"The Remote Certificate Is Invalid According to the Validation Procedure." Using Gmail Smtp Server

The remote certificate is invalid according to the validation procedure. using Gmail SMTP server

Warning: Do not use this in production code!

As a workaround, you can switch off certificate validation. Only ever do this to obtain confirmation that the error is being thrown because of a bad certificate.

Call this method before you call smtpclient.Send():

[Obsolete("Do not use this in Production code!!!",true)]
static void NEVER_EAT_POISON_Disable_CertificateValidation()
{
    // Disabling certificate validation can expose you to a man-in-the-middle attack
    // which may allow your encrypted message to be read by an attacker
    // https://stackoverflow.com/a/14907718/740639
    ServicePointManager.ServerCertificateValidationCallback =
        delegate (
            object s,
            X509Certificate certificate,
            X509Chain chain,
            SslPolicyErrors sslPolicyErrors
        ) {
            return true;
        };
}

Unexpected The remote certificate is invalid according to the validation procedure.

The server is probably enabling TLS as part of SMTP. This is pretty common, it's the STARTTLS verb.

If this works on other Windows boxes, are you in an AD? If so there's probably a CA on the AD issuing certificates which are automatically trusted via Group Policy. So you need to configure OpenSSL on your Ubuntu machine to trust that CA too.

Or you could just say fuck it, and tell StmpClient to ignore security with

client.EnableSsl = true;

How to fix Remote certificate is invalid according to the validation procedure

To be fair, the underlying problem should be checked/corrected.

You can control how MailKit does the server certificate validation using a ServerCertificateValidationCallback

For debugging purposes you could return true; in the callback function.

Code from the MailKit documentation:

using (var client = new MailKit.Net.Smtp.SmtpClient())
{
    // Set our custom SSL certificate validation callback.
    client.ServerCertificateValidationCallback = MySslCertificateValidationCallback;

    client.Timeout = 30000;
    client.Connect("servername", 587, true);
    client.Authenticate("Username", "password");
    client.Send(message);
    client.Disconnect(true);
}

    static bool MySslCertificateValidationCallback (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // If there are no errors, then everything went smoothly.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Note: MailKit will always pass the host name string as the `sender` argument.
        var host = (string) sender;

        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) {
            // This means that the remote certificate is unavailable. Notify the user and return false.
            Console.WriteLine ("The SSL certificate was not available for {0}", host);
            return false;
        }

        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) {
            // This means that the server's SSL certificate did not match the host name that we are trying to connect to.
            var certificate2 = certificate as X509Certificate2;
            var cn = certificate2 != null ? certificate2.GetNameInfo (X509NameType.SimpleName, false) : certificate.Subject;

            Console.WriteLine ("The Common Name for the SSL certificate did not match {0}. Instead, it was {1}.", host, cn);
            return false;
        }

        // The only other errors left are chain errors.
        Console.WriteLine ("The SSL certificate for the server could not be validated for the following reasons:");

        // The first element's certificate will be the server's SSL certificate (and will match the `certificate` argument)
        // while the last element in the chain will typically either be the Root Certificate Authority's certificate -or- it
        // will be a non-authoritative self-signed certificate that the server admin created. 
        foreach (var element in chain.ChainElements) {
            // Each element in the chain will have its own status list. If the status list is empty, it means that the
            // certificate itself did not contain any errors.
            if (element.ChainElementStatus.Length == 0)
                continue;

            Console.WriteLine ("\u2022 {0}", element.Certificate.Subject);
            foreach (var error in element.ChainElementStatus) {
                // `error.StatusInformation` contains a human-readable error string while `error.Status` is the corresponding enum value.
                Console.WriteLine ("\t\u2022 {0}", error.StatusInformation);
            }
        }

        return false;
    }

Getting The remote certificate is invalid according to the validation procedure when SMTP server has a valid certificate

The answer I have finally found is that the SMTP service on the server is not using the same certificate as https.

The diagnostic steps I had read here make the assumption they use the same certificate and every time I've tried this in the past they have done and the diagnostic steps are exactly what I've done to solve the problem several times.

In this case those steps didn't work because the certificates in use were different, and the possibility of this is something I had never come across.

The solution is either to export the actual certificate from the server and then install it as a trusted certificate on my machine, or to get a different valid/trusted certificate for the SMTP service on the server. That is currently with our IT department who administer the servers to decide which they want to do.

C# The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

Primary problem with RemoteCertificateNameMismatch error is because of subject mismatch between subject specified in remote certificate and address you are connecting to. I suspect that remote certificate is issued against some DNS name, but you are connecting to IP address which apparently isn't specified in certificate subject/SAN extension. You need to ensure that remote certificate's SAN extension contains the address you are connecting to.

There is insufficient information to debug RemoteCertificateChainErrors error. You need to attach a debugger and retrieve exact errors.

The remote certificate is invalid according to the validation procedure

This usually occurs because either of the following are true:

• The certificate is self-signed and not added as a trusted certificate.
• The certificate is expired.
• The certificate is signed by a root certificate that's not installed on your machine.
• The certificate is signed using the fully qualified domain address of the server. Meaning: cannot use "xyzServerName" but instead must use "xyzServerName.ad.state.fl.us" because that's basically the server name as far as the SSL cert is concerned.
• A revocation list is probed, but cannot be found/used.
• The certificate is signed via intermediate CA certificate and server does not serve that intermediate certificate along with host certificate.

Try getting some information about the certificate of the server and see if you need to install any specific certs on your client to get it to work.

SMTP - SSL Certificate Issue - C# - Why this code works?

The following code is telling your application to trust all certificates, even if they are not valid.

It is best not to do this.

private bool RemoteServerCertificateValidationCallback(object sender,
System.Security.Cryptography.X509Certificates.X509Certificate
certificate, System.Security.Cryptography.X509Certificates.X509Chain
chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) {
    //Console.WriteLine(certificate);
    return true; }

---

Related Topics