You are viewing limited content. For full access, please sign in.

Question

Question

Forms Multi-Server Configuration Utility says my certificate is invalid

Forms Version 11
Updated May 12
asked on May 9, 2024

I am testing the new Forms Multi-Server Configuration Utility. When I run it on my DMZ server it gives the error:

"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel... The remote certificate is invalid according to the validation procedure"

I have copied the certificate from the Internal Primary Forms server to the DMZ server and opened it and it shows as being valid, so why would the Utility say it isn't? This is happening with two different sets of servers.

0 0

Answers

APPROVED ANSWER
replied on January 2 Show version history

Update April 8, 2025:

This issue has been fixed in the Forms 12 Spring 2025 Release: Accept the untrusted certificate set on the IIS server when validating the certificate used for WCF connections. (BugID: 565802)

You can see other changes from: Laserfiche 12 Release Information

Get the latest Laserfiche Forms 12 package from: Laserfiche 12 - Downloads

-------

We resolved this through a support case after digging through the source code to figure out exactly which function was resulting in this exception. The next release of the utility will contain an update that eliminates this misleading error.

Long story short:

If you see the error:

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at DMZConfigurationUtility.DMZConfignUtility.<ValidateCertificate>d__28.MoveNext()

This is NOT about the client certificate you're trying to configure, it's about the local https/443 certificate on the machine on which you're running the utility. Incredibly deceptive, in context. If there's a client certificate error, you should see the string "ERROR: Invalid certificate."

I'm going to share the function here, because it's helpful in understanding what goes wrong:

		private async Task ValidateCertificate(string thumbprint)
		{
			DMZConfigFileLogger.Current.LogTrace("Validating IIS access to certificate's private key.", "ValidateCertificate");

			var localFqdn = Dns.GetHostEntry("LocalHost").HostName;
			var URL = $@"https://{localFqdn}/Forms/webapi/v1/WcfSettings/ValidateIISRightsForCertificate?thumbprint={thumbprint.ToLower()}";
			HttpClient client = new HttpClient();
			client.BaseAddress = new Uri(URL);
			client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
			HttpResponseMessage response = await client.GetAsync("");
			if (response.IsSuccessStatusCode)
			{
				var result = await response.Content.ReadAsStringAsync();
				if (result != "\"Success\"")
				{
					throw new Exception(Resources.ERROR_CERTIFICATE_INVALID, new Exception(result));
				}
			}
			else
			{
				throw new Exception(string.Format(Resources.FAILED_TO_CONNECT, URL, string.Format(Resources.STR_HTTP_STATUS_CODE, response.StatusCode)));
			}
		}

This is the critical bit:

Dns.GetHostEntry("LocalHost").HostName;
var URL = $@"https://{localFqdn}/Forms/webapi/v1/WcfSettings/ValidateIISRightsForCertificate?thumbprint={thumbprint.ToLower()}";

The utility is making an HTTPS request to a web services endpoint for the local Forms IIS instance, passing the client certificate thumbprint as a URL parameter. The URL is constructed using the result of the .NET Dns.GetHostEntry("Localhost") function, which returns the hostname (FQDN if domain-joined) of the local machine.

You can run that exact function in PowerShell with:

[System.Net.Dns]::GetHostEntry("LocalHost")

In a typical DMZ scenario, machine is not domain joined and has a hostname like "FormsDMZ". Which means the constructed URL is:

https://FormsDMZ/Forms/webapi/v1/WcfSettings/ValidateIISRightsForCertificate?thumbprint=ABC123

And the TLS certificate bound to port 443 for IIS likely covers whichever nice DNS alias you're using, like "publicforms.example.com", and NOT the local machine hostname "FormsDMZ". 

The web request to the client certificate validation endpoint above subsequently fails to go through due to the hostname mismatch with the IIS TLS certificate and surfaces the system-level error:

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Ironic.

This can also affect the internal/primary Forms instance if you're using an alias (e.g., forms.example.com). and the internal IIS certificate doesn't cover the machine's FQDN hostname (e.g., lfprodweb01.example.com).

As a workaround, you can:

  1. Generate a temporary certificate (self-signed or otherwise) that covers whatever the output of "[System.Net.Dns]::GetHostEntry("Localhost")" is as a Subject Alternative Name (SAN) ("FormsDMZ", etc.).
    1. If your client authentication cert already has the local hostname in its SAN field and also has the Server Authentication role ("Enhanced Key Usage"), you can use it for this purpose.
  2. Trust it on the local machine (if necessary, as with a self-signed cert).
  3. Swap the certificate binding for https/443 in IIS to use this temp cert.
  4. Run the Forms Multi-Server Configuration Utility.
  5. The web request to https://FormsDMZ/Forms/webapi/v1/WcfSettings/ValidateIISRightsForCertificate?thumbprint=ABC123 will pass TLS validation so the actual client certificate check occurs.
  6. Resolve any other issues (open firewall ports to the internal/primary Forms instance, etc.) and complete configuration.
  7. Swap the https/443 certificate back to the original one. Don't forget to do this.

 

We'll get a better way to handle this sorted out in a future update of the utility. In the meantime, the workaround above should get you past the error in these scenarios.

5 0
SELECTED ANSWER
replied on April 8

Hi, this issue has been fixed on Forms 12 Spring 2025 Release: Accept the untrusted certificate set on the IIS server when validating the certificate used for WCF connections. (BugID: 565802)

You can see other changes from: Laserfiche 12 Release Information

Get the latest Laserfiche Forms 12 package from: Laserfiche 12 - Downloads

1 0

Replies

replied on January 2 Show version history

Hey Blake,

What ended up being the problem here? I have a customer who generates certificates for their LFDS machine, and we've always been able to copy it to the DMZ machine and use it without a problem in the various EndpointConfiguration utilities. They have a certificate expiring soon and now I'm worried they'll have to change their method of generating this certificate if this utility isn't going to trust it. 

Update: Worked with Cameron in a support chat and we figured out that the wild card cert used in IIS for TLS in the DMZ (not the certs we were using to establish trust between internal Forms and DMZ forms) was the culprit. We temporarily changed that cert in IIS to the self-signed cert we created for the DMZ server, re-ran the MSCU on the DMZ machine, and it worked. Then changed the cert in IIS back to the functional wild card one. Big shoutout to Cameron on that one!

1 0
APPROVED ANSWER
replied on January 2 Show version history

Update April 8, 2025:

This issue has been fixed in the Forms 12 Spring 2025 Release: Accept the untrusted certificate set on the IIS server when validating the certificate used for WCF connections. (BugID: 565802)

You can see other changes from: Laserfiche 12 Release Information

Get the latest Laserfiche Forms 12 package from: Laserfiche 12 - Downloads

-------

We resolved this through a support case after digging through the source code to figure out exactly which function was resulting in this exception. The next release of the utility will contain an update that eliminates this misleading error.

Long story short:

If you see the error:

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at DMZConfigurationUtility.DMZConfignUtility.<ValidateCertificate>d__28.MoveNext()

This is NOT about the client certificate you're trying to configure, it's about the local https/443 certificate on the machine on which you're running the utility. Incredibly deceptive, in context. If there's a client certificate error, you should see the string "ERROR: Invalid certificate."

I'm going to share the function here, because it's helpful in understanding what goes wrong:

		private async Task ValidateCertificate(string thumbprint)
		{
			DMZConfigFileLogger.Current.LogTrace("Validating IIS access to certificate's private key.", "ValidateCertificate");

			var localFqdn = Dns.GetHostEntry("LocalHost").HostName;
			var URL = $@"https://{localFqdn}/Forms/webapi/v1/WcfSettings/ValidateIISRightsForCertificate?thumbprint={thumbprint.ToLower()}";
			HttpClient client = new HttpClient();
			client.BaseAddress = new Uri(URL);
			client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
			HttpResponseMessage response = await client.GetAsync("");
			if (response.IsSuccessStatusCode)
			{
				var result = await response.Content.ReadAsStringAsync();
				if (result != "\"Success\"")
				{
					throw new Exception(Resources.ERROR_CERTIFICATE_INVALID, new Exception(result));
				}
			}
			else
			{
				throw new Exception(string.Format(Resources.FAILED_TO_CONNECT, URL, string.Format(Resources.STR_HTTP_STATUS_CODE, response.StatusCode)));
			}
		}

This is the critical bit:

Dns.GetHostEntry("LocalHost").HostName;
var URL = $@"https://{localFqdn}/Forms/webapi/v1/WcfSettings/ValidateIISRightsForCertificate?thumbprint={thumbprint.ToLower()}";

The utility is making an HTTPS request to a web services endpoint for the local Forms IIS instance, passing the client certificate thumbprint as a URL parameter. The URL is constructed using the result of the .NET Dns.GetHostEntry("Localhost") function, which returns the hostname (FQDN if domain-joined) of the local machine.

You can run that exact function in PowerShell with:

[System.Net.Dns]::GetHostEntry("LocalHost")

In a typical DMZ scenario, machine is not domain joined and has a hostname like "FormsDMZ". Which means the constructed URL is:

https://FormsDMZ/Forms/webapi/v1/WcfSettings/ValidateIISRightsForCertificate?thumbprint=ABC123

And the TLS certificate bound to port 443 for IIS likely covers whichever nice DNS alias you're using, like "publicforms.example.com", and NOT the local machine hostname "FormsDMZ". 

The web request to the client certificate validation endpoint above subsequently fails to go through due to the hostname mismatch with the IIS TLS certificate and surfaces the system-level error:

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Ironic.

This can also affect the internal/primary Forms instance if you're using an alias (e.g., forms.example.com). and the internal IIS certificate doesn't cover the machine's FQDN hostname (e.g., lfprodweb01.example.com).

As a workaround, you can:

  1. Generate a temporary certificate (self-signed or otherwise) that covers whatever the output of "[System.Net.Dns]::GetHostEntry("Localhost")" is as a Subject Alternative Name (SAN) ("FormsDMZ", etc.).
    1. If your client authentication cert already has the local hostname in its SAN field and also has the Server Authentication role ("Enhanced Key Usage"), you can use it for this purpose.
  2. Trust it on the local machine (if necessary, as with a self-signed cert).
  3. Swap the certificate binding for https/443 in IIS to use this temp cert.
  4. Run the Forms Multi-Server Configuration Utility.
  5. The web request to https://FormsDMZ/Forms/webapi/v1/WcfSettings/ValidateIISRightsForCertificate?thumbprint=ABC123 will pass TLS validation so the actual client certificate check occurs.
  6. Resolve any other issues (open firewall ports to the internal/primary Forms instance, etc.) and complete configuration.
  7. Swap the https/443 certificate back to the original one. Don't forget to do this.

 

We'll get a better way to handle this sorted out in a future update of the utility. In the meantime, the workaround above should get you past the error in these scenarios.

5 0
replied on May 9, 2024

Hi Blake ,I've had the same issue on a Forms DMZ server too, Laserfiche is very picky on the issuer of the SSL certificates, i found that certificates issued from Sectigo are OK.

 

0 0
replied on May 13, 2024

Our infrastructure team creates a cert for each server.  I am no expert but am wondering if reusing your internal server cert is the issue.  

0 0
View 1 previous reply
replied on May 13, 2024

Emilee, I'm not reusing the cert, I just copied it to the DMZ server to test if the server thinks the cert is valid.

0 0
replied on May 13, 2024

Are you using any DNS or alternative names for your servers?

0 0
replied on May 13, 2024

If your computer thinks the certificate is valid, the rejection must be based on the certificate not being appropriate for the hostname in the https connection. What host name are you using, and how is that included in the certificate?

0 0
replied on May 13, 2024

When I open the internal Forms certificate on the DMZ Forms server it shows as valid. We are thinking it might be an issue with it not being able to check with the revocation server.

0 0
replied on May 15, 2024 Show version history

Hi Blake,

Kindly wonder if you used a wildcard certificate? In this case we have a known issue for FormsMultiServerConfigurationUtility that it will show error. 

ID 506849 FormsMultiServerConfigurationUtility would show error if configure certificate authentication using a certificate with wildcard in subject alternative name

 

You can find current certificate requirement is stated in Laserfiche Forms Multi-Server Configuration Utility - Education Resources

 

If it's not the issue then we might need the log to further debug it, please open up a support ticket and attach the log file.

 

Thanks,

Yuxuan

0 0
replied on May 16, 2024

For the Forms Primary server, we are using a certificate created specifically for that server from an internal CA. I have reviewed the certificate requirements from the PDF, and they all check out.

0 0
replied on June 5, 2024

I have opened a support ticket with my SP.

1 0
replied on June 5, 2024

We now have the firewall open from the DMZ servers to the internal CA servers for ports 80 and 443, but I am still receiving the same error message when testing the utility. Is there any way of knowing what part of the certificate it thinks is invalid?

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...