SSL Connection fails after update to version 25 (25.0.23364.25412)
Describe the bug
HttpClient call fails with: "The SSL connection could not be established; the remote certificate is invalid because of errors in the certificate chain: UntrustedRoot, RevocationStatusUnknown, OfflineRevocation" in version 25, SaaS environment. In older versions and Docker (https://bcartifacts.azureedge.net/sandbox/25.0.23364.25738/nl), the same call works without problems.
To Reproduce
var
    Client: HttpClient;
...
Client.Clear();
Client.AddCertificate(Certificate1Base64, Certificate1PassPhrase);
clear(ResponseMsg);
if (NOT Client.Send(RequestMsg, ResponseMsg)) then
    Error(GLB_MSG_ERROR, 'Client.Get', GetLastErrorText(), '');
The certificate used is the "PKI-Overheid certificate" (https://www.pki-overheid-certificaat.nl/certificaten/), which is used to authenticate Dutch government APIs.
Expected behavior
The HttpClient call succeeds.
Actual behavior
The HttpClient call fails with the following GetLastErrorText(): "The SSL connection could not be established, see inner exception. The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot, RevocationStatusUnknown, OfflineRevocation"
Versions:
- AL Language: V14
- Visual Studio Code:
- Business Central: 25.0.23364.25412 (SaaS)
- List of Visual Studio Code extensions that you have installed:
- Operating System:
- [ *] Windows
- [ ] Linux
- [ ] MacOS
Final Checklist
Please remember to do the following:
- [X] Search the issue repository to ensure you are reporting a new issue
- [X] Reproduce the issue after disabling all extensions except the AL Language extension
- [X] Simplify your code around the issue to better isolate the problem
The error message is about the remote certificate. That means it is not about the client certificate but about the SSL certificate used by the endpoint https://api.mijn.overheid.nl.
The certificate used by this site is issued by a certificate authority that is not in the trusted store. See also this report: https://www.ssllabs.com/ssltest/analyze.html?d=api.mijn.overheid.nl
In BC v25 the default behavior of the HttpClient for certificate validation has changed. I couldn't find any documentation, but Stefano Demiliani blogged about it here: https://demiliani.com/2024/09/23/dynamics-365-business-central-httpclient-and-remote-certificate-validation-future-changes/
In my opinion, this change should have been documented properly because it is a breaking change (maybe I didn't search well enough?). And we should get an option to bypass the validation check or, even better, provide the root certificate to the HttpClient as a custom trusted root certificate.
I have the same issue, currently blocking the entire project development if we don't get a way to provide the root certificate(s).
I also have the same issue. This is also breaking fiscalizations/e-invoices in most countries...
In Serbia simply pulling configuration or allowed tax-rates doesn't work anymore: https://api.suf.purs.gov.rs/api/v3/tax-rates https://api.suf.purs.gov.rs/api/v3/configuration
Government site...
It is working again in v25.0 and v25.1, in both production and sandbox environments. Did some research and wrote a blog post: https://www.kauffmann.nl/2024/12/02/httpclient-and-certificate-validation-in-business-central-v25/
Hi, I wonder if these are related and if anyone has pointers on how to call an API inside Docker from within the same container. The self-signed certificate causes an error when calling the API from the Graph library.
https://github.com/issues/created?issue=microsoft%7CALAppExtensions%7C29497
It did not help to install the self-signed certificate in the container by running this in the container's PowerShell:
Import-Certificate -FilePath C:\folder\certificate.cer -CertStoreLocation Cert:\LocalMachine\Root
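
The trust decision discussed in this thread (a server certificate chaining to a root that is not in the platform's trusted store, versus validating against a root the caller supplies) can be reproduced at the .NET level. The following PowerShell 7 script is an added example, not code from the issue or from Business Central; `Test-Chain`, `api.example.test` and both certificates are constructed for illustration, and revocation checking is switched off only because the constructed certificates publish no CRL or OCSP endpoint.

```powershell
#requires -Version 7.0
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-Chain {
    param(
        [X509Certificate2]   $Certificate,
        [X509Certificate2[]] $ExtraCerts   = @(),  # certificates the server sent along with its own
        [X509Certificate2[]] $TrustedRoots = @()   # empty = validate against the machine's trusted roots
    )
    $chain = [X509Chain]::new()
    try {
        $policy = $chain.ChainPolicy
        # Constructed certificates carry no CRL/OCSP URLs; keep revocation on for real endpoints.
        $policy.RevocationMode = [X509RevocationMode]::NoCheck
        foreach ($c in $ExtraCerts) { [void]$policy.ExtraStore.Add($c) }
        if ($TrustedRoots.Count -gt 0) {
            # Trust only the supplied roots instead of the machine store.
            $policy.TrustMode = [X509ChainTrustMode]::CustomRootTrust
            foreach ($r in $TrustedRoots) { [void]$policy.CustomTrustStore.Add($r) }
        }
        $ok = $chain.Build($Certificate)
        [pscustomobject]@{
            Valid  = $ok
            Status = ($chain.ChainStatus.Status -join ', ')
        }
    } finally { $chain.Dispose() }
}

# Constructed sample data: a throwaway private root CA and a server certificate it issues.
$now     = [DateTimeOffset]::UtcNow
$rootKey = [RSA]::Create(2048)
$rootReq = [CertificateRequest]::new('CN=Example Private Root (constructed)', $rootKey,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$rootReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$root    = $rootReq.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))

$leafKey = [RSA]::Create(2048)
$leafReq = [CertificateRequest]::new('CN=api.example.test', $leafKey,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$leaf    = $leafReq.Create($root, $now.AddHours(-1), $now.AddDays(7), [byte[]](1, 2, 3, 4))

# Case 1: the root is only presented by the peer, so the machine store decides trust.
Test-Chain -Certificate $leaf -ExtraCerts $root
# Case 2: the caller pins the private root as the sole trust anchor for this validation.
Test-Chain -Certificate $leaf -TrustedRoots $root
```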