Resolving Invalid Remote Certificate Error In SharePoint Workflow Manager

In this article, we explain and fix an issue with SharePoint 2016 and Workflow Manager 1.1 CU2. In a fresh SharePoint 2016 RTM farm with Workflow Manager 1.1 installed, publishing a SharePoint 2013 Designer workflow fails with the error "The remote certificate is invalid according to the validation procedure", both in the UI and in the ULS logs, as shown below.

    01/18/2016 16:25:17.53    w3wp.exe (kfsp:0x3764)    0x5758    SharePoint
    Server    Workflow Services    ahwae    Medium    Error publishing workflow
    definition (ItemUpdating) information: System.Net.WebException: The underlying
    connection was closed: Could not establish trust relationship for the SSL/TLS
    secure channel. ---> System.Security.Authentication.AuthenticationException:
    The remote certificate is invalid according to the validation procedure.     at
    System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)     at
    System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)     --- End of
    inner exception stack trace ---     at
    Microsoft.Workflow.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)
    at Microsoft.Workflow.Client.HttpGetResponseAsyncResult`1.End(IAsyncResult
    result)     at
    Microsoft.Workflow.Client.ClientHelpers.SendRequest[T](HttpWebRequest request, T
    content)     at
    Microsoft.Workflow.Client.WorkflowManagementClient.SendRequest[T](HttpWebRequest
    request, T content)     at
    Microsoft.Workflow.Client.ScopeManager.PublishScopeInternal(ScopeDescription
    description, String[] pathSegments)     at
    Microsoft.Workflow.Client.ScopeManager.PublishChildScope(String childScopeName,
    ScopeDescription description)     at
    Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.CreateServiceGroup(String
    scopeAddress, ScopeDescription serviceGroup)     at
    Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.CreateOrUpdateServiceGroup(SPWeb
    lookupWeb, SPAppPrincipal app)     at
    Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.<SetupApplicationEcosystem>b__3()
    at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated
    secureCode)     at
    Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback
    secureCode, Object param)     at
    Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated
    secureCode)     at
    Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.SetupApplicationEcosystem()
    at
    Microsoft.SharePoint.WorkflowServices.FabricWorkflowDeploymentProvider.PublishDefinition(WorkflowDefinition
    workflowDefinition)     at
    Microsoft.SharePoint.WorkflowServices.WorkflowDefinitionStorageEventReceiver.PublishDefinition(SPItemEventProperties
    properties)

Root cause

We used the auto-generated certificate for Workflow Manager during configuration. The SharePoint farm does not trust that certificate, so the certificate chain cannot be validated up to a trusted root (a broken root chain). Note that SharePoint implements its own certificate validation policy, which overrides .NET certificate validation; this is why the certificate must be trusted by SharePoint itself and not only by the Windows certificate store.

Resolution

The fix is to establish trust between Workflow Manager and SharePoint 2016: export the Workflow Manager certificate(s) from the WFM server and upload them into SharePoint 2016. Follow the steps given below.

Export Certificate from Workflow Manager Server

  • Log in to the Workflow Manager server with the farm credentials.
  • Open IIS Manager > Sites > right-click the Workflow Management site and choose Edit Bindings.
  • In the Site Bindings dialog, select the https binding on port 12290 and choose Edit.
  • In the Edit Site Binding dialog, click View in the SSL certificate section.
  • In the Certificate window, click the Details tab.
  • On the Details tab, click Copy to File to start the Certificate Export Wizard.
  • In the wizard,

    • Click Next.
    • Choose No, do not export the private key.
    • Choose DER encoded binary X.509 (.CER).
    • Select the path where you want to store the certificate and give it a name (we use WFcert.cer).
    • Click Finish.
    • You will get the "The export was successful" message.

  • You now have WFcert.cer.

Note

In my case, I used the auto-generated certificate, so there is only one certificate in the chain. If you are using your own SSL certificates, you have to export every certificate in the certification path (the issuing and root certificates as well).

Import certificate to SharePoint 2016 Central Admin

  • Copy the certificate from the WFM server to the SharePoint Central Administration server.
  • Log in with the farm administrator account.
  • In the SharePoint Central Administration site, go to Security > General Security > Manage Trust.
  • On the Trust Relationships page, click New.
  • On the Establish Trust Relationship page, upload the certificate to SharePoint:

    • Give it a friendly name.
    • Browse to the path where the certificate is stored.
    • Click OK.

  • Repeat the steps above for every certificate in the chain.

Import certificate to SharePoint PowerShell

  • Log in to the SharePoint server with the farm administrator credentials.
  • Launch the SharePoint Management Shell.
  • Run the PowerShell commands given below (adjust the path to where you copied WFcert.cer).

    $trustCert = Get-PfxCertificate "F:\WFcert.cer"
    New-SPTrustedRootAuthority WFTrust -Certificate $trustCert
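The export and import procedures above can be scripted end to end. The following is an added example (not code from the original article); it assumes the Workflow Manager HTTPS binding is on port 12290 as in the article, that the export folder exists on both servers, and that the function and file names used here are hypothetical.

```powershell
# Added example: export the Workflow Manager certificate chain on the WFM server,
# then register every certificate in the chain as a SharePoint trusted root.
# Assumes the WFM HTTPS binding is on port 12290 and F:\WFcerts exists (hypothetical path).

# --- Run on the Workflow Manager server (needs the WebAdministration module) ---
function Export-WorkflowManagerCertChain {
    param([string]$OutDir = 'F:\WFcerts', [int]$Port = 12290)
    Import-Module WebAdministration
    # Find the certificate thumbprint bound to the WFM HTTPS port
    $binding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $Port } | Select-Object -First 1
    if (-not $binding) { throw "No SSL binding found on port $Port" }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.Thumbprint }
    # Build the chain; allow an unknown root so a self-signed (auto-generated) cert still yields a chain element
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $null = $chain.Build($cert)
    $files = @()
    $i = 0
    foreach ($element in $chain.ChainElements) {
        # DER-encoded .cer with the public part only (same as "No, do not export the private key")
        $bytes = $element.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        $path = Join-Path $OutDir ("WFcert{0}.cer" -f $i)
        [System.IO.File]::WriteAllBytes($path, $bytes)
        $files += $path
        $i++
    }
    return $files   # copy these files to the SharePoint server
}

# --- Run on the SharePoint server in the SharePoint Management Shell ---
function Import-SPWorkflowManagerCerts {
    param([string]$CertDir = 'F:\WFcerts')
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $trusted = Get-SPTrustedRootAuthority
    foreach ($file in Get-ChildItem -Path $CertDir -Filter '*.cer') {
        $cert = Get-PfxCertificate -FilePath $file.FullName
        # Skip certificates the farm already trusts (compare by thumbprint, not by friendly name)
        if ($trusted | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }) {
            Write-Host "Already trusted: $($cert.Subject)"
            continue
        }
        New-SPTrustedRootAuthority -Name ("WFTrust-" + $cert.Thumbprint) -Certificate $cert | Out-Null
        Write-Host "Added trust for $($cert.Subject) ($($cert.Thumbprint))"
    }
}
```

Run Export-WorkflowManagerCertChain on the WFM server, copy the resulting .cer files to the SharePoint server, then run Import-SPWorkflowManagerCerts there; Get-SPTrustedRootAuthority afterwards should list one WFTrust entry per certificate in the chain.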

This concludes the article. We have successfully fixed the certificate issue; hopefully this solves your issue too.

Keep reading and liking.