
Getting chain status "RevocationStatusUnknown" on IMAP with SSL authentication on production server


In my system, the client supplies the configuration for an e-mail service that is responsible for delivering and receiving the log communications inside the system. I'm getting this error when I try to test the connection with an SSL IMAP server, from a production Windows 2008 R2 Server, using MailKit, inside an ASP.NET web site:

Exception: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. System.Security.Cryptography.X509Certificates.X509ChainStatus status: RevocationStatusUnknown - "The revocation function was unable to check revocation for the certificate"

When I try to connect from my PC or from a Windows 2008 R2 Server virtual machine, the connection is successful. Moreover, when I try to connect via the command line with OpenSSL.dll from the production server, the connection is successful. I made a console application with the same code, no changes, and this application can connect to the IMAP server, but when the connection is made from the website or from the service, the error is thrown.

Here's the code:

    using System;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using MailKit;
    using MailKit.Net.Imap;

    // Application logging facade used in the post; this minimal stand-in is assumed so the code compiles.
    static class Log
    {
        public static void Error(Exception ex) { Console.Error.WriteLine(ex); }
        public static void Info(string message) { Console.WriteLine(message); }
    }

    public class ImapConnectionTester
    {
        // Connection settings come from the client-supplied e-mail configuration (fields assumed; not shown in the post).
        private string host;
        private int port;          // assumed: 993 for SSL, 143 otherwise; MailKit's Connect needs a port
        private bool IsSSl;
        private string emailUserName;
        private string emailPassword;
        private FolderAccess folderAccess = FolderAccess.ReadOnly;

        // test method
        public bool Testar()
        {
            try
            {
                using (var client = new ImapClient(new ProtocolLogger("IMAP.log")))
                {
                    client.ServerCertificateValidationCallback = VerificarErrosCertificadosServer;
                    client.Connect(host, port, this.IsSSl);
                    client.Authenticate(emailUserName, emailPassword);
                    var inbox = client.Inbox;
                    inbox.Open(folderAccess);
                    client.Disconnect(true);
                    return true;
                }
            }
            catch (Exception ex)
            {
                Log.Error(ex);
                return false;
            }
        }

        // VerificarErrosCertificadosServer method: MailKit calls this with the server certificate and the chain it built
        private static bool VerificarErrosCertificadosServer(object sender, X509Certificate certificate,
                                                             X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            if (sslPolicyErrors == SslPolicyErrors.None)
            {
                return true;
            }

            if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            {
                if (chain != null && chain.ChainStatus != null)
                {
                    foreach (X509ChainStatus status in chain.ChainStatus)
                    {
                        // Every chain status is logged; this is where "RevocationStatusUnknown" shows up.
                        Log.Info("System.Security.Cryptography.X509Certificates.X509ChainStatus status: " + status.Status.ToString() + " - " + status.StatusInformation);
                        if ((certificate.Subject == certificate.Issuer) &&
                            (status.Status == X509ChainStatusFlags.UntrustedRoot))
                        {
                            // Self-signed certificates, untrusted root, but valid.
                            continue;
                        }
                        else if (status.Status != X509ChainStatusFlags.NoError)
                        {
                            // any error (RevocationStatusUnknown included) rejects the certificate
                            return false;
                        }
                    }
                }
                return true;
            }
            else
            {
                // Name mismatch or no certificate at all: reject.
                return false;
            }
        }
    }

Any ideas?
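To see why the default validation reports RevocationStatusUnknown only under the site's identity, the callback below (an added example, not the poster's code) rebuilds the chain with an explicit online revocation policy, logs each chain status, and, when the only failures are revocation lookups, prints the certificate's CRL and OCSP endpoints so reachability from that account can be checked. It assumes it replaces VerificarErrosCertificadosServer as client.ServerCertificateValidationCallback; the class and member names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical diagnostic callback, assigned to client.ServerCertificateValidationCallback.
static class RevocationDiagnostics
{
    // Extensions that carry the CRL / OCSP endpoints the validating process must be able to reach.
    const string CrlDistributionPointsOid = "2.5.29.31";
    const string AuthorityInfoAccessOid = "1.3.6.1.5.5.7.1.1";
    // Statuses that mean "could not look up revocation", as opposed to "certificate is bad".
    const X509ChainStatusFlags LookupFailures =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;
        // Anything other than a chain problem (name mismatch, no certificate) is rejected outright.
        if ((sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;

        // Rebuild the chain under the current process identity with an explicit revocation policy,
        // so the log shows exactly what the framework's default validation could not do.
        var cert2 = new X509Certificate2(certificate);
        var diag = new X509Chain();
        diag.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        diag.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        diag.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
        bool ok = diag.Build(cert2);
        foreach (var status in diag.ChainStatus)
            Console.WriteLine("chain status: {0} - {1}", status.Status, (status.StatusInformation ?? "").Trim());

        bool onlyLookupFailures = diag.ChainStatus.Length > 0
            && diag.ChainStatus.All(s => (s.Status & ~LookupFailures) == 0);
        if (onlyLookupFailures)
        {
            // The certificate itself checked out; the process could not fetch revocation data.
            // Print the endpoints so the identity's network/proxy access to them can be verified.
            Console.WriteLine("revocation data unreachable from identity {0}", Environment.UserName);
            foreach (var ext in cert2.Extensions)
                if (ext.Oid.Value == CrlDistributionPointsOid || ext.Oid.Value == AuthorityInfoAccessOid)
                    Console.WriteLine("{0}:{1}{2}", ext.Oid.FriendlyName, Environment.NewLine, ext.Format(true));
        }
        // Fail closed: an unknown revocation status is still not a validated certificate.
        return ok;
    }
}
```

Running it from the web site and from the console application side by side shows whether the difference lies in the chain itself or in the account's ability to reach the revocation endpoints.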


Solution

  • I've added an admin user to the website appPool identity, and it worked. Now I know what to do: I have to add an admin account to the appPool and to the service. Thanks to @ebyrob.