SharePoint 2016 Workflow error: The Remote Certificate is Invalid

In a fresh SharePoint 2016 RTM farm with Workflow Manager 1.1 installed, publishing a SharePoint 2013 Designer workflow fails with the error “The remote certificate is invalid according to the validation procedure.” It appears both in the ULS logs and in the UI.

01/18/2016 16:25:17.53    w3wp.exe (kfsp:0x3764)    0x5758    SharePoint 
Server    Workflow Services    ahwae    Medium    Error publishing workflow 
definition (ItemUpdating) information: System.Net.WebException: The underlying 
connection was closed: Could not establish trust relationship for the SSL/TLS 
secure channel. ---> System.Security.Authentication.AuthenticationException: 
The remote certificate is invalid according to the validation procedure.     at 
System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)     at 
System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)     --- End of 
inner exception stack trace ---     at 
Microsoft.Workflow.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)     
at Microsoft.Workflow.Client.HttpGetResponseAsyncResult`1.End(IAsyncResult 
result)     at 
Microsoft.Workflow.Client.ClientHelpers.SendRequest[T](HttpWebRequest request, T 
content)     at 
Microsoft.Workflow.Client.WorkflowManagementClient.SendRequest[T](HttpWebRequest 
request, T content)     at 
Microsoft.Workflow.Client.ScopeManager.PublishScopeInternal(ScopeDescription 
description, String[] pathSegments)     at 
Microsoft.Workflow.Client.ScopeManager.PublishChildScope(String childScopeName, 
ScopeDescription description)     at 
Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.CreateServiceGroup(String 
scopeAddress, ScopeDescription serviceGroup)     at 
Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.CreateOrUpdateServiceGroup(SPWeb 
lookupWeb, SPAppPrincipal app)     at 
Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.<SetupApplicationEcosystem>b__3()     
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated 
secureCode)     at 
Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback 
secureCode, Object param)     at 
Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated 
secureCode)     at 
Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.SetupApplicationEcosystem()     
at 
Microsoft.SharePoint.WorkflowServices.FabricWorkflowDeploymentProvider.PublishDefinition(WorkflowDefinition 
workflowDefinition)     at 
Microsoft.SharePoint.WorkflowServices.WorkflowDefinitionStorageEventReceiver.PublishDefinition(SPItemEventProperties 
properties)   

Root cause:

We used the auto-generated certificate for Workflow Manager during configuration. Because that certificate is self-signed, SharePoint cannot build a chain from it to a trusted root certificate. SharePoint implements its own certificate validation policy, which overrides the .NET certificate validation, so a certificate that Windows might accept is still rejected unless SharePoint itself trusts it.

Resolution:

The fix is straightforward: build a trust between Workflow Manager and SharePoint 2016. To do that, export the Workflow Manager certificate from the WFM server and upload it to SharePoint 2016. Follow the steps below.

Export Certificate from Workflow Manager Server

  • Log in on the server with the farm credentials.
  • Open **IIS Manager > Sites**, right-click **Workflow Management Site**, and then choose Edit Bindings.
  • In this pop-up, select the HTTPS binding on port 12290, and then choose Edit.
  • In this pop-up, click the View button in the SSL Certificate section.
  • In the Certificate window, click the Details tab.
  • On the Details tab, choose Copy to File.
  • In the Certificate Export Wizard:
    • Click Next.
    • Choose No, do not export the private key.
    • Choose DER encoded binary X.509 (.CER).
    • Select the path where you want to store the certificate and give it a name (we used WFcert.cer).
    • Click Finish.
    • You will get the "Export Successful" message.
  • You now have WFcert.cer.

Note: In this case we used the auto-generated certificate, so it is the only certificate in the chain. If you are using a CA-issued SSL certificate instead, you have to export every certificate in the certification path (the leaf, any intermediate CAs, and the root).

Import Certificate to SharePoint 2016 Central Admin

  • Copy the certificate from the WFM server to the SharePoint Central Administration server.
  • Log in with the farm administrator account.
  • In the SharePoint Central Administration site, go to Security > General Security > Manage Trust.
  • On this page, click New.
  • On this page, upload the certificate to SharePoint:
    • Give it a friendly name.
    • Specify the path to the certificate file.
    • Click OK.
  • Repeat the steps above for every certificate in the chain.

Import Certificate to SharePoint PowerShell

  • Log in with the farm administrator credentials on the SharePoint server.
  • Launch the SharePoint Management Shell.
  • Run the following PowerShell:
# Load the exported certificate (no private key, so no password prompt)
$trustCert = Get-PfxCertificate "F:\WFcert.cer"
# Register it as a trusted root authority in the farm, under the name WFTrust
New-SPTrustedRootAuthority WFTrust -Certificate $trustCert
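The export steps above, the note about exporting every certificate in the chain, and the PowerShell import can be combined into one scripted procedure. The following is an added example, not code from the original post or from the Workflow Manager product: Part 1 runs on the Workflow Manager server and writes each certificate in the chain of the 12290 binding to a DER-encoded .cer file; Part 2 runs in the SharePoint Management Shell, imports every file as a trusted root authority (skipping ones already present), and Part 3 checks that the certificate actually served on port 12290 is among the farm's trusted ones. The output folder, the hostname and the trust-name prefix are assumptions; adjust them to your environment.

```powershell
# ----- Part 1: run on the Workflow Manager server -----
function Export-WfmCertificateChain {
    param(
        [int]$Port = 12290,                 # HTTPS binding of the Workflow Management Site
        [string]$OutDir = 'C:\WFCerts'      # assumed output folder
    )
    Import-Module WebAdministration
    # Thumbprint of the certificate bound to the WFM HTTPS port
    $binding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $Port } | Select-Object -First 1
    if (-not $binding) { throw "No SSL binding found on port $Port" }
    $cert = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)"
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Build the chain as Windows sees it. The auto-generated WFM cert yields a single
    # self-signed element; a CA-issued cert yields leaf -> intermediate(s) -> root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($cert)

    $i = 0
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        $file = Join-Path $OutDir ("WFcert{0}.cer" -f $i)
        # DER-encoded X.509 without the private key (the wizard's "DER encoded binary X.509 (.CER)" choice)
        $der = $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($file, $der)
        [pscustomobject]@{ Index = $i; Subject = $c.Subject; Thumbprint = $c.Thumbprint; File = $file }
        $i++
    }
}

# ----- Part 2: run in the SharePoint Management Shell on a SharePoint server -----
function Import-WfmCertificateChain {
    param(
        [Parameter(Mandatory)][string]$CerDir,  # folder holding the copied .cer files
        [string]$NamePrefix = 'WFTrust'         # assumed naming convention for the trust entries
    )
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    foreach ($file in Get-ChildItem -Path $CerDir -Filter '*.cer') {
        $trustCert = Get-PfxCertificate $file.FullName   # reads a .cer; no private key, no password prompt
        $name = "$NamePrefix-$($trustCert.Thumbprint)"
        if (Get-SPTrustedRootAuthority -Identity $name -ErrorAction SilentlyContinue) {
            Write-Host "Already trusted: $name"
            continue
        }
        New-SPTrustedRootAuthority -Name $name -Certificate $trustCert | Out-Null
        Write-Host "Added trust: $name ($($trustCert.Subject))"
    }
    # Show what the farm now trusts, with expiry so a rotated WFM cert is easy to spot
    Get-SPTrustedRootAuthority |
        Select-Object Name, @{n = 'Subject'; e = { $_.Certificate.Subject } },
                            @{n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
}

# ----- Part 3: confirm the certificate served on 12290 is one the farm trusts -----
function Test-WfmEndpointTrust {
    param([Parameter(Mandatory)][string]$WfmHost, [int]$Port = 12290)
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $client = New-Object System.Net.Sockets.TcpClient($WfmHost, $Port)
    try {
        # The callback accepts any certificate only so we can read it; trust is decided below.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback] { $true })
        $ssl.AuthenticateAsClient($WfmHost)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
    $trusted = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
    [pscustomobject]@{
        Host             = $WfmHost
        ServedSubject    = $served.Subject
        ServedThumbprint = $served.Thumbprint
        TrustedByFarm    = ($trusted -contains $served.Thumbprint)
    }
}

# Usage (hostname is a placeholder):
#   On the WFM server:      Export-WfmCertificateChain -OutDir 'C:\WFCerts'
#   Copy C:\WFCerts to the SharePoint server, then in the SharePoint Management Shell:
#   Import-WfmCertificateChain -CerDir 'F:\WFCerts'
#   Test-WfmEndpointTrust -WfmHost 'wfm.contoso.local'
```

Part 3 reports TrustedByFarm as true only when the thumbprint served on port 12290 matches an entry in Manage Trust; for a CA-issued certificate the farm may instead trust the issuing root, in which case compare the chain elements rather than the leaf. Because the trust entries are farm-wide and the auto-generated Workflow Manager certificate expires, re-run the export and import whenever that certificate is renewed, and remove the stale entry with Remove-SPTrustedRootAuthority so the trust list does not accumulate dead certificates.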