Could not establish trust relationship for the SSL/TLS secure channel.

    Question

  •  

    Hi,

     

    I have just installed SQL Server 2008 Feb CTP. When I try and open the Reporting Services webpage i.e. http://Reportserver/Reports/ I get the error:

     

    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

     

    In the Reporting Services config, I can't see how to turn this off, apart from removing the SSL entry (port 443 details etc), but this just creates another error.

     

    I am more a developer, so don't really understand SSL, I am just trying to display some reports I have created in 2008.

     

    I am running this on Windows XP.

     

    Many thanks

     

    Brett

    Wednesday, February 27, 2008 8:53 AM

Answers

  • SSL is a little complex and there are a number of things to investigate.

     

    When using SSL, using the incorrect URLs can result in failures like the one you listed above. 

     

    Check the SSL Certificate (steps for viewing certificates are listed below):

    • The value in Issued To is what you need to provide in the URL.  If Issued To is "machine.domain.com" then typing http://localhost... in the browser will fail.  Instead try https://<IssuedTo>...
    • Intended Purposes must include Server Authentication
    • Ensure the SSL Certificate is issued by a certificate authority recognized by your Domain Controller.  Otherwise Report Manager will fail to connect to Report Server.  Self signed certificates do not work.

     

    In Reporting Services Configuration Manager:

    • Ensure a SSL URL is reserved and that a valid certificate is selected
    • Ensure the IP address selected for the certificate binding is correct

     

    In rsreportserver.config

    • Set HostName property to the value of IssuedTo, or
    • Set ReportServerURL explicitly
    • To disable SSL by default set SecureConnectionLevel to 0

    To see the certificates you're using:

    • use mmc (Start --> run --> mmc --> enter)
    • Add the Certificates Add in (File --> Add/Remove Snap-in --> Add... --> Certificates)
    • Select Computer Account (Next --> Finish --> Close --> OK)
    • Under Console Root look at the "Personal" certificates.  If you're using a command line tool instead, the certificates are in the "MY" store.
    • Expand Certificates (Local Computer), Expand Personal, Click on Certificates
    • SSL can use any certificate in this store where the Intended Purposes list contains "Server Authentication"

    Thanks,

    -Lukasz

     

    Wednesday, February 27, 2008 5:42 PM
    Moderator
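
    The certificate checks listed in the answer above (Issued To matches the URL host, Intended Purposes include Server Authentication, issuer is trusted) can also be run from PowerShell against the same "MY" store. This is an added example, not part of the original post; the default host name and the Test-CertNameMatch helper are illustrative assumptions, trust is evaluated on the local machine, and the wildcard rule shown is standard TLS name matching, not a statement about what Reporting Services supports.

```powershell
# Added example: audit LocalMachine\My for certificates usable with an https:// URL.
param(
    # Assumption: the host name that clients will type in the https:// URL.
    [string]$UrlHost = 'machine.domain.com'
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU OID for Server Authentication

function Test-CertNameMatch {
    param([string]$CertName, [string]$HostName)
    $c = $CertName.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if ($c -eq $h) { return $true }
    # A wildcard covers exactly one left-most label: *.domain.com matches
    # rs.domain.com, but not domain.com, a.b.domain.com or localhost.
    if ($c.StartsWith('*.')) {
        $suffix = $c.Substring(1)                       # ".domain.com"
        if ($h.EndsWith($suffix)) {
            $label = $h.Substring(0, $h.Length - $suffix.Length)
            return ($label.Length -gt 0 -and -not $label.Contains('.'))
        }
    }
    return $false
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    # First DNS name from the SAN extension, or the subject CN if there is no SAN.
    $issuedTo = $cert.GetNameInfo($dnsType, $false)
    # An empty EKU list means the certificate is not restricted to specific purposes.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    # Build the chain with the default policy; a self-signed certificate whose
    # root is not in Trusted Root Certification Authorities reports UntrustedRoot.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        IssuedTo     = $issuedTo
        Thumbprint   = $cert.Thumbprint
        NameMatches  = Test-CertNameMatch $issuedTo $UrlHost
        ServerAuth   = ($ekus.Count -eq 0) -or ($ekus -contains $serverAuthOid)
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Expired      = $cert.NotAfter -lt (Get-Date)
    }
} | Format-Table -AutoSize
```

    A certificate is a candidate for the SSL binding only when NameMatches, ServerAuth and ChainTrusted are all True and Expired is False; run it on the machine that makes the HTTPS request, since that is where the trust decision is made.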
  •  

    Hi Lukasz,

     

    Sorry I have only just had time to try this again.

     

    I started from scratch again, to make sure I was not getting the "collecting CTP's" issue the other poster mentioned.

    I installed a fresh copy of Windows Server 2003 (on a formatted server). Installed .net 3.5, and then Installed the Feb CTP.

     

    Went into bids and tried to deploy to http://localhost/reportserver and got a SSL/TLS secure channel error again.

     

    Changed the SecureConnectionLevel to 0 and rebooted, and then it worked.

     

    many thanks

     

    Brett

     

    Wednesday, March 05, 2008 3:03 PM

All replies

  • I had the same error. I thought it was a result of accumulating CTPs. I couldn't figure out a solution by changing the config files. I solved the issue by:

    1. Uninstalling Reporting Services only.
    2. Removing all Reporting Services folders under C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services.
    3. Installing Reporting Services. Since CTP Feb doesn't support adding features through the setup UI, I had to add RS from the command line, as explained in the How to: Install SQL Server 2008 from the Command Prompt topic in BOL.
    Code Snippet

    Setup.exe /q /ACTION=Install /FEATURES=RS /INSTANCENAME=MSSQLSERVER /RSSVCACCOUNT="DomainName\UserName" /RSSVCPASSWORD="StrongPassword"

     

     

    Wednesday, February 27, 2008 2:06 PM
    Moderator
  • Are you still having trouble connecting?  If not, please mark a post on this thread as the answer to your question, or provide input on what you had to do to make it work.

     

    Otherwise, I'll mark my post above as an answer in 3 days if I do not hear back.

     

    Thanks,

    -Lukasz

    Monday, March 03, 2008 6:06 PM
    Moderator
  • Hi SSRS users

     

    I got the same error with SSRS 2005.

     

    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

     

    My cert was issued from my DC's CA... everything in IIS appeared to be correct.

     

    I found that after issuing the cert, I needed to open the Reporting Services Configuration tool,

    go to the "Report Server Virtual Directory" setting and manually type in the Certificate Name. 

     

    Chris Betlach

    Tuesday, March 11, 2008 4:54 PM
  • I have this same problem. Does someone have more details about it?

    Check the SSL Certificate (steps for viewing certificates are listed below):

    • The value in Issued To is what you need to provide in the URL.  If Issued To is "machine.domain.com" then typing http://localhost... in the browser will fail.  Instead try https://<IssuedTo>...

    I can navigate to https://MySite/ReportServer. This is an https request. Does this mean that the certificate configuration is fine?

    • Intended Purposes must include Server Authentication

    • Ensure the SSL Certificate is issued by a certificate authority recognized by your Domain Controller.  Otherwise Report Manager will fail to connect to Report Server.  Self signed certificates do not work.


    My certification Test

    Certificate Client: https://digitalid.certisign.com.br/trial/cgi-bin/getcacert


    In Reporting Services Configuration Manager:

    • Ensure a SSL URL is reserved and that a valid certificate is selected
    Where does RS choose a certificate? For me, until I installed a certificate, the check box in Report Server Virtual Directory was disabled. But I didn't choose a certificate. I just installed one in IIS.
    • Ensure the IP address selected for the certificate binding is correct
    I don't know where I can check it.

    In rsreportserver.config

    • Set HostName property to the value of IssuedTo, or
    ??? I have no idea.
    • Set ReportServerURL explicitly
    OK
    • To disable SSL by default set SecureConnectionLevel to 0
    How can I do that if it is a combobox starting with 1???

     

     

    My doubt is that I have read that Certificate Name is Machine name, root name and other things...

    Can someone help me?

     



    Friday, July 24, 2009 9:22 PM
  •  The value in Issued To is what you need to provide in the URL.  If Issue To 

     

    We have Issued to as  *.domain.com

     

    Then what should I change the url to?

     

    Thursday, April 15, 2010 9:47 PM
  • I am getting the "Could not establish trust relationship for the SSL/TLS secure channel" error.  When you say to ensure the SSL certificate issued by a CA recognized by the DC, I assume that you mean the certificate is installed on the DC.  Is that correct?  To install it, do I use the MMC snap in on the DC?  Do I put the certificate in the Personal folder?  Do I need to use ADCS?  Can you send me a link for the right approach?

    Wednesday, January 05, 2011 3:06 PM
  • I am not sure if wildcard certificate is supported for SSRS :(

    -- Hrvoje Kusulja

    Sunday, March 10, 2013 11:13 AM
  • It looks like SSRS report manager doesn't support wildcard certificates...
    Monday, March 18, 2013 12:51 PM
  • We have checked Microsoft documentation, but there is no warning or notification that a wildcard certificate is not supported for reporting.

    Are we sure, it is possible to set this up in SQL (2012 and 2014), but Lync does not do the deploy of monitoring reports. The sites itself are ok in IE, no warning about SSL certificates (100% ok).

    The Lync wizard is making a mistake, the site can be opened on fqdn. If I look in the wizard log file, lync works with the short name (not the FQDN).

    Is there a Microsoft statement that we cannot use a wildcard certificate? (I did not find it yet).

    Thursday, June 25, 2015 12:51 PM
  • "Self signed certificates do not work."

    Hi,

    Are you saying it is not possible to use SS certs with this? I am implementing a thin client application and we have it working through windows auth but the SSL is throwing an error when using a self signed cert generated (and the root cert) through using makecert.exe

    I've bound the cert thumbprint and a guid to the port using netsh http add sslcert ipport=0.0.0.0:8088 certhash=CERTIFICATE_THUMBPRINT appid={GENERATED_GUID}

    Just checking, this is not the root cert but the self signed cert, this then contains the FQDN in the subject line, this is the bit I think might be wrong. 

    Essentially, at the end of the process, I am not getting any success in this application working over SSL and just get

    Could not establish trust relationship for the SSL/TLS secure channel

    Can anyone provide any useful information or hints with this?

    Thanks in advance,

    Roy


    Monday, January 09, 2017 4:09 PM
  • Hi,

    I had the same issue. Finally, changed the SecureConnectionLevel to 0 in the rsreportserver.config file.  This allows you to access the reportserver without using ssl.  This did the trick for me.

    Of course, wasted about 4 hours trying to figure this out.  :-(  

    <Add Key="SecureConnectionLevel" Value="0"/>

    • Proposed as answer by Ati.sz Monday, July 10, 2017 6:14 AM
    Thursday, April 06, 2017 8:09 PM