The client is failing to make an HTTPS request with the error message “The remote certificate is invalid according to the validation procedure.”

The client doesn’t trust the certificate on the server. Every time I’ve seen this error message it’s come from a self-signed certificate that the server is configured to use.

A Workaround To Avoid

There’s a hack workaround that you’ll see in some .NET code that makes the client stop reporting this issue.

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

We want to avoid this though, for a couple of reasons:

  • It bypasses certificate validation altogether, so a man-in-the-middle attack has a higher chance of succeeding.
  • If you only wanted to bypass validation for one API call, you can’t, because it’s a global setting in the application.

Trust Me, I’m a .. Server

The way to fix it is to get the client to trust the server’s certificate. This can be done in a couple of ways on Windows:

  • Import the server’s self-signed certificate into the client’s Trusted CA Store.
    • You’ll have to perform this import every time the self-signed certificate expires, so we’d want to avoid this as a long-term solution. It might be what you need to get development going though.
  • Use a certificate generated by a CA (Certificate Authority) that’s already in the client machine’s Trusted CA Store.
    • There are lots that are available by default on Windows machines, and maintained by Windows Update. You can secure a certificate of this type for the open internet from Comodo, GoDaddy, Entrust, …
    • If you’re in an enterprise domain, you may want to look into creating a Root CA, maintained by group policy, and generate TLS certificates based on that root certificate.
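
To see what “trusting the server’s certificate” changes, the following added example (not code from the original post) builds the certificate chain twice: once against the machine’s default trust, and once with the certificate supplied as a trusted root. It assumes .NET 5 or later; the certificate is constructed in memory, the subject name `dev-api.example.test` is hypothetical, and the custom trust store stands in for importing the certificate into the machine store, so nothing on the machine is modified.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class TrustDemo
{
    // Constructed stand-in for the server's self-signed certificate.
    static X509Certificate2 MakeSelfSigned(string subject, int validDays)
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var now = DateTimeOffset.UtcNow;
        return req.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(validDays));
    }

    // Builds the chain as a validating client would and returns the
    // combined status flags explaining any failure (NoError on success).
    static X509ChainStatusFlags Validate(X509Certificate2 cert,
                                         X509Certificate2? trustedRoot = null)
    {
        using var chain = new X509Chain();
        // A self-signed certificate has no CRL/OCSP endpoint to query.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (trustedRoot != null)
        {
            // Trust only the supplied root for this one chain build.
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        }
        chain.Build(cert);
        return chain.ChainStatus.Aggregate(
            X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
    }

    static void Main()
    {
        using var cert = MakeSelfSigned("CN=dev-api.example.test", 30);
        Console.WriteLine($"Default trust : {Validate(cert)}");
        Console.WriteLine($"Root trusted  : {Validate(cert, cert)}");
        // The trust decision lapses with the certificate, so track this date.
        Console.WriteLine($"Expires (UTC) : {cert.NotAfter.ToUniversalTime():u}");
    }
}
```

Validation stays on in both runs; only the set of trusted roots differs, which is the distinction between fixing trust and returning `true` from the callback.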