Question by nickstephens, Oct 8, 2015 3:09 PM

Could not establish trust relationship for SSL\TLS

We're completing a large rollout of Coveo across multiple servers. We've been following the provided documentation for how to configure Coveo for Sitecore without running the setup wizard through Sitecore. We've also followed the standard installation documentation for installing CES. As a part of that install, we elected to secure the Admin Service.

We are currently not able to access Control Panel -> Indexing to rebuild the indexes. This is a key step, based on the documentation, in order to have CES establish the connection to Sitecore and generate the correct certificates which will then be used to configure the Search API.

Any ideas as to how to begin diagnosing this error?

The error that I'm receiving is below:

System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority '[Server]'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Coveo.AdminService.AdminService.IAdminService.Authenticate(String p_Username, String p_Password)
   at Coveo.AdminService.AdminServiceAuthenticatedCallPerformer.PerformCall[T](Func`1 p_Call)
   at Coveo.AdminService.AdminServiceClientWrapper.PerformAdminServiceCall[T](Func`1 p_Func)
   at Coveo.AdminService.AdminServiceClientWrapper.IsSecurityProviderHealthy(String p_SecurityProviderName)
   at Coveo.SearchProvider.Applications.StateVerifier.<>c__DisplayClass13.<GetSecurityProviderState>b__12()
   at Coveo.SearchProvider.Applications.BaseVerifier.VerifyComponent(Func`1 p_VerifyMethod, String p_ComponentName)

The stack trace in the Sitecore log is:

10780 14:10:49 ERROR An error while Initializing occurred
Exception: System.ServiceModel.Security.SecurityNegotiationException
Message: Could not establish trust relationship for the SSL/TLS secure channel with authority '[server]'.
Source: mscorlib
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Coveo.AdminService.AdminService.IAdminService.Authenticate(String p_Username, String p_Password)
at Coveo.AdminService.AdminServiceAuthenticatedCallPerformer.PerformCall[T](Func`1 p_Call)
at Coveo.AdminService.AdminServiceClientWrapper.PerformAdminServiceCall[T](Func`1 p_Func)
at Coveo.AdminService.AdminServiceClientWrapper.IsFirstTimeSetupDone()
at Coveo.AbstractLayer.Communication.CES.AdminModule.InitializeCes()
at Coveo.AbstractLayer.Communication.CES.CESCommunication.InitializeCes()
at Coveo.SearchProvider.ProviderIndexBase.Initialize(IIndexDocumentPropertyMapper`1 p_DocumentTypeMapper)
Nested Exception
Exception: System.Net.WebException
Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Source: System
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
Nested Exception
Exception: System.Security.Authentication.AuthenticationException
Message: The remote certificate is invalid according to the validation procedure.
Source: System
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
10780 14:10:49 ERROR Error loading hook:
Exception: System.Reflection.TargetInvocationException
Message: Exception has been thrown by the target of an invocation.
Source: mscorlib
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
at Sitecore.Configuration.Factory.AssignProperties(Object obj, Object[] properties)
at Sitecore.Configuration.Factory.AssignProperties(XmlNode configNode, String[] parameters, Object obj, Boolean assert, Boolean deferred, IFactoryHelper helper)
at Sitecore.Configuration.Factory.CreateObject(XmlNode configNode, String[] parameters, Boolean assert, IFactoryHelper helper)
at Sitecore.Configuration.Factory.CreateObject(String configPath, String[] parameters, Boolean assert)
at Sitecore.ContentSearch.ContentSearchManager.get_SearchConfiguration()
at Sitecore.ContentSearch.Hooks.Initializer.Initialize()
at Sitecore.Events.Hooks.HookManager.LoadAll()
Nested Exception
Exception: System.ServiceModel.Security.SecurityNegotiationException
Message: Could not establish trust relationship for the SSL/TLS secure channel with authority '[server]'.
Source: mscorlib
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Coveo.AdminService.AdminService.IAdminService.Authenticate(String p_Username, String p_Password)
at Coveo.AdminService.AdminServiceAuthenticatedCallPerformer.PerformCall[T](Func`1 p_Call)
at Coveo.AdminService.AdminServiceClientWrapper.PerformAdminServiceCall[T](Func`1 p_Func)
at Coveo.AdminService.AdminServiceClientWrapper.IsFirstTimeSetupDone()
at Coveo.AbstractLayer.Communication.CES.AdminModule.InitializeCes()
at Coveo.AbstractLayer.Communication.CES.CESCommunication.InitializeCes()
at Coveo.SearchProvider.ProviderIndexBase.Initialize(IIndexDocumentPropertyMapper`1 p_DocumentTypeMapper)
at Coveo.SearchProvider.ProviderIndex.Initialize()
at Coveo.SearchProvider.Configuration.CoveoSearchConfiguration.AddIndex(ISearchIndex p_Index)
Nested Exception
Exception: System.Net.WebException
Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Source: System
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
Nested Exception
Exception: System.Security.Authentication.AuthenticationException
Message: The remote certificate is invalid according to the validation procedure.
Source: System
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)

Comment by Jean-François L'Heureux, Oct 8, 2015 5:07 PM

  1. Did you read the other answers on the same subject? https://search.coveo.com/#q=Could%20not%20establish%20trust%20relationship%20for%20SSL%5CTLS&sort=relevancy&f:sourceFacet=[Answers]
  2. Did you read the documentation topics that mention this error? https://search.coveo.com/#q=Could%20not%20establish%20trust%20relationship%20for%20SSL%5CTLS&sort=relevancy&f:sourceFacet=[Confluence%20-%20Developers]&f:spaceFacet=[Sitecore%20Integration%203.0%20October%202015%20Release]

Comment by Jean-François L'Heureux, Oct 8, 2015 5:08 PM

  1. What's your Sitecore version (Major.Minor Update)?
  2. What's your Coveo Enterprise Search 7.0 build version?
  3. What's your Coveo Search API 8.0 build version?
  4. What's your Coveo for Sitecore 3.0 version (complete file name of the zip package file)?

Thanks

Comment by nickstephens, Oct 8, 2015 5:15 PM

Yes, I reviewed those same answers; however, they do not apply to the issue I'm facing.

Actually, I did stumble upon mention of this issue in a piece of unrelated documentation on Upgrading Coveo for Sitecore. https://developers.coveo.com/display/public/SC201410/Upgrading+Coveo+for+Sitecore

The issue we are currently investigating is the difference between the hostnames on the cert generated by the Admin Service and what's stored in the SearchProvider.config. I didn't see mention of this caveat in the actual Installation of Coveo for Sitecore documentation.


Answer by Jean-François L'Heureux, Oct 15, 2015 2:17 PM

This problem was troubleshot in a support call. Here are the findings:

nickstephens automated the Coveo Admin Service certificate creation, binding to the 443 (HTTPS) port, copy to the Sitecore CMS server and addition to the certificate store of the Sitecore CMS server as well as the configuration of the Admin service URI, username and password.

We found that the certificate bound to the 443 port for the Coveo Admin Service didn't have the same thumbprint as the certificate added to the Sitecore CMS certificate store.

After copying and adding the right certificate (the one used by the 443 port binding) to the Sitecore CMS server, the problem was resolved.

Thanks,

Jeff
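
The thumbprint comparison described in the answer above, as an added example that is not part of the original thread or of Coveo's tooling: run on the Sitecore CMS server, it reads the certificate actually served on the Admin Service port and looks for the same thumbprint in the local machine certificate stores. The host name is a placeholder, and searching every LocalMachine store is an assumption because the thread does not name the store used.

```powershell
# Added example. Run on the Sitecore CMS server. Values below are placeholders, not from the thread.
$AdminServiceHost = 'ces.example.internal'   # placeholder: host part of the Admin Service URI
$Port = 443                                  # port the thread says the certificate is bound to

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented so it can be inspected; no data is sent on this stream.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

$served = Get-ServedCertificate -HostName $AdminServiceHost -Port $Port

# Names of the LocalMachine stores that hold a certificate with the served thumbprint.
$stores = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                   $_.Thumbprint -eq $served.Thumbprint } |
    ForEach-Object { ($_.PSParentPath -split '\\')[-1] }

# Chain validation as this machine sees it (revocation lookups skipped to keep the check offline).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($served)

[pscustomobject]@{
    ServedThumbprint = $served.Thumbprint
    ServedDnsName    = $served.GetNameInfo('DnsName', $false)
    NotAfter         = $served.NotAfter
    FoundInStores    = ($stores | Sort-Object -Unique) -join ', '
    ChainBuilds      = $chainOk
    ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

An empty `FoundInStores` means the certificate on the port is not the one that was copied to this server, which is the mismatch found in the support call. `ServedDnsName` can be compared with the host name configured in SearchProvider.config, the other difference mentioned in the comments.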
