TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

App Store - Error! The SSL connection could not be established, see inner exception. #814

Closed Flagelmann closed 6 months ago

Flagelmann commented 6 months ago

Hello,

I'm getting the following error while trying to get the list of available apps from within the Technitium DNS portal.

The rest of the functionalities of the DNS server are working.

ShreyasZare commented 6 months ago

Thanks for the post. Check the DNS logs from the admin web panel and see if there is any error logged in there related to this. Post any such error log here to help understand the issue better.

Flagelmann commented 6 months ago

The DNS log is and remains empty after triggering that error (I also tried first emptying the actual logs and then re-triggering the error to check more clearly for any specific entry for this issue).

What is the URL that the App Store should contact to retrieve the app list?

EDIT: the only "error" that I got, but it is not related to this issue it seems, is the following (I'm using the latest version of the DNS Server, 11.5.3):

[2023-12-29 12:28:10 Local] [192.168.1.11:56277] Check for update was done {updateAvailable: False;}
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(QueueItem queueItem)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.HttpConnectionWaiter1.WaitForConnectionAsync(Boolean async, CancellationToken requestCancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at TechnitiumLibrary.Net.Http.Client.HttpClientNetworkHandler.InternalSendAsync(HttpRequestMessage request, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Http\Client\HttpClientNetworkHandler.cs:line 99
   at TechnitiumLibrary.Net.Http.Client.HttpClientNetworkHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Http\Client\HttpClientNetworkHandler.cs:line 242
   at System.Net.Http.HttpClient.GetStringAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)
   at DnsServerCore.WebServiceApi.GetCheckForUpdateJsonData() in Z:\Technitium\Projects\DnsServer\DnsServerCore\WebServiceApi.cs:line 82
   at DnsServerCore.WebServiceApi.CheckForUpdateAsync(HttpContext context) in Z:\Technitium\Projects\DnsServer\DnsServerCore\WebServiceApi.cs:line 153

Flagelmann commented 6 months ago

Basically it seems that there is a remote certificate issue (NotTimeValid). Is it expired?

ShreyasZare commented 6 months ago

Thanks for the details. The URL that is used to fetch the data is: https://download.technitium.com/dns/apps/apps2.json

The certificate is valid and it's working well from multiple locations. Try that URL from any web browser and see if it's loading from your location.

Flagelmann commented 6 months ago

Ok, I checked the URL and all the specs about the certificate.

So you are using Let's Encrypt and I think that that's the "issue", I mean, the issue is not Let's Encrypt itself, but the ISRG Root X1 certificate in the authority chain.

I had some issues with that certificate a while ago and then I switched to ZeroSSL to get rid of it on the Linux system.

I checked the system CA certificates and they seem OK, but probably that certificate is not being accepted for some reason (on my system).

ShreyasZare commented 6 months ago

> Ok, I checked the URL and all the specs about the certificate.
>
> So you are using Let's Encrypt and I think that that's the "issue", I mean, the issue is not Let's Encrypt itself, but the ISRG Root X1 certificate in the authority chain.
>
> I had some issues with that certificate a while ago and then I switched to ZeroSSL to get rid of it on the Linux system.
>
> I checked the system CA certificates and they seem OK, but probably that certificate is not being accepted for some reason (on my system).

That issue is quite old actually and has been discussed already in #335. You can use this fix discussed here.

Flagelmann commented 6 months ago

Ok, fixed that.

There was a legacy entry in the /etc/ca-certificates.conf and two legacy .pem files related to the ISRG Root X1 in /etc/ssl/certs/. I have manually cleaned up the .conf and the two .pem files and restarted the DNS Server.

Now the App Store is working again. :)

Thanks a lot.
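
A read-only audit for the condition described in the comment above (a legacy entry in /etc/ca-certificates.conf and stale .pem files in /etc/ssl/certs), added here as an example and not taken from the thread or from the Technitium project. It assumes a Debian-style layout with CA sources under /usr/share/ca-certificates and the `openssl` CLI on the path; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list trust-store leftovers without changing anything.

# Print ca-certificates.conf entries whose source file no longer exists.
# '#' lines are comments; a leading '!' marks a CA that has been deselected.
stale_conf_entries() (
  conf=${1:-/etc/ca-certificates.conf}
  share=${2:-/usr/share/ca-certificates}   # assumption: Debian/Ubuntu layout
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    entry=${line#"!"}
    [ -e "$share/$entry" ] || printf '%s\n' "$line"
  done < "$conf"
)

# Print each certificate file in a directory that is already expired, or that
# expires within the next $2 seconds (default 0), as: path, subject, notAfter.
# For a bundle file only the first certificate is inspected.
expiring_certs() (
  dir=${1:-/etc/ssl/certs}
  window=${2:-0}
  for f in "$dir"/*.pem "$dir"/*.crt; do
    [ -f "$f" ] || continue
    # Skip files that are not parseable certificates (keys, CRLs, junk).
    openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
    # -checkend exits non-zero when the cert is not valid that far ahead.
    if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
      printf '%s\t%s\t%s\n' "$f" \
        "$(openssl x509 -in "$f" -noout -subject)" \
        "$(openssl x509 -in "$f" -noout -enddate)"
    fi
  done
)

# Usage (read-only):
#   stale_conf_entries
#   expiring_certs /etc/ssl/certs 0
```

Anything either function prints is a candidate for manual review; after removing entries or files, `update-ca-certificates --fresh` rebuilds the symlinks and bundle on Debian-style systems.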

ShreyasZare commented 6 months ago

Good to know it worked.