
https, certificates, and: The underlying connection was closed: An unexpected error occurred on a send.

hello,

i am developing an ASP.NET web app that consumes a 3rd party vendor
webservice. it is my first one so while ive done my homework, im not an
expert on the matter.

our partner's webservice operates on SSL via an "https://" url. they
also gave me a .PFX certificate which ive installed via window's MMC
utility, into the "Computer account"'s Personal store; as indicated by
articles id found. i then export a .CER to the filesystem which my
C#.NET picks up. lastly, we attach our username/pw credentials. the
relevant code:

//costco webservice proxy object
PartnersProxyClass ws = new PartnersProxyClass();

//load certificate for costco intranet account
X509Certificate cert =
X509Certificate.CreateFromCertFile(@"c:\temp\foo.cer");

//add cert to ws
ws.ClientCertificates.Add(cert);

//add authentication info to ws
ws.Credentials = new NetworkCredential("foo_user", "foo_pw");

//hit ws and get a returned obj
WsMember member = ws.read(customerID);

....this works on my Windows XP dev machine, as well as on our Windows
2000 test machines. however, when we publish it to our Windows 2000
production webfarm, operating on BigIP, it does work. .NET reports this
on the .read() attempt:

"The underlying connection was closed: An unexpected error occurred on
a send."

....and, looking into our event log, i see this:

"The SSL client credential's certificate does not have a private key
information property attached to it. This most often occurs when a
certificate is backed up incorrectly and then later restored. This
message can also indicate a certificate enrollment failure."

i dont have access to the machine (big company) to try hitting the URL
via IE. however, i *did* write & install a command-line (DOS) .NET
program that does a simple test and hits the webservice several times
using the same code. *it works!* but our ASP.NET does not. this seems
key.

....i am trying to figure out what it all means and how to fix it. ive
read a dozen posts or so, and am exploring those options. but if anyone
can relate to our situation, i would appreciate it.
thanks!
matt

--
Matt Del Vecchio
Programmer Analyst
(619) 358-7556

Nov 23 '05 #1


Most probably, the ASPNET process identity does not have permissions to read
the certificate.

can you try the steps given at this url?

http://blogs.msdn.com/adarshk/archiv...19/187667.aspx

--
feroze

-----------------
This posting is provided as-is. It offers no warranties and assigns no
rights.

See http://weblogs.asp.net/feroze_daud for System.Net related posts.
----------------

Nov 23 '05 #2

i thought that may have been it as well, but it wasnt. i used
winhttpcertconfig to check the permissions. when that is the case, it
gives a different error. namely, "403: Access is forbidden" -- not the
one i was experiencing.

my next step was to disable the keep-alives in our proxy class as
recommended, and set httpprotocol to 1.0. that then produced this
error:

"The underlying connection was closed: Could not establish secure
channel for SSL/TLS."

....interesting. so then i inspected the .PFX w/ embedded private key
given to us by our partner.. in MMC when double-clicking, i saw this:

[yellow exclamation triangle ("!")] "Windows does not have enough
information to verify this certificate."

then at the bottom, "You have a private key that corresponds to this
certificate."

oh oh. this last message was the key -- our certificate should NOT have
had any errors or alerts whatsoever. working w/ MS, they identified
part of the problem: we didnt have a Certificate Authority ("CA") cert
installed for our partner-provided cert. they forgot to give us one
that had both the normal cert & the CA needed to verify it!

once i received the CA cert from our partner, that took care of the
problem ("The underlying connection was closed: Could not establish
secure channel for SSL/TLS").

what i cannot say, is whether that would have taken care of the
original error ("The underlying connection was closed: An unexpected
error occurred on a send"). i suspect it would not have... i cant test
because the server is off-limits to me now, but im thinking disabling
keep-alives took care of that first error, thus paving way for our
second error, the lacking CA.

fun.
matt

Nov 23 '05 #4
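
Added example, not part of the original posts: a small C# console check for the two conditions this thread ran into, a store entry without private key information and a client certificate whose issuing CA is not installed. It assumes .NET 2.0 or later (X509Certificate2, X509Chain), the certificate in the Computer account's Personal store, and a placeholder thumbprint; run it under the same account as the web application.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Diagnostic sketch (added example, not the poster's code).
static class ClientCertCheck
{
    // Placeholder: replace with the thumbprint shown in the MMC certificate details.
    const string Thumbprint = "<THUMBPRINT-OF-PARTNER-CLIENT-CERT>";

    static int Main()
    {
        // "Computer account" Personal store == LocalMachine\My
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly=false so a certificate with a broken chain is still returned
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, false);
            if (found.Count == 0)
            {
                Console.WriteLine("Certificate not found in LocalMachine\\My");
                return 2;
            }
            X509Certificate2 cert = found[0];
            Console.WriteLine("Subject: " + cert.Subject);
            Console.WriteLine("Issuer:  " + cert.Issuer);

            // True only if the store entry carries private key information.
            // It does not prove that this account is allowed to read the key.
            Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);

            // Build the chain; a missing issuing CA shows up as chain status entries.
            X509Chain chain = new X509Chain();
            // Revocation is skipped here only to isolate the missing-issuer case.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool chainOk = chain.Build(cert);
            Console.WriteLine("Chain builds to a trusted root: " + chainOk);
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("  " + s.Status + ": " + s.StatusInformation.Trim());

            return (cert.HasPrivateKey && chainOk) ? 0 : 1;
        }
        finally { store.Close(); }
    }
}
```

An exit code of 1 with `HasPrivateKey: False` corresponds to the event log message quoted in the question; an exit code of 1 with chain status entries corresponds to the missing CA certificate.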
