Owin Twitter login - the remote certificate is invalid according to the validation procedure

Tags: .Net, asp.net Mvc, Twitter, Twitter Oauth, Owin

.Net Problem Overview


I started getting this error recently when trying to login using twitter- any idea why?

Stack Trace: 


[AuthenticationException: The remote certificate is invalid according to the validation procedure.]
   System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) +230
   System.Net.PooledStream.EndWrite(IAsyncResult asyncResult) +13
   System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) +123

[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
   System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +6432446
   System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar) +64

.Net Solutions


Solution 1 - .Net

Thanks to the power of open source we can see that the thumbprints for the twitter certificates have been coded in the Katana Project.

Microsoft.Owin.Security.Twitter.TwitterAuthenticationOptions

Recently some certificates must have changed and now the thumbprints no longer match.

Please add a new thumb print for the "VeriSign Class 3 Public Primary Certification Authority - G5" Certificate to your Twitter Auth Options in your Startup.Auth.cs (for MVC users).

Change from the default:

app.UseTwitterAuthentication(
    consumerKey: "XXXX",
    consumerSecret: "XXX"
);

Use this:

app.UseTwitterAuthentication(new TwitterAuthenticationOptions
{
    ConsumerKey = "XXXX",
    ConsumerSecret = "XXXX",
    BackchannelCertificateValidator = new CertificateSubjectKeyIdentifierValidator(new[]
    {
        "A5EF0B11CEC04103A34A659048B21CE0572D7D47", // VeriSign Class 3 Secure Server CA - G2
        "0D445C165344C1827E1D20AB25F40163D8BE79A5", // VeriSign Class 3 Secure Server CA - G3
        "7FD365A7C2DDECBBF03009F34339FA02AF333133", // VeriSign Class 3 Public Primary Certification Authority - G5
        "39A55D933676616E73A761DFA16A7E59CDE66FAD", // Symantec Class 3 Secure Server CA - G4
        "5168FF90AF0207753CCCD9656462A212B859723B", // DigiCert SHA2 High Assurance Server CA
        "B13EC36903F8BF4701D498261A0802EF63642BC3" // DigiCert High Assurance EV Root CA
    })
});

Solution 2 - .Net

To sum up and save people digging through the comments, here is the latest config:

app.UseTwitterAuthentication(new TwitterAuthenticationOptions
{
    ConsumerKey = "XXXX",
    ConsumerSecret = "XXXX",
    BackchannelCertificateValidator = new Microsoft.Owin.Security.CertificateSubjectKeyIdentifierValidator(new[]
    {
        "A5EF0B11CEC04103A34A659048B21CE0572D7D47", // VeriSign Class 3 Secure Server CA - G2
        "0D445C165344C1827E1D20AB25F40163D8BE79A5", // VeriSign Class 3 Secure Server CA - G3
        "7FD365A7C2DDECBBF03009F34339FA02AF333133", // VeriSign Class 3 Public Primary Certification Authority - G5
        "39A55D933676616E73A761DFA16A7E59CDE66FAD", // Symantec Class 3 Secure Server CA - G4
        "add53f6680fe66e383cbac3e60922e3b4c412bed", // Symantec Class 3 EV SSL CA - G3
        "4eb6d578499b1ccf5f581ead56be3d9b6744a5e5", // VeriSign Class 3 Primary CA - G5
        "5168FF90AF0207753CCCD9656462A212B859723B", // DigiCert SHA2 High Assurance Server CA
        "B13EC36903F8BF4701D498261A0802EF63642BC3" // DigiCert High Assurance EV Root CA
    })
});

All credits to @MichaelLake and @KennethIto.

Solution 3 - .Net

Turn off Fiddler.

Somehow the Fiddler web debugger messes up the OAuth for Twitter.

Solution 4 - .Net

For testing purposes only (!) it is also possible to set the

options.BackchannelCertificateValidator = null;

and add to your Global.asax Application_Start:

// Accepts every server certificate, valid or not, for all outgoing HTTPS
// connections in the process (ServicePointManager is process-wide).
ServicePointManager.ServerCertificateValidationCallback = delegate
{
    return true;
};

Solution 5 - .Net

The DigiCert SHA2 High Assurance Server CA value of "5168FF90AF0207753CCCD9656462A212B859723B" doesn't seem to be valid. The new value is "01C3968ACDBD57AE7DFAFF9552311608CF23A9F9". It's valid from 6/28/2016 to 9/19/2019. I found it by going to https://api.twitter.com/ in Chrome, then clicking on the padlock in the address bar to view the certificate.
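
The following is an added example, not code from any of the answers above and not the Katana project's own class. It shows what a Subject Key Identifier pinning validator for the Twitter backchannel (solutions 1 and 2) has to check, and it is the scoped alternative to the process-wide `return true` callback in solution 4: the platform verdict in `sslPolicyErrors` is never overridden, and the chain is accepted only when one of its elements carries a pinned identifier. `DescribeChain` lists the subject and identifier of each chain element, which is the same data solution 5 reads off the browser padlock when a pin stops matching. It assumes the `Microsoft.Owin.Security.ICertificateValidator` interface with a `Validate(sender, certificate, chain, sslPolicyErrors)` method; the two identifiers in `ConfigureTwitter` are copied from the answers above as sample values and must be re-checked against the live chain before use, and the consumer key and secret are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Twitter;
using Owin;

// Added example: pins one or more Subject Key Identifiers for a single
// backchannel instead of disabling validation for the whole process.
// Assumes Microsoft.Owin.Security.ICertificateValidator as named in the lead-in.
public sealed class PinnedSubjectKeyIdentifierValidator : ICertificateValidator
{
    // Subject Key Identifier extension, OID 2.5.29.14
    private const string SubjectKeyIdentifierOid = "2.5.29.14";

    private readonly HashSet<string> _pinned;

    public PinnedSubjectKeyIdentifierValidator(IEnumerable<string> subjectKeyIdentifiers)
    {
        if (subjectKeyIdentifiers == null)
        {
            throw new ArgumentNullException("subjectKeyIdentifiers");
        }
        // The extension class reports upper-case hex; the answers mix cases.
        _pinned = new HashSet<string>(subjectKeyIdentifiers, StringComparer.OrdinalIgnoreCase);
    }

    // Hex Subject Key Identifier of one certificate, or null if it has none.
    public static string GetSubjectKeyIdentifier(X509Certificate2 certificate)
    {
        foreach (X509Extension extension in certificate.Extensions)
        {
            var ski = extension as X509SubjectKeyIdentifierExtension;
            if (ski != null && extension.Oid.Value == SubjectKeyIdentifierOid)
            {
                return ski.SubjectKeyIdentifier;
            }
        }
        return null;
    }

    public bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // A pin never overrides the platform verdict: a name mismatch, an expired
        // certificate or an untrusted root fails even if a pinned issuer is present.
        if (sslPolicyErrors != SslPolicyErrors.None || chain == null)
        {
            return false;
        }

        // Accept only when some element of the already validated chain is pinned.
        foreach (X509ChainElement element in chain.ChainElements)
        {
            string ski = GetSubjectKeyIdentifier(element.Certificate);
            if (ski != null && _pinned.Contains(ski))
            {
                return true;
            }
        }
        return false;
    }

    // Diagnostic for rotating pins: subject and identifier of every chain element.
    public static IEnumerable<string> DescribeChain(X509Chain chain)
    {
        foreach (X509ChainElement element in chain.ChainElements)
        {
            yield return element.Certificate.Subject + "  SKI=" +
                (GetSubjectKeyIdentifier(element.Certificate) ?? "(none)");
        }
    }
}

// Startup.Auth.cs wiring; the key, secret and pinned values are placeholders
// and sample values taken from the answers, not verified current data.
public static class TwitterPinningStartup
{
    public static void ConfigureTwitter(IAppBuilder app)
    {
        app.UseTwitterAuthentication(new TwitterAuthenticationOptions
        {
            ConsumerKey = "XXXX",
            ConsumerSecret = "XXXX",
            BackchannelCertificateValidator = new PinnedSubjectKeyIdentifierValidator(new[]
            {
                "7FD365A7C2DDECBBF03009F34339FA02AF333133", // VeriSign Class 3 Public Primary CA - G5
                "B13EC36903F8BF4701D498261A0802EF63642BC3"  // DigiCert High Assurance EV Root CA
            })
        });
    }
}
```

Because the validator is attached to `BackchannelCertificateValidator`, only the Twitter backchannel is affected; other HTTPS calls in the application keep the default validation. When a login starts failing with the error from the question, log the output of `DescribeChain` for the chain passed to `Validate` and compare it with the pinned list before changing anything.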

Solution 6 - .Net

I had this exact problem. I followed the post above and I got the 401 (unauthorized) error mentioned in another comment.

I went to my Twitter dev account and unchecked a box titled: "Enable Callback Locking". Clicked save, hit F5 and it worked.

So the above code worked for me. If you get a 401 double check your Twitter account for the checkbox.

Solution 7 - .Net

For me, just updating Microsoft.Owin.Security.Twitter to version 3.1.0 fixed it, even without adding the thumbprints!

Solution 8 - .Net

I had the same issue, and I have updated the callback URL in my Twitter App.

Adding the default URL https://mywebsite/signin-twitter

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type: Original Author (original content on Stackoverflow)
Question: user441365
Solution 1 - .Net: MichaelLake
Solution 2 - .Net: webStuff
Solution 3 - .Net: Matt
Solution 4 - .Net: Martin Staufcik
Solution 5 - .Net: Jon B
Solution 6 - .Net: RoadRunner
Solution 7 - .Net: Syed Waqas
Solution 8 - .Net: Moiyd