl
Please, verify this fix if you're using WebSockets:

• #1375 #1237 #925 #920 Fix DownstreamRoute DangerousAcceptAnyServerCertificateValidator #1377