SharePoint 2013 Server Troubleshooting: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

Issue

Could not establish trust relationship for the SSL/TLS secure channel with authority

Environment:

SharePoint 2013 farm with multiple nodes connected to a load balancer.

The farm uses a service-oriented architecture to connect to other services from the SharePoint app servers.

The SharePoint nodes connect to those services through defined endpoints.

Symptoms:

SharePoint servers communicate with the remote service over HTTPS (SSL).

When I check the validity of the remote certificate from the browser, it shows as valid.


Resolution

It took me a while to figure this out. It is true that the problem is with the certificate, but it is not the end certificate.

The certificate chain is broken at the intermediate level.

You can find this easily by checking the certificate details.


Then navigate to the Certification Path tab.


You should see the Root and Intermediate certificates as verified. If they are not valid or have expired, you will see a warning sign next to the certificate.
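The same Certification Path check can be run from the SharePoint server itself, which is the machine whose trust stores decide the outcome. The following PowerShell is an added example, not part of the original post; the function name and the host name in the usage comment are placeholders.

```powershell
# Added example: list every element of the chain the server builds for a remote
# HTTPS endpoint, with the status Windows assigns to each element.
function Get-RemoteCertificateChain {
    param(
        [Parameter(Mandatory = $true)] [string] $RemoteHost,
        [int] $Port = 443
    )
    $report = New-Object System.Collections.ArrayList
    # The callback records the chain and lets the handshake finish so the
    # full result can be read. No application data is sent on this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        foreach ($element in $chain.ChainElements) {
            $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
            [void] $report.Add([pscustomobject]@{
                Subject  = $element.Certificate.Subject
                Issuer   = $element.Certificate.Issuer
                NotAfter = $element.Certificate.NotAfter
                Status   = if ($status) { $status } else { 'OK' }
            })
        }
        # Last row: the overall verdict (None means the chain was trusted).
        [void] $report.Add([pscustomobject]@{
            Subject = '(overall)'; Issuer = ''; NotAfter = $null; Status = "$sslPolicyErrors"
        })
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($RemoteHost, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($RemoteHost)
        $ssl.Dispose()
    }
    finally { $client.Close() }
    $report
}

# Usage (placeholder host name):
# Get-RemoteCertificateChain -RemoteHost 'service.example.internal' | Format-List
```

A chain that stops before a root and reports `PartialChain` means an intermediate is missing on this machine; `UntrustedRoot` means the root is not in the Trusted Root store; `NotTimeValid` marks an expired element.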

How to Resolve

First, you need to understand that for a browser or any SSL/TLS client to trust the traffic, every certificate in the chain must be valid,

unless you write custom code that skips validation.

But if they are not valid or have expired, you need to trust them first on your machines (Root and Intermediate).

To do that, you need to install the Root and Intermediate certificates on the machine that initiates the connection. In my case, that is the SharePoint servers.

Easiest Method

Open the certificate in the browser as I mentioned above and navigate to the Certification Path tab.

Double-click the certificate.


You will then see the details of the certificate.

Go to the Details tab and click Copy to File...


Here you can export the certificate in .cer format and save it to any convenient location.

Then open the MMC console,


and add the Certificates snap-in using

File -> Add/Remove Snap-in


Here you will be prompted to select the location; select Computer Account,

and then Local Computer.

Then import your saved certificate into the Root or Intermediate store as needed.

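On a farm with several nodes, the MMC import can be scripted so that every server gets the same certificate in the same store. This is an added example, not from the original post; the function name and the file path in the usage comment are hypothetical. It picks the store with a simple heuristic (subject equals issuer means a root) and returns the thumbprint so it can be compared with the value published by the issuing CA.

```powershell
# Added example: import an exported .cer file into the Local Computer store.
# Run from an elevated PowerShell session on each SharePoint server.
function Add-CaCertificateToMachineStore {
    param([Parameter(Mandatory = $true)] [string] $Path)

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object "$x509.X509Certificate2" -ArgumentList $fullPath

    # Heuristic (assumption): a self-issued certificate is a root; anything
    # else goes to Intermediate Certification Authorities.
    $storeName = if ($cert.Subject -eq $cert.Issuer) {
        [System.Security.Cryptography.X509Certificates.StoreName]::Root
    } else {
        [System.Security.Cryptography.X509Certificates.StoreName]::CertificateAuthority
    }
    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine

    $store = New-Object "$x509.X509Store" -ArgumentList $storeName, $location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $store.Add($cert)   # adding a certificate that is already present is a no-op
    }
    finally {
        $store.Close()
    }

    # Report what was installed and where, for the change record.
    [pscustomobject]@{
        Store      = "LocalMachine\$storeName"
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
    }
}

# Usage (hypothetical path):
# Add-CaCertificateToMachineStore -Path 'C:\Temp\intermediate-ca.cer'
```

Importing a certificate whose `NotAfter` date has passed does not make the chain valid; in that case obtain the CA's current certificate and import that instead.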