LetsEncrypt SSL Cert produces: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

[paul-kiar]

Steps to Reproduce

1. Have a certificate with 2 verification paths as explained here

2. Register that certificate on a webserver

3. Create an HttpWebRequest to with the webserver URL from step 2

        HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(address);
        request.Accept = "application/json";
        request.Method = "GET";
        using var response = await request.GetResponseAsync().ConfigureAwait(false); // throws exception
   

This only happens with LetsEncrypt certificates that were signed with the expired certificate DST Root CA X3. Our SSL certificate was issued in August 2021 with the dual signature.
It is not an issue for Apple iOS or iPadOS

Chrome has an issue with the certificate on older devices, but not on recent devices
Viewing the certificate in windows browsers showed the valid path
Viewing the certificate on old emulators showed the invalid path and failed to be trusted
On devices that chrome showed the certificate as valid, Xamarin Android app still failed to trust the certificate
Certificate worked until September 29th when the DST Root CA X3 certificate expired

Work Around: Renewing the certificate with LetsEncrypt Acme after Sept 30th 2021 fixed the problem

Expected Behavior

SSL Works, web request succeeds

Actual Behavior

Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

Version Information

Microsoft Visual Studio Enterprise 2019
Version 16.11.2
VisualStudio.16.Release/16.11.2+31624.102
Microsoft .NET Framework
Version 4.8.04084

Installed Version: Enterprise

Visual C++ 2019 00435-60000-00000-AA537
Microsoft Visual C++ 2019

ADL Tools Service Provider 1.0
This package contains services used by Data Lake tools

ASA Service Provider 1.0

ASP.NET and Web Tools 2019 16.11.75.64347
ASP.NET and Web Tools 2019

ASP.NET Web Frameworks and Tools 2019 16.11.75.64347
For additional information, visit https://www.asp.net/

Azure App Service Tools v3.0.0 16.11.75.64347
Azure App Service Tools v3.0.0

Azure Data Lake Node 1.0
This package contains the Data Lake integration nodes for Server Explorer.

Azure Data Lake Tools for Visual Studio 2.6.1000.0
Microsoft Azure Data Lake Tools for Visual Studio

Azure Functions and Web Jobs Tools 16.11.75.64347
Azure Functions and Web Jobs Tools

Azure Stream Analytics Tools for Visual Studio 2.6.1000.0
Microsoft Azure Stream Analytics Tools for Visual Studio

C# Tools 3.11.0-4.21403.6+ae1fff344d46976624e68ae17164e0607ab68b10
C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Common Azure Tools 1.10
Provides common services for use by Azure Mobile Services and Microsoft Azure Tools.

Extensibility Message Bus 1.2.6 (master@34d6af2)
Provides common messaging-based MEF services for loosely coupled Visual Studio extension components communication and integration.

Fabric.DiagnosticEvents 1.0
Fabric Diagnostic Events

IntelliCode Extension 1.0
IntelliCode Visual Studio Extension Detailed Info

Microsoft Azure HDInsight Azure Node 2.6.1000.0
HDInsight Node under Azure Node

Microsoft Azure Hive Query Language Service 2.6.1000.0
Language service for Hive query

Microsoft Azure Service Fabric Tools for Visual Studio 16.10
Microsoft Azure Service Fabric Tools for Visual Studio

Microsoft Azure Stream Analytics Language Service 2.6.1000.0
Language service for Azure Stream Analytics

Microsoft Azure Stream Analytics Node 1.0
Azure Stream Analytics Node under Azure Node

Microsoft Azure Tools for Visual Studio 2.9
Support for Azure Cloud Services projects

Microsoft Continuous Delivery Tools for Visual Studio 0.4
Simplifying the configuration of Azure DevOps pipelines from within the Visual Studio IDE.

Microsoft JVM Debugger 1.0
Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines

Microsoft Library Manager 2.1.113+g422d40002e.RR
Install client-side libraries easily to any web project

Microsoft MI-Based Debugger 1.0
Provides support for connecting Visual Studio to MI compatible debuggers

Microsoft Visual C++ Wizards 1.0
Microsoft Visual C++ Wizards

Microsoft Visual Studio Tools for Containers 1.2
Develop, run, validate your ASP.NET Core applications in the target environment. F5 your application directly into a container with debugging, or CTRL + F5 to edit & refresh your app without having to rebuild the container.

Microsoft Visual Studio VC Package 1.0
Microsoft Visual Studio VC Package

Mono Debugging for Visual Studio 16.10.15 (552afdf)
Support for debugging Mono processes with Visual Studio.

NuGet Package Manager 5.11.0
NuGet Package Manager in Visual Studio. For more information about NuGet, visit https://docs.nuget.org/

ProjectServicesPackage Extension 1.0
ProjectServicesPackage Visual Studio Extension Detailed Info

Razor (ASP.NET Core) 16.1.0.2122504+13c05c96ea6bdbe550bd88b0bf6cdddf8cde1725
Provides languages services for ASP.NET Core Razor.

Snapshot Debugging Extension 1.0
Snapshot Debugging Visual Studio Extension Detailed Info

SQL Server Data Tools 16.0.62107.28140
Microsoft SQL Server Data Tools

Test Adapter for Boost.Test 1.0
Enables Visual Studio's testing tools with unit tests written for Boost.Test. The use terms and Third Party Notices are available in the extension installation directory.

Test Adapter for Google Test 1.0
Enables Visual Studio's testing tools with unit tests written for Google Test. The use terms and Third Party Notices are available in the extension installation directory.

ToolWindowHostedEditor 1.0
Hosting json editor into a tool window

TypeScript Tools 16.0.30526.2002
TypeScript Tools for Microsoft Visual Studio

Visual Basic Tools 3.11.0-4.21403.6+ae1fff344d46976624e68ae17164e0607ab68b10
Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Visual F# Tools 16.11.0-beta.21322.6+488cc578cafcd261d90d748d8aaa7b8b091232dc
Microsoft Visual F# Tools

Visual Studio Code Debug Adapter Host Package 1.0
Interop layer for hosting Visual Studio Code debug adapters in Visual Studio

Visual Studio Container Tools Extensions 1.0
View, manage, and diagnose containers within Visual Studio.

Visual Studio Tools for CMake 1.0
Visual Studio Tools for CMake

Visual Studio Tools for Containers 1.0
Visual Studio Tools for Containers

Visual Studio Tools for Kubernetes 1.0
Visual Studio Tools for Kubernetes

VisualStudio.DeviceLog 1.0
Information about my package

VisualStudio.Foo 1.0
Information about my package

VisualStudio.Mac 1.0
Mac Extension for Visual Studio

Xamarin 16.11.000.174 (d16-11@e8f56f1)
Visual Studio extension to enable development for Xamarin.iOS and Xamarin.Android.

Xamarin Designer 16.11.0.17 (remotes/origin/11e0001f0b17269345e80b58fb3adf1ba4efe2cd@11e0001f0)
Visual Studio extension to enable Xamarin Designer tools in Visual Studio.

Xamarin Templates 16.10.5 (355b57a)
Templates for building iOS, Android, and Windows apps with Xamarin and Xamarin.Forms.

Xamarin.Android SDK 11.4.0.5 (d16-11/7776c9f)
Xamarin.Android Reference Assemblies and MSBuild support.
Mono: c633fe9
Java.Interop: xamarin/java.interop/d16-11@48766c0
ProGuard: Guardsquare/proguard@912d149
SQLite: xamarin/sqlite@85460d3
Xamarin.Android Tools: xamarin/xamarin-android-tools/d16-11@683f375

Xamarin.iOS and Xamarin.Mac SDK 14.20.0.25 (3b53e529b)
Xamarin.iOS and Xamarin.Mac Reference Assemblies and MSBuild support.

Log File

[angelru]

The same issue, some solution

[derekcroprecords]

Same issue, but renewing the certificate with LetsEncrypt Acme did not fix the problem

[derekcroprecords]

Workaround that worked for us was to edit the certs fullchain.pem from winacme and manually remove the last certification.

The one that says
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:0 = Digital Signature Trust Co., CN = DST Root CA X3

[SeanMollet]

@derekcroprecords YOU ARE MY HERO. This is definitely the easiest/best answer for this. If you're ever near KC in the US, let me know, I'll buy you several rounds of beers.

[derekcroprecords]

@derekcroprecords YOU ARE MY HERO. This is definitely the easiest/best answer for this. If you're ever near KC in the US, let me know, I'll buy you several rounds of beers.

Glad to help. That was rough day. That cert caused us a lot of problems. AWS lambda functions failed. Xamarin Android. Python on Raspberry Pi.

If anyone is still having problems there is a lot of information over on LetsEncrypts community forums.
https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/449

[daltonks]

I'm running into the same issue with LetsEncrypt on my Samsung Galaxy S20+. I refreshed my certificate and updated cert-manager, but I can't connect using SignalR. ☹️
HttpClient requests work though.

LetsEncrypt's "ISRG Root X1" root certificate has the issue.

Microsoft.AspNetCore.Http.Connections.Client.HttpConnection: Error: Failed to start connection. Error getting negotiation response from 'https://scribblebuddies.app/hub'.

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00042] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Btls/MonoBtlsContext.cs:220 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:715 
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:289 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:223 
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x0025c] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:310 
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x0007b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/ConnectHelper.cs:165 
   --- End of inner exception stack trace ---
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x000f6] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/ConnectHelper.cs:176 
  at System.Threading.Tasks.ValueTask`1[TResult].get_Result () [0x0001b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/Common/src/CoreLib/System/Threading/Tasks/ValueTask.cs:813 
  at System.Net.Http.HttpConnectionPool.CreateConnectionAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x002d8] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs:408 
  at System.Threading.Tasks.ValueTask`1[TResult].get_Result () [0x0001b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/Common/src/CoreLib/System/Threading/Tasks/ValueTask.cs:813 
  at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync (System.Threading.Tasks.ValueTask`1[TResult] creationTask) [0x000a2] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs:543 
  at System.Threading.Tasks.ValueTask`1[TResult].get_Result () [0x0001b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/Common/src/CoreLib/System/Threading/Tasks/ValueTask.cs:813 
  at System.Net.Http.HttpConnectionPool.SendWithRetryAsync (System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x0003f] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs:284 
  at System.Net.Http.RedirectHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00070] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/RedirectHandler.cs:32 
  at Microsoft.AspNetCore.Http.Connections.Client.Internal.AccessTokenHttpMessageHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000ff] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at Microsoft.AspNetCore.Http.Connections.Client.Internal.LoggingHttpMessageHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00095] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered (System.Threading.Tasks.Task`1[TResult] sendTask, System.Net.Http.HttpRequestMessage request, System.Threading.CancellationTokenSource cts, System.Boolean disposeCts) [0x000b3] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/HttpClient.cs:531 
  at Microsoft.AspNetCore.Http.Connections.Client.HttpConnection.NegotiateAsync (System.Uri url, System.Net.Http.HttpClient httpClient, Microsoft.Extensions.Logging.ILogger logger, System.Threading.CancellationToken cancellationToken) [0x0014a] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
[0:] System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00042] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Btls/MonoBtlsContext.cs:220 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:715 
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:289 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:223 
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x0025c] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:310 
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x0007b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/ConnectHelper.cs:165 
   --- End of inner exception stack trace ---
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x000f6] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/ConnectHelper.cs:176 
  at System.Threading.Tasks.ValueTask`1[TResult].get_Result () [0x0001b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/Common/src/CoreLib/System/Threading/Tasks/ValueTask.cs:813 
  at System.Net.Http.HttpConnectionPool.CreateConnectionAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x002d8] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs:408 
  at System.Threading.Tasks.ValueTask`1[TResult].get_Result () [0x0001b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/Common/src/CoreLib/System/Threading/Tasks/ValueTask.cs:813 
  at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync (System.Threading.Tasks.ValueTask`1[TResult] creationTask) [0x000a2] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs:543 
  at System.Threading.Tasks.ValueTask`1[TResult].get_Result () [0x0001b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/Common/src/CoreLib/System/Threading/Tasks/ValueTask.cs:813 
  at System.Net.Http.HttpConnectionPool.SendWithRetryAsync (System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x0003f] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs:284 
  at System.Net.Http.RedirectHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00070] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/RedirectHandler.cs:32 
  at Microsoft.AspNetCore.Http.Connections.Client.Internal.AccessTokenHttpMessageHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000ff] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at Microsoft.AspNetCore.Http.Connections.Client.Internal.LoggingHttpMessageHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00095] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered (System.Threading.Tasks.Task`1[TResult] sendTask, System.Net.Http.HttpRequestMessage request, System.Threading.CancellationTokenSource cts, System.Boolean disposeCts) [0x000b3] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/HttpClient.cs:531 
  at Microsoft.AspNetCore.Http.Connections.Client.HttpConnection.NegotiateAsync (System.Uri url, System.Net.Http.HttpClient httpClient, Microsoft.Extensions.Logging.ILogger logger, System.Threading.CancellationToken cancellationToken) [0x00257] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at Microsoft.AspNetCore.Http.Connections.Client.HttpConnection.GetNegotiationResponseAsync (System.Uri uri, System.Threading.CancellationToken cancellationToken) [0x00080] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at Microsoft.AspNetCore.Http.Connections.Client.HttpConnection.SelectAndStartTransport (Microsoft.AspNetCore.Connections.TransferFormat transferFormat, System.Threading.CancellationToken cancellationToken) [0x00180] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at Microsoft.AspNetCore.Http.Connections.Client.HttpConnection.StartAsyncCore (Microsoft.AspNetCore.Connections.TransferFormat transferFormat, System.Threading.CancellationToken cancellationToken) [0x0011e] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at System.Threading.Tasks.ForceAsyncAwaiter.GetResult () [0x0000c] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at Microsoft.AspNetCore.Http.Connections.Client.HttpConnection.StartAsync (Microsoft.AspNetCore.Connections.TransferFormat transferFormat, System.Threading.CancellationToken cancellationToken) [0x00091] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at Microsoft.AspNetCore.Http.Connections.Client.HttpConnectionFactory.ConnectAsync (System.Net.EndPoint endPoint, System.Threading.CancellationToken cancellationToken) [0x00114] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at Microsoft.AspNetCore.Http.Connections.Client.HttpConnectionFactory.ConnectAsync (System.Net.EndPoint endPoint, System.Threading.CancellationToken cancellationToken) [0x001bf] in <234f60ad06d047e7b24d4168aa9bb2c7>:0 
  at System.Threading.Tasks.ValueTask`1[TResult].get_Result () [0x0001b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/Common/src/CoreLib/System/Threading/Tasks/ValueTask.cs:813 
  at Microsoft.AspNetCore.SignalR.Client.HubConnection.StartAsyncCore (System.Threading.CancellationToken cancellationToken) [0x000a5] in <155e5a84392943dea24ca8776c95247e>:0 
  at Microsoft.AspNetCore.SignalR.Client.HubConnection.StartAsyncInner (System.Threading.CancellationToken cancellationToken) [0x0019e] in <155e5a84392943dea24ca8776c95247e>:0 
  at System.Threading.Tasks.ForceAsyncAwaiter.GetResult () [0x0000c] in <155e5a84392943dea24ca8776c95247e>:0 
  at Microsoft.AspNetCore.SignalR.Client.HubConnection.StartAsync (System.Threading.CancellationToken cancellationToken) [0x00091] in <155e5a84392943dea24ca8776c95247e>:0 
  at Scribble.ApiRealtime.ApiRealtimeClient.<StartNewConnection>b__26_0 () [0x00170] in C:\Users\Dalton\source\repos\Scribble\Scribble\Scribble\ApiRealtime\ApiRealtimeClient.cs:170 
  at SkiEngine.Util.TaskQueue+<>c__DisplayClass14_0.<QueueAsync>b__0 (System.Threading.Tasks.Task _) [0x00059] in C:\Users\Dalton\source\repos\Scribble\SkiEngine\SkiEngine\Util\TaskQueue.cs:74 

[vincentcastagna]

Just met the same issue while our certificates on our API was renewed. Forcing again a renewal of the certificate does not fix the issue. This impacts ALL builds.

Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/boringssl/ssl/handshake_client.c:1132

at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00042] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Btls/MonoBtlsContext.cs:220
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:715
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:289
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:223

Note : Using AndroidClientHandler solves the issue.

[angelru]

Workaround that worked for us was to edit the certs fullchain.pem from winacme and manually remove the last certification.

The one that says 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1 i:0 = Digital Signature Trust Co., CN = DST Root CA X3

I do not understand much, do you have to put this?

[daltonks]

One workaround (with SignalR on Android) is to just stop using LetsEncrypt.
I bought SSL certs (unfortunately), plugged them into kubernetes nginx, and removed the LetsEncrypt config from my Ingress.

[uzairali001]

I'm was also having the same issue but after some research trials and errors I found out the solution well it's more like a workaround.
The root certificate of Let's encrypt is expired so just remove it from the yourcert-chain.prem.

• Open the file in any text editor
• Locate the last -----BEGIN CERTIFICATE----- at the end of the file
• Delete it from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
• Save and reload the nginx

[SpongeManiac]

I will give this a try. I instead manually disabled the expired CA on my android device and the API works again, however it is an annoying thing for every costumer to manually change their device when I could just remove the expired cert from the chain. Although I am just the C# monkey, cutting the root cert from a key chain doesn't sound optimal

[daltonks]

I've seen talk on the forums to use --preferred-chain "ISRG Root X1" if it makes sense for your devices.
I'm not going to test it (partly because I'm not sure where I should put this when using cert-manager), but maybe it helps someone else 😛

https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain

[uzairali001]

I will give this a try. I instead manually disabled the expired CA on my android device and the API works again, however it is an annoying thing for every costumer to manually change their device when I could just remove the expired cert from the chain. Although I am just the C# monkey, cutting the root cert from a key chain doesn't sound optimal

For me I can't disturb customers as my App is an enterprise app for thousands of customers which they use daily to complete their tasks, because of this certificate issue my app was not even login and so many customers log their complain so I was in need of a quick solution but soon I will replace LE cert with comodo.

[delphikit]

I'm was also having the same issue but after some research trials and errors I found out the solution well it's more like a workaround. The root certificate of Let's encrypt is expired so just remove it from the yourcert-chain.prem.

• Open the file in any text editor
• Locate the last -----BEGIN CERTIFICATE----- at the end of the file
• Delete it from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
• Save and reload the nginx

This works great. Question: Will this be inserted again by Certbot when it renews the cert?

[daltonks]

This works great. Question: Will this be inserted again by Certbot when it renews the cert?

I'm pretty sure that's the case unless you change the config. --preferred-chain "ISRG Root X1" might be what you're looking for, but I haven't personally tested it.

[Roshek]

I've seen talk on the forums to use --preferred-chain "ISRG Root X1" if it makes sense for your devices. I'm not going to test it (partly because I'm not sure where I should put this when using cert-manager), but maybe it helps someone else 😛

https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain

That method solved it for me. It's an option for the certbot cli which is used to get/renew let's encrypt certificates. We use a dockerized version of it to automatically renew our certs. The full command for renewal looks like this certbot renew --force-renewal --preferred-chain "ISRG Root X1". This will essentially result in a cert chain that is similar to the above "delete the old DST cert from the fullchain file" method.

[Naxilos]

There is a client-side workaround.

On the Android you can manualy disable the certificate "Digital Signature Trust Co. - DST Root CA X3".

• Go to "Settings > Security > Encryption & credentials" > Trusted credentials"
• Scroll down and disable "Digital Signature Trust Co. - DST Root CA X3"

In my case it works, but as I mentioned it's a workaround, not the solution.

[dimonovdd]

@jonathanpeppers @grendello Hi.
Do you have any ideas? Does this apply to Xamarin.Android or Mono?

[awatertrevi]

This seems to work for me: #4688 (comment)

[dimonovdd]

This seems to work for me: #4688 (comment)

How is it different from this property?

<AndroidHttpClientHandlerType>Xamarin.Android.Net.AndroidClientHandler</AndroidHttpClientHandlerType>

[jvreeker]

I have the same issues, I renewed the certificates with this option --preferred-chain "ISRG Root X1". Now everything seems to work again. Only I see devices with android version <=7 having issues.

Anyone an idea how to fix this?

[lukechinworth]

sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1" worked for me.

[robertgoodwin00]

@canton7
That was very helpful, thanks!
Do you think there is any chance of an update to BoringSSL or whatever software is needed for xamarin that could obviate the need to address this? Since my team hasn't released on Android yet, "wait for someone else to resolve this" would be a more attractive option to us than any other, given that everything is working normally on the iOS side (which we are more focused on). I get that xamarin isn't at fault tho.

[canton7]

@robertgoodwin00 Xamarin is partially at fault I think -- they're the ones who bundled BoringSSL, apparently did some custom modifications (although I don't know the extent or whether they impacted this), and haven't updated it to fix this issue. I've no idea if they're planning to fix this properly, and I'm somewhat worried that we haven't heard anything at all from them.

[steveisok]

@canton7 This is something we are actively working on and trying to validate. Even if we didn't fork BoringSSL, we would still need to bump to the right version and make sure we didn't regress / negatively impact anyone.

[NoahSong]

I also faced the same issue after updating targetframework and xamarin form version. I got a hint from the solution making a customer HttpClientHandler for each platform and found that there is a way to config the HttpClient implementation for Xamarin.Android (Project Properties > Android Options > Advanced > HttpClient Implementation). I've changed this value from Default to Android, and everything worked well without any issue.

More details: https://docs.microsoft.com/en-us/xamarin/android/app-fundamentals/http-stack?tabs=windows

[tousif03raza]

I'm also facing the same issue, even after using the 'AndroidClientHandler' as HttpClient implementation and 'Native TLS 1.2+' as SSL/TLS implementation, it's not working for me.
I'm trying to load the image url from my backend server, but it's not working. Other sources are working fine & images are loading. I've used WebClient for downloading the image, then I found out that it's the issue of SSL.

[ivanrlg]

I am getting the same error, any update on this?

[shweta1915]

Any update on this issue?

[canton7]

No news from Microsoft: the last peep was 6 months ago. See this comment for workarounds.

[awesome1128]

I don't understand well, how you did.
I am working on ubuntu server, and trying to connect to remote ubuntu server via xamarin android code.
I deleted the last -----BEGIN CERTIFICATE----- at the end of the file from fullchain.pem file.
Also , I ran certbot renew --force-renewal --preferred-chain "ISRG Root X1" command as well.

Is that correct?

I have xamarin project, but I don't know well xamarin.
I am using visual studio 2019 and it's configured with remote server, but I keep getting "System.Exception: 'Something went wrong with cert validation" error.
I am spending much time to fix this problem, but no idea.

Please let me know your thoughts, thanks!

[gonzalorf]

There is a client-side workaround.

On the Android you can manualy disable the certificate "Digital Signature Trust Co. - DST Root CA X3".

• Go to "Settings > Security > Encryption & credentials" > Trusted credentials"
• Scroll down and disable "Digital Signature Trust Co. - DST Root CA X3"

In my case it works, but as I mentioned it's a workaround, not the solution.

Amazing!! It worked for me. How did you figure it out?

[microsoft-github-policy-service]

We suspect this issue is stale and no longer relevant. It will be closed if no further activity occurs within 14 more days. Any new comment (by anyone, not necessarily the author) will undo this process.

[microsoft-github-policy-service]

This issue will now be closed since it had been marked possibly-stale but received no further activity in the past 14 days. It is still possible to reopen or comment on the issue, but please note that the issue will be locked if it remains inactive for another 30 days.