In this article, we explain and fix an issue with SharePoint 2016 and Workflow Manager 1.1 CU2. In a fresh SharePoint 2016 RTM farm with Workflow Manager 1.1 installed, publishing a SharePoint 2013 Designer workflow fails with the error “The remote certificate is invalid according to the validation procedure”. The error appears in the ULS logs as well as in the UI:
```
01/18/2016 16:25:17.53 w3wp.exe (kfsp:0x3764) 0x5758 SharePoint Server Workflow Services ahwae Medium Error publishing workflow definition (ItemUpdating) information:
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at Microsoft.Workflow.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)
   at Microsoft.Workflow.Client.HttpGetResponseAsyncResult`1.End(IAsyncResult result)
   at Microsoft.Workflow.Client.ClientHelpers.SendRequest[T](HttpWebRequest request, T content)
   at Microsoft.Workflow.Client.WorkflowManagementClient.SendRequest[T](HttpWebRequest request, T content)
   at Microsoft.Workflow.Client.ScopeManager.PublishScopeInternal(ScopeDescription description, String[] pathSegments)
   at Microsoft.Workflow.Client.ScopeManager.PublishChildScope(String childScopeName, ScopeDescription description)
   at Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.CreateServiceGroup(String scopeAddress, ScopeDescription serviceGroup)
   at Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.CreateOrUpdateServiceGroup(SPWeb lookupWeb, SPAppPrincipal app)
   at Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.<SetupApplicationEcosystem>b__3()
   at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
   at Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.SetupApplicationEcosystem()
   at Microsoft.SharePoint.WorkflowServices.FabricWorkflowDeploymentProvider.PublishDefinition(WorkflowDefinition workflowDefinition)
   at Microsoft.SharePoint.WorkflowServices.WorkflowDefinitionStorageEventReceiver.PublishDefinition(SPItemEventProperties properties)
```
Root cause
During configuration, we used the auto-generated certificate for Workflow Manager. Because of this, the chain to the root certificate is broken from SharePoint's point of view. The reason is that SharePoint implements its own certificate validation policy, which overrides the .NET certificate validation.
Resolution
Build a trust between Workflow Manager and SharePoint 2016. To do this, export the Workflow Manager certificates from the WFM server and upload them into SharePoint 2016. Follow the steps given below.
Export Certificate from Workflow Manager Server
- Log in to the server with the farm credentials.
- Open IIS Manager > Sites, right-click the Workflow Management site, and then choose Edit Bindings.
- In this pop-up, select the https binding on port 12290 and then choose Edit.
- In this pop-up, click the View button in the SSL certificate section.
- In the Certificate window, click the Details tab.
- On the Details tab, choose Copy to File to export the certificate.
- In the wizard:
  - Click Next.
  - Choose No, do not export the private key.
  - Choose DER encoded binary X.509 (.CER).
  - Select the path where you want to store the certificate and give it a name (we use WFcert.cer).
  - Click Finish.
  - You will get the Export Successful message.
- Now you have WFcert.cer.
Note
In my case, I used the auto-generated certificate, so it is the only certificate in the chain. If you are using SSL certificates, you have to export all the certificates in the certification path.
Import certificate to SharePoint 2016 Central Admin
- Copy the certificate from WFM Server to SharePoint Central Admin Server.
- Log in with the farm administrator account.
- In the SharePoint Central Administration site, go to Security > General Security > Manage Trust.
- On this page, click New.
- On this page, upload the certificate to SharePoint:
  - Give it a friendly name.
  - Browse to the path where the certificate is stored.
  - Click OK.
- Repeat the steps given above for every certificate in the chain.
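Import certificate to SharePoint using PowerShell
- Log in with the farm administrator credentials on the SharePoint server.
- Launch the SharePoint PowerShell window.
- Run the PowerShell commands given below.

```powershell
# Load the exported Workflow Manager certificate (public key only)
$trustCert = Get-PfxCertificate "F:\WFcert.cer"
# Register it as a trusted root authority named WFTrust in the SharePoint farm
New-SPTrustedRootAuthority WFTrust -Certificate $trustCert
```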
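The two commands above import a single file. As an added example (not part of the original article), the script below handles the case from the note where every certificate in the chain has to be trusted: it inspects each exported file, prints its thumbprint for comparison with the certificate shown in the IIS binding, and skips anything already trusted. The folder F:\WFcerts and the naming scheme are assumptions.

```powershell
# Added example, not from the original article.
# Assumptions: the exported .cer files were copied to F:\WFcerts (hypothetical
# folder) and this runs in the SharePoint PowerShell window as farm administrator.
$certFolder = 'F:\WFcerts'   # hypothetical path
$namePrefix = 'WFTrust'      # friendly-name prefix, as used in the article

# Thumbprints SharePoint already trusts, so the script can be re-run safely.
$trusted = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })
$now = Get-Date

foreach ($file in Get-ChildItem -Path $certFolder -Filter '*.cer') {
    $cert = Get-PfxCertificate -FilePath $file.FullName

    # Show what is about to be trusted; compare the thumbprint with the one
    # shown by the View button in the IIS binding on the Workflow Manager server.
    $info = '{0}: Subject={1} Issuer={2} Thumbprint={3}' -f $file.Name, $cert.Subject, $cert.Issuer, $cert.Thumbprint
    Write-Host $info

    # The export step says not to export the private key; refuse files that carry one.
    if ($cert.HasPrivateKey) {
        Write-Warning "$($file.Name) contains a private key; re-export without it. Skipped."
        continue
    }
    # Do not add a certificate that is outside its validity period.
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning "$($file.Name) is not valid today ($($cert.NotBefore) to $($cert.NotAfter)). Skipped."
        continue
    }
    if ($trusted -contains $cert.Thumbprint) {
        Write-Host '  already trusted, nothing to do'
        continue
    }

    # One trusted root authority entry per certificate in the chain.
    $name = '{0}-{1}' -f $namePrefix, $file.BaseName
    New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
    $trusted += $cert.Thumbprint
    Write-Host "  added as $name"
}

# Final state: every certificate SharePoint now treats as a trusted root.
Get-SPTrustedRootAuthority |
    Select-Object Name,
        @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } },
        @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } }
```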
This concludes the article. We successfully fixed the certificate issue. I hope this solves your issue.