Error while contacting partition service, The remote certificate is invalid because of errors in the certificate chain: NotTimeValid


Issue Description

After renewing the certificate, users are encountering the following error:

Generic Error on User Interface:

"Error while contacting partition service"

Error Details:

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.

---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid

at void System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)

at async Task System.Net.Security.SslStream.ForceAuthenticationAsync(bool receiveFirst, byte[] reAuthenticationData, CancellationToken cancellationToken)

Root Cause

NotTimeValid is the X509ChainStatusFlags value that .NET reports when a certificate in the chain presented by the server is outside its validity period (before its NotBefore or after its NotAfter date). Immediately after a renewal the usual cause is not the clock: the server is still presenting the old, now-expired certificate on one of its HTTPS bindings because that binding (the IIS site binding, or the HTTP.sys binding stored in the registry, frequently the IPv6 one) still references the old thumbprint. Less often the flag is raised because the client or server clock is wrong, or because an intermediate CA certificate in the chain has expired; the checks below separate these cases.
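The following PowerShell script is an added diagnostic, not part of the original article: it performs a TLS handshake against the same host over IPv4 and over IPv6 separately, captures the certificate each path presents, and rebuilds the chain locally to show the exact chain-status flag behind the NotTimeValid text. The host name is an assumed placeholder. An expired leaf on one address family only is the stale-binding case described above; a leaf that is inside its validity window with NotTimeValid still reported points at an expired intermediate or at clock skew.

```powershell
# Added example, not part of the original article: probe the same HTTPS
# endpoint over IPv4 and over IPv6 and report which certificate each path
# presents, so a NotTimeValid failure can be pinned to a stale (expired)
# certificate on one binding rather than to a clock problem.
# The host name is an assumed placeholder.
param(
    [string]$HostName = 'server.example.com',
    [int]$Port = 443
)

function Get-PresentedCertificate {
    param(
        [string]$TargetHost,
        [int]$TargetPort,
        [System.Net.Sockets.AddressFamily]$Family
    )
    $addr = [System.Net.Dns]::GetHostAddresses($TargetHost) |
        Where-Object { $_.AddressFamily -eq $Family } | Select-Object -First 1
    if (-not $addr) { return $null }

    # Accept whatever the server sends so the handshake completes and the
    # certificate can be captured. Diagnostic only: never do this in an application.
    $captured = @{ Cert = $null }
    $validator = {
        param($sender, $cert, $chain, $errors)
        $captured.Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert)
        return $true
    }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]($validator.GetNewClosure())

    $client = [System.Net.Sockets.TcpClient]::new($Family)
    try {
        $client.Connect($addr, $TargetPort)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($TargetHost)   # SNI host name, as the failing client would send it
        $ssl.Dispose()
    } finally {
        $client.Dispose()
    }
    $cert = $captured.Cert
    if (-not $cert) { throw "$Family`: handshake finished without a server certificate" }

    # Re-run chain building locally to see the exact X509ChainStatusFlags,
    # which is where the NotTimeValid in the error text comes from.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $null = $chain.Build($cert)
    $status = (@($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })) -join ','
    $now = Get-Date
    if ($status -match 'NotTimeValid') {
        if ($cert.NotAfter -lt $now) { $verdict = 'EXPIRED leaf presented: this binding still points at the old certificate' }
        elseif ($cert.NotBefore -gt $now) { $verdict = 'leaf not yet valid: check the server and client clocks' }
        else { $verdict = 'leaf is inside its validity window: an intermediate or root in the chain is out of date, or clocks differ' }
    } elseif ($status -eq '') { $verdict = 'chain OK' }
    else { $verdict = 'other chain error' }

    [pscustomobject]@{
        Family      = $Family
        Address     = $addr.ToString()
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        ChainStatus = $status
        Verdict     = $verdict
    }
}

foreach ($family in 'InterNetwork', 'InterNetworkV6') {
    try {
        $result = Get-PresentedCertificate -TargetHost $HostName -TargetPort $Port -Family $family
        if ($result) { $result | Format-List } else { "$family`: $HostName has no address of this family" }
    } catch {
        "$family`: $($_.Exception.Message)"
    }
}
```

Run it from a machine that actually reaches the server over both address families; if only the InterNetworkV6 result shows an expired thumbprint, the [::]:443 binding is the one to fix.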

Resolution

Validations:

  1. Verify that all settings were updated for the certificate change as described in the relevant documentation.
  2. If everything has been validated and the issue persists, one of the HTTPS bindings is probably still referencing the old certificate thumbprint, either in the IIS site binding or in the HTTP.sys binding stored in the registry.

Check ApplicationHost.config:

  • Validate the applicationHost.config file located at C:\Windows\System32\inetsrv\config\applicationHost.config and make sure the site's HTTPS binding references the new certificate thumbprint.
  • If it still references the old thumbprint, update the binding in IIS.


Check Registry for Binding:

  • If the issue is not resolved, check the HTTP.sys SSL bindings in the registry to find the thumbprint each binding currently uses:

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo

  • The 0.0.0.0:443 binding should point to the new thumbprint. If it does and the issue persists, and clients reach the server over IPv6, validate the [::]:443 binding under the same registry path: it is easy to overlook and is often still pointing to the old thumbprint, so IPv6 clients keep receiving the expired certificate and fail with NotTimeValid while IPv4 clients succeed.

Note: The thumbprint under SslBindingInfo is a binary value written by HTTP.sys and is not meant to be edited directly in the registry, so re-point the binding through IIS as follows.

Solution for IPv6 NotTimeValid Binding:

  • In IIS, create a new IPv6 binding, or update the existing one, for the [::] address on port 443 and select the new certificate.

  • This rewrites the [::]:443 entry in the registry; IPv6 traffic then receives the new certificate and the site loads correctly. Afterwards confirm that both 0.0.0.0:443 and [::]:443 show the new thumbprint.
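As an added example covering the registry check and the IPv6 rebind above (it is not part of the original article), the PowerShell script below reads every binding under the SslBindingInfo key, decodes the binary SslCertHash and AppId values, compares each thumbprint with the renewed certificate, reports whether a stale thumbprint is still referenced in applicationHost.config, and, with -Fix, re-points the stale IIS-owned bindings (including [::]:443) at the new certificate. The subject filter and the -Fix switch are assumptions for illustration; the rebind uses netsh http, which changes the same HTTP.sys configuration that re-selecting the certificate in IIS Manager changes.

```powershell
# Added example, not part of the original article: audit the HTTP.sys SSL
# bindings under the SslBindingInfo key the article names, flag the ones that
# still carry the old thumbprint (including [::]:443), and optionally re-point
# them at the renewed certificate. The subject filter and the -Fix switch are
# assumptions for illustration; the application id is the one IIS stamps on
# its own HTTP.sys bindings.
param(
    [string]$CertSubject = 'CN=server.example.com',   # assumed placeholder
    [switch]$Fix
)

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo'
$AppHost  = "$env:windir\System32\inetsrv\config\applicationHost.config"
$IisAppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'
$now = Get-Date

# The renewed certificate: newest unexpired one for the subject in the machine store.
$newCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $newCert) { throw "No unexpired certificate with subject '$CertSubject' in LocalMachine\My" }
"Renewed certificate: $($newCert.Thumbprint) valid until $($newCert.NotAfter)"

# Each subkey is one ip:port binding. SslCertHash holds the thumbprint as raw
# bytes and AppId the owning application, which is why the key is not hand-edited.
$stale = @()
foreach ($key in (Get-ChildItem $RegPath)) {
    $props = Get-ItemProperty $key.PSPath
    if (-not $props.SslCertHash) { continue }
    $thumb = ($props.SslCertHash | ForEach-Object { $_.ToString('X2') }) -join ''
    $appId = [guid]::new([byte[]]$props.AppId).ToString('B')
    $bound = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb

    if ($thumb -eq $newCert.Thumbprint) {
        $state = 'OK'
    } elseif ($bound -and $bound.NotAfter -lt $now) {
        $state = 'STALE: expired certificate (clients see NotTimeValid)'
    } elseif ($bound) {
        $state = 'STALE: a different certificate'
    } else {
        $state = 'STALE: thumbprint not present in LocalMachine\My'
    }
    '{0,-22} {1} {2} {3}' -f $key.PSChildName, $thumb, $appId, $state

    # Only bindings owned by IIS are candidates for the rebind below.
    if ($state -ne 'OK' -and $appId -eq $IisAppId) { $stale += $key.PSChildName }

    # The same stale thumbprint may also be written into the IIS site binding.
    if ($state -ne 'OK' -and (Select-String -Path $AppHost -Pattern $thumb -SimpleMatch -Quiet)) {
        "    applicationHost.config still references $thumb"
    }
}

if ($Fix -and $stale.Count -gt 0) {
    foreach ($ipport in $stale) {
        # Re-point the binding through the HTTP.sys configuration API (netsh),
        # which rewrites the SslBindingInfo entry the same way re-selecting the
        # certificate in IIS Manager does.
        netsh http delete sslcert ipport=$ipport | Out-Null
        netsh http add sslcert ipport=$ipport certhash=$($newCert.Thumbprint) appid=$IisAppId certstorename=MY
    }
    netsh http show sslcert
}
```

Run it in an elevated PowerShell session first without -Fix to see the table; the [::]:443 row is the one this article is about. If the script also reports that applicationHost.config references the old thumbprint, re-select the certificate on the site binding in IIS Manager as described above so the IIS configuration and the HTTP.sys binding stay in sync.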