I have an ASP.NET Core software that periodically sends an HTTP request to the webservice of a customer of ours. I've been working on the software on my machine and everything went smoothly. Now that I've released it on OpenShift, I get an error during the HTTP connection:
Exception: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'api.example.com'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
(Line breaks added by me for better readability; of course api.example.com is fake)
Running openssl s_client -connect api.example.com:443 -prexit returns no error. I can see the certificate chain and I can identify the CAs.
The HTTP connection is created behind the scenes by the Connected Service's proxy class (it's a WSDL service), so I'm not sure how to fiddle with its properties.
Where should I mark the certificates as trusted roots? I guess in the Docker container. Should I do it in my application? How?
openssl s_clientdisplayedVerify return code: 0 (OK)or only that its exit status ($?in most Unix,%errorlevel%in CMD,$LastExitCodein PS) was zero? Unlike most programs that make TLS connections,openssl s_clientdoes NOT exit with error status for an invalid certificate by default; it does so only if you specify-verify_return_error.Verify return code: 0 (OK).