Error with Payware Connect - The remote certificate is invalid according to the validation procedure
Q - We started getting the following error on certain workstations yesterday when trying to pre-authorize a credit card with Payware Connect. Originally it was on the remote server, where some users worked and some didn't. We rebooted that server last night but some users are still having issues. We also had a local user here who started having the same issue this morning. I have attached a sample of the error in the XML2PWC.LOG file (in M:\Elliott7\LOG\01 folder):
2017/12/13 11:55:50.207 Connect : https://prod1.ipcharge.net/ipchapi/rh.aspx
2017/12/13 11:55:50.207 Request : <TRANSACTION><FUNCTION_TYPE>PAYMENT</FUNCTION_TYPE><PAYMENT_TYPE>CREDIT</PAYMENT_TYPE><COMMAND>PRE_AUTH</COMMAND><USER_ID>********</USER_ID><USER_PW>********</USER_PW><CLIENT_ID>************</CLIENT_ID><MERCHANTKEY>*****************</MERCHANTKEY><TRANS_AMOUNT>107.47</TRANS_AMOUNT><CARDHOLDER>************</CARDHOLDER><INVOICE>405205</INVOICE><TICKET_NUM>405205</TICKET_NUM><ACCT_NUM>430023*******3657</ACCT_NUM><EXP_MONTH>**</EXP_MONTH><EXP_YEAR>**</EXP_YEAR><CVV2>***</CVV2><CUSTOMER_STREET>********</CUSTOMER_STREET><CUSTOMER_ZIP>*****</CUSTOMER_ZIP></TRANSACTION>
2017/12/13 11:55:51.488 Error : System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.TlsStream.CallProcessAuthentication(Object state)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at El7Net.EL8PWPNT.SendXMLToPWC(String _XMLString, String url) in G:\NSI.SRC\nw81\EL8PWPNT\ELPWCPNT\EL8PWPNT.vb:line 1685
A - As far as I can see, some of your workstations failed to use secure communication (SSL/TLS) with Payware Connect servers. Payware Connect requires TLS 1.2 to function. The message says “The remote certificate is invalid according to the validation procedure.” That seems to indicate there is a certificate issue. From the workstation that has problem, use IE to connect to https://prod1.ipcharge.net/ipchapi/rh.aspx. You should see a response “Bad Request." Then you can click on the “lock” icon on the toolbar to show the certificates. See sample screen below:
From there, refer to the instructions of the following article for more details:
https://blogs.msdn.microsoft.com/jpsanders/2009/09/16/troubleshooting-asp-net-the-remote-certificate-is-invalid-according-to-the-validation-procedure/As a comparison, it will also be helpful to perform the same procedure from a workstation that does not have this problem.
Follow-Up on this Incident
As a follow-up to this support incident, the user who had this error provided the following information to confirm how the problem was solved. This may not be the same issue for you if you should encouter a certificate error. We are providing it here simply as an example:
So apparently this was a firewall setting issue. I have a list of websites that are in an SSL Exemption area on our Barracuda Firewall. Ipcharge.net and ipcharge2.net were in the listing since the firewall was put into place last year. I recently removed them when troubleshooting an issue with ipcharge.com with an inhouse client, thinking that they updated their URL and .net was no longer needed. I have since reapplied those two to the SSL Exemption area and all seems to be well in the world.
The SSL Exemption area of the firewall allows the true SSL cert to be passed on directly to the client making the call. We have SSL inspection enabled on our firewall, which basically replaces the SSL cert with a Barracuda SSL cert so we can inspect those encrypted packets. Certain websites hate that and I have to add them to the exemption list. So long story short, oops it was my fault.
EMK