C# Octopus.Client https-call triggers "invalid certificate" error

Hi Support!

I’ve created a few command line tools in C#. But since I’ve moved to an https-based octopus server, I can’t use them anymore. We’re using a self-signed intranet certificate, used by all kinds of other servers in our company. See below.

Do you have any ideas on how I can circumvent the certificate issue?


string api_key = “FOO_BAR”;
string octopus_server = “https://my.octopus.server/”;

var endpoint = new OctopusServerEndpoint(octopus_server, api_key);
var repository = new OctopusRepository(endpoint);

Unhandled Exception: System.Exception: Unable to connect to the Octopus Deploy server. See the inner exception for details. —> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. —> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

What you may be looking for is the ability to ignore ssl verification. There are a few examples around the interwebs that might be of help.

This approach should be able to be set in your app and take effect globally. You can make it more complex to handle specifically these certificates or endpoints.

    .ServerCertificateValidationCallback += 
    (sender, cert, chain, sslPolicyErrors) => true;

Typically when we see internal self-signed certificates used within an intranet (as opposed to one used for purely local development), it is common for the root certificates to still be added to the networked machine’s certificate store. This way all other code on the system functions normally. You can add a self-signed root certificate as a windows security policy, or even get free signed ones by organisations like lets-encrypt.

Hope this helped

Hi Robert!

Many thanks to you finger pointing in the right direction - with a little amendment it worked perfectly. My code now has this line:

            += (sender, cert, chain, sslPolicyErrors) => true;

Using another certificate isn’t an option, so I’m told so this works just fine.

I bow to your wisdom! :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.