FtpWebRequest "The remote certificate is invalid according to the validation procedure"

Question

I have a .NET client application that tries to ftp over a file to an FTP site which has a self-signed TLS/SSL certificate. This FTP site is running on Windows 7 Enterprise, IIS 7. I am getting the following error:

The remote certificate is invalid according to the validation procedure

I have tried installing the certificate in the trusted root certificates but that still does not work.

I have used the delegate call back in the code that is mentioned some of the posts here - it works. But I do not want to use that in my production code.

Also in production some of our customers are using self-signed certificates.

Any ideas on how to fix this issue?

Answer 1

You have to overwrite the certificate checks so that they will always be considered good. That won't prevent the channel to remain SSL protected.

Uri target = new Uri("ftp://yourUri");
string fileName = @"fullPathOfYourFile";
FtpWebRequest request = (FtpWebRequest)WebRequest.Create(target);
request.Method = WebRequestMethods.Ftp.UploadFile;
request.Credentials = new NetworkCredential("user", "password");
request.EnableSsl = true;

//overwrite the certificate checks
ServicePointManager.ServerCertificateValidationCallback = 
                      (s, certificate, chain, sslPolicyErrors) => true;

// Copy the contents of the file to the request stream
//....

Answer 2

The most voted answer by @Luca blindly accepts any certificate. That's a security flaw.

When implementing ServicePointManager.ServerCertificateValidation callback one should validate the certificate. E.g. by checking certificate's hash against a known value:

using System.Net;
using System.Net.Security;
using System.Security.Cryptography;

ServicePointManager.ServerCertificateValidationCallback +=
    (sender, certificate, chain, errors) =>
    {
        return
            (errors == SslPolicyErrors.None) ||
            certificate.GetCertHashString(HashAlgorithmName.SHA256).Equals(
                "EB8E0B28AE064ED58CBED9DAEB46CFEB3BD7ECA677...");
    };

For the X509Certificate.GetCertHashString overload that takes HashAlgorithmName.SHA256, you need .NET 4.8. On older versions use the parameter-less overload that returns an SHA-1 hash.

---

Based on Is it safe to test the X509Certificate.Thumbprint property when you know an invalid certificate is safe?

For VB.NET version of the code, see Accept self-signed TLS/SSL certificate in VB.NET.

Answer 3

You also get this error if you try to connect to IP address instead of domain name. Since certificate is issued to the domain name, IP address wont work.

Answer 4

I had the same issue via .NET and the certificate root and chain was trusted by my account and even the local machine account. So the cert was golden.

For me, I was using the wrong hostname. I was using a fully qualified name (and was getting to the correct place), but the cert was actually issued to a different alias. So make sure your server name matches exactly what's on the certificate.

Check this article, that's how I found the answer... Maybe the event subscription is what you need too...

http://www.limilabs.com/blog/the-remote-certificate-is-invalid-according-to-the-validation-procedure