69

I started getting this error recently when trying to log in using Twitter. Any idea why?

Stack Trace:

[AuthenticationException: The remote certificate is invalid according to the validation procedure.]
   System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) +230
   System.Net.PooledStream.EndWrite(IAsyncResult asyncResult) +13
   System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) +123

[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
   System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +6432446
   System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar) +64
abatishchev
user441365
  • No idea, but I am also getting it as of yesterday. Have even tried creating a new MVC5 project, adding Twitter keys, and even that fails. – MichaelLake Jul 29 '14 at 10:59
  • Have you tried Googling those error messages? I see a number of asp.net-related pages that talk about both errors. – Caleb Aug 26 '14 at 13:50

8 Answers

96

Thanks to the power of open source, we can see that the thumbprints for the Twitter certificates have been coded in the Katana Project.

Microsoft.Owin.Security.Twitter.TwitterAuthenticationOptions

Recently some certificates must have changed and now the thumbprints no longer match.

Please add a new thumbprint for the "VeriSign Class 3 Public Primary Certification Authority - G5" certificate to your Twitter Auth Options in your Startup.Auth.cs (for MVC users).

Change from the default:

app.UseTwitterAuthentication(
    consumerKey: "XXXX",
    consumerSecret: "XXX"
);

Use this:

app.UseTwitterAuthentication(new TwitterAuthenticationOptions
{
    ConsumerKey = "XXXX",
    ConsumerSecret = "XXXX",
    BackchannelCertificateValidator = new CertificateSubjectKeyIdentifierValidator(new[]
    {
        "A5EF0B11CEC04103A34A659048B21CE0572D7D47", // VeriSign Class 3 Secure Server CA - G2
        "0D445C165344C1827E1D20AB25F40163D8BE79A5", // VeriSign Class 3 Secure Server CA - G3
        "7FD365A7C2DDECBBF03009F34339FA02AF333133", // VeriSign Class 3 Public Primary Certification Authority - G5
        "39A55D933676616E73A761DFA16A7E59CDE66FAD", // Symantec Class 3 Secure Server CA - G4
        "5168FF90AF0207753CCCD9656462A212B859723B", // DigiCert SHA2 High Assurance Server CA
        "B13EC36903F8BF4701D498261A0802EF63642BC3"  // DigiCert High Assurance EV Root CA
    })
});
Quiver
MichaelLake
  • Had to change "CertValidator" to "CertificateThumbprintValidator" and add 39A55D933676616E73A761DFA16A7E59CDE66FAD - Symantec Class 3 Secure Server CA - G4 - now I can get back to what I was supposed to be doing! – Breandán Jul 29 '14 at 12:25
  • Yes, thanks for that... I had created my own certificate validator to identify the issue. I'll update the post. – MichaelLake Jul 29 '14 at 13:05
  • Is this only happening on the Owin package? – user441365 Jul 29 '14 at 13:22
  • Where did you find those subject key identifiers for the VeriSign/Symantec CAs? Where specifically in the Katana Project? – Alexandru Aug 01 '14 at 01:38
  • Happening again - had to add 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5 - VeriSign Class 3 Primary CA - G5. Anyone know if this can also be fixed by installing the VeriSign root certs on the web server? https://www.symantec.com/page.jsp?id=roots – Breandán Aug 06 '14 at 14:25
  • This started happening to me with a new project. Seems to be another certificate update to api.twitter.com. I was able to add b77ddb6867d3b325e01c90793413e15bf0e44df2 to the list. Found this by using Fiddler to see that my computer was requesting auth from api.twitter.com. Then browsed to it in my browser, looked at the SSL certificate details, and snagged the Subject Key Identifier from that certificate. Seems to be working after I added that, breaks when I take it away. – MinneapolChris Sep 01 '15 at 00:21
  • And happening again, I'm seeing DigiCert. "5168FF90AF0207753CCCD9656462A212B859723B", // DigiCert SHA2 High Assurance Server CA "B13EC36903F8BF4701D498261A0802EF63642BC3" // DigiCert High Assurance EV Root CA – Kenneth Ito Sep 22 '15 at 02:38
  • @KennethIto, yep, I'm getting that error too. I've added the keys you provided (after double-checking them against the certs from the DigiCert site) and they work great, thanks. – Sep 22 '15 at 10:02
  • I think the Symantec and VeriSign values are outdated and no longer necessary. Viewing the certificate detail by going to https://api.twitter.com shows that it is a DigiCert certificate. As long as you have either an Authority Key Id or a Subject Key Id, it should work. – kimbaudi Oct 12 '16 at 06:14
  • Wishful pull request to source added: https://katanaproject.codeplex.com/SourceControl/network/forks/OzBobWA/TwitterCertUpdated/changeset/fad97eaad931f7efed0516111e5b3e7011214e4b – OzBob Feb 09 '17 at 09:15
  • Note the certs have been removed from Katana 3.1 so this won't keep breaking in the future. – Tratcher Apr 11 '17 at 15:34
  • In case anyone reading this is still using the above solution, it looks like the certs have changed again. Add "b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4" to the above array of subject key identifiers (or update Microsoft.Owin.Security.Twitter). – tbraun Feb 17 '21 at 20:55
87

To sum up and save people digging through the comments, here the latest config:

app.UseTwitterAuthentication(new TwitterAuthenticationOptions
{
    ConsumerKey = "XXXX",
    ConsumerSecret = "XXXX",
    BackchannelCertificateValidator = new Microsoft.Owin.Security.CertificateSubjectKeyIdentifierValidator(new[]
    {
        "A5EF0B11CEC04103A34A659048B21CE0572D7D47", // VeriSign Class 3 Secure Server CA - G2
        "0D445C165344C1827E1D20AB25F40163D8BE79A5", // VeriSign Class 3 Secure Server CA - G3
        "7FD365A7C2DDECBBF03009F34339FA02AF333133", // VeriSign Class 3 Public Primary Certification Authority - G5
        "39A55D933676616E73A761DFA16A7E59CDE66FAD", // Symantec Class 3 Secure Server CA - G4
        "add53f6680fe66e383cbac3e60922e3b4c412bed", // Symantec Class 3 EV SSL CA - G3 (a stray invisible character before the first hex digit would make this value never match)
        "4eb6d578499b1ccf5f581ead56be3d9b6744a5e5", // VeriSign Class 3 Primary CA - G5
        "5168FF90AF0207753CCCD9656462A212B859723B", // DigiCert SHA2 High Assurance Server CA
        "B13EC36903F8BF4701D498261A0802EF63642BC3"  // DigiCert High Assurance EV Root CA
    })
});

All credits to @MichaelLake and @KennethIto.

TaeKwonJoe
webStuff
  • And SO comes to this lazy dev's help again! – paz Sep 25 '15 at 15:49
  • Does anyone know if Twitter announces when they are about to change thumbprints? Or will we always have to wait for it to break? – Nick Sep 27 '15 at 18:36
  • Works locally but not on server... any ideas? – Chirdeep Tomar Oct 01 '15 at 08:51
  • I'm getting "Response status code does not indicate success: 401 (Authorization Required)." after I add the back channels. – Brian Oct 23 '15 at 21:04
  • Looks like they've changed again and you need to add "add53f6680fe66e383cbac3e60922e3b4c412bed" // Symantec Class 3 EV SSL CA - G3 – Tim Oct 30 '15 at 18:21
  • I edited this answer to include Tim's find for Symantec Class 3 EV SSL CA - G3. – TaeKwonJoe Jan 08 '16 at 21:32
  • @Brian if you are getting a 401, make sure the Twitter app settings have a Callback URL set. – Matt Jan 12 '16 at 02:21
  • @Brian - In order to solve the 401 (unauthorized) error, change the Callback URL from */signin-twitter/ to */signin-twitter, without backslash at the end. – Sasa Tancev Mar 26 '16 at 14:27
  • I would love to learn how you guys are working out which certs need to be added. I'm using Fiddler and enabled HTTPS decryption, but I can't figure out how you find what certs are missing. – Computer Apr 09 '16 at 13:28
  • Looks like this problem is happening again; does anyone have the new thumbprints? Thanks – Guido Preite Jul 19 '16 at 19:18
  • I'm not getting an exception, but LinkedIn OAuth has suddenly stopped working for me again. The callback URL gets `error=access_denied` added to the end, but otherwise everything looked okay. This line `var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();` ends up being `null`. How do you find these thumbprints so I can check if they might have changed again? – Matt Burland Aug 23 '18 at 14:23
6

Turn off Fiddler.

Somehow the Fiddler web debugger messes up the OAuth for Twitter.

Matt
5

For testing purposes only (!) it is also possible to set the

options.BackchannelCertificateValidator = null;

and add to your Global.asax Application_Start:

ServicePointManager.ServerCertificateValidationCallback = delegate 
{ 
    return true; 
};
Martin Staufcik
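The answers above pin the back channel to a fixed list of Subject Key Identifiers, the comments repeatedly ask how to discover which identifier is missing once the list goes stale, the "Turn off Fiddler" answer shows what happens when a proxy re-signs the connection, and the "testing only" answer disables validation entirely. The following is an added example, not code from the question, the answers, or the Katana project: a back-channel validator for Microsoft.Owin.Security that keeps the platform's own TLS checks, requires one pinned SKI somewhere in the presented chain, and logs every SKI it sees so the pin list can be refreshed from the log instead of from Fiddler or the browser padlock. Assumed: Microsoft.Owin.Security 3.x (where `ICertificateValidator` and `CertificateSubjectKeyIdentifierValidator` live), a `Startup.ConfigureTwitter` method name, and `System.Diagnostics.Trace` as the log sink; the two pinned values are the DigiCert identifiers quoted in the answers above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Owin.Security;          // ICertificateValidator (assumed: Microsoft.Owin.Security 3.x)
using Microsoft.Owin.Security.Twitter;
using Owin;

// Added example; not the Katana project's own validator.
// Keeps the framework's TLS validation, additionally requires one pinned
// Subject Key Identifier in the chain, and logs the SKIs it actually saw.
public sealed class LoggingSkiValidator : ICertificateValidator
{
    private readonly HashSet<string> _pinnedSkis;
    private readonly Action<string> _log;

    public LoggingSkiValidator(IEnumerable<string> pinnedSkis, Action<string> log)
    {
        // Normalise once so upper-/lower-case hex and stray separators compare equal.
        _pinnedSkis = new HashSet<string>(pinnedSkis.Select(Normalize), StringComparer.Ordinal);
        _log = log ?? (_ => { });
    }

    public bool Validate(object sender, X509Certificate certificate, X509Chain chain,
                         SslPolicyErrors sslPolicyErrors)
    {
        // Step 1: never weaken the platform's validation (name mismatch, expiry, untrusted root).
        if (sslPolicyErrors != SslPolicyErrors.None || chain == null)
        {
            _log("Rejected: TLS policy errors " + sslPolicyErrors);
            return false;
        }

        // Step 2: read the SKI of every certificate in the presented chain and log it.
        var observed = new List<string>();
        foreach (X509ChainElement element in chain.ChainElements)
        {
            string ski = GetSubjectKeyIdentifier(element.Certificate);
            _log(element.Certificate.Subject + "  SKI=" + (ski ?? "<none>"));
            if (ski != null) observed.Add(ski);
        }

        // Step 3: accept only if at least one element of the chain is pinned.
        bool pinned = observed.Any(_pinnedSkis.Contains);
        if (!pinned)
            _log("Rejected: no chain element matches a pinned SKI (CA rotation, or a proxy such as Fiddler re-signing the connection)");
        return pinned;
    }

    // Extracts the Subject Key Identifier extension (OID 2.5.29.14) as upper-case hex, or null if absent.
    public static string GetSubjectKeyIdentifier(X509Certificate2 cert)
    {
        var ext = cert.Extensions.OfType<X509SubjectKeyIdentifierExtension>().FirstOrDefault();
        return ext == null ? null : Normalize(ext.SubjectKeyIdentifier);
    }

    private static string Normalize(string hex)
    {
        return new string(hex.Where(c => c != ' ' && c != ':').ToArray()).ToUpperInvariant();
    }
}

// Wiring in Startup.Auth.cs. Pinned values are the DigiCert identifiers quoted in the
// answers above; the method name and the Trace sink are assumptions for this example.
public partial class Startup
{
    public void ConfigureTwitter(IAppBuilder app)
    {
        app.UseTwitterAuthentication(new TwitterAuthenticationOptions
        {
            ConsumerKey = "XXXX",
            ConsumerSecret = "XXXX",
            BackchannelCertificateValidator = new LoggingSkiValidator(
                new[]
                {
                    "5168FF90AF0207753CCCD9656462A212B859723B", // DigiCert SHA2 High Assurance Server CA
                    "B13EC36903F8BF4701D498261A0802EF63642BC3"  // DigiCert High Assurance EV Root CA
                },
                msg => System.Diagnostics.Trace.WriteLine("[TwitterBackchannel] " + msg))
        });
    }
}
```

When api.twitter.com next moves to a different issuing CA, the trace output lists the subject and SKI of every certificate in the new chain, which is the value the comments above were recovering by hand from Fiddler or the browser's certificate dialog. The same log explains the "Turn off Fiddler" answer: a decrypting proxy presents a chain signed by its own root, so no element carries a pinned SKI and step 3 rejects it. Unlike the `ServicePointManager.ServerCertificateValidationCallback` delegate that returns `true`, which silently disables certificate validation for every outbound connection in the process, this validator is scoped to the Twitter back channel and still fails closed on policy errors.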
3

The DigiCert SHA2 High Assurance Server CA value of "5168FF90AF0207753CCCD9656462A212B859723B" doesn't seem to be valid. The new value is "01C3968ACDBD57AE7DFAFF9552311608CF23A9F9". It's valid from 6/28/2016 to 9/19/2019. I found it by going to https://api.twitter.com/ in Chrome, then clicking on the padlock in the address bar to view the certificate.

Jon B
  • Viewing the certificate details in Chrome shows that 5168FF90AF0207753CCCD9656462A212B859723B is the Authority Key Identifier (http://imgur.com/5xL7iV5) and 01C3968ACDBD57AE7DFAFF9552311608CF23A9F9 is the Subject Key Identifier (http://imgur.com/R1FeAF0). I'm not sure why you think that 5168FF90AF0207753CCCD9656462A212B859723B isn't valid. – kimbaudi Oct 12 '16 at 05:54
  • I took another look at the certificate and you're correct that api.twitter.com has a newer Subject Key Identifier with value 01C3968ACDBD57AE7DFAFF9552311608CF23A9F9 (http://imgur.com/J9HaFoO). – kimbaudi Oct 12 '16 at 06:09
0

I had this exact problem. I followed the post above and got the 401 (unauthorized) error mentioned in another comment.

I went to my Twitter dev account and unchecked a box titled: "Enable Callback Locking". Clicked save, hit F5 and it worked.

So the above code worked for me. If you get a 401 double check your Twitter account for the checkbox.

RoadRunner
  • In order to solve the 401 (unauthorized) error, change the Callback URL from */signin-twitter/ to */signin-twitter without backslash at the end. – Sasa Tancev Mar 26 '16 at 14:26
0

For me, just updating Microsoft.Owin.Security.Twitter to version 3.1.0 fixed it, even without adding the thumbprints!

Syed Waqas
0

I had the same issue, and I have updated the callback URL in my Twitter App.

Adding the default URL https://mywebsite/signin-twitter

Moiyd