ATA center certificate validation error - unknown certificate

Morten Houmann Jensen 1 Reputation point
2020-09-16T10:43:31.06+00:00

Hi

I'm having problems with a new install of ATA. No gateways are able to start the gateway service. They can connect and the update service starts fine.

The center log shows this error:

Error [CertificateValidator] System.IdentityModel.Tokens.SecurityTokenValidationException: Failed to validate certificate thumbprint [thumbprint=12045E195D6DB3C6E22B67D910B5A0904A5E36D8]

This thumbprint is not the ATA center certificate, and I cannot find it anywhere on the server, not in the DB configuration or any config files.

I tried reinstalling the ATA center, and now I have 2 (!) unknown certificates in the Microsoft.Tri.Center log.

2020-09-16 08:56:14.7486 4744 7 Debug [CenterConfigurationManager] Starting

2020-09-16 08:56:14.8106 4744 14 Error [CertificateValidator] System.IdentityModel.Tokens.SecurityTokenValidationException: Failed to validate certificate thumbprint [thumbprint=C2F22478F31DAA2414C3ADDD9F1CC031368D9426]
   at Microsoft.Tri.Infrastructure.Utils.CertificateValidator.Validate(String thumbprint)
   at async Microsoft.Tri.Common.Management.AppBuilderExtension.<>c__DisplayClass3_0.<UseCertificateValidation>b__0(?)
   at async Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.Invoke[](?)
   at async Microsoft.Tri.Common.Management.AppBuilderExtension.<>c.<UseExceptionHandler>b__2_0(?)

2020-09-16 08:56:14.8106 4744 11 Error [CertificateValidator] System.IdentityModel.Tokens.SecurityTokenValidationException: Failed to validate certificate thumbprint [thumbprint=12045E195D6DB3C6E22B67D910B5A0904A5E36D8]
   at Microsoft.Tri.Infrastructure.Utils.CertificateValidator.Validate(String thumbprint)
   at async Microsoft.Tri.Common.Management.AppBuilderExtension.<>c__DisplayClass3_0.<UseCertificateValidation>b__0(?)
   at async Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.Invoke
   at async Microsoft.Tri.Common.Management.AppBuilderExtension.<>c.<UseExceptionHandler>b__2_0(?)

I cannot find this setting anywhere, and I believe this is what's causing the problems for the gateways.

The [CenterConfigurationManager] configuration only shows the correct certificate:

"ServiceCertificateThumbprints": [
  "404530CEB8D9A06D327E1191CBAA03FCD1568ECF"
]

"SecretManagerConfiguration": {
  "CertificateThumbprint": "404530CEB8D9A06D327E1191CBAA03FCD1568ECF"
},


1 answer

  1. Eli Ofek (MSFT) 911 Reputation points Microsoft Employee
    2020-09-17T22:20:18.407+00:00

    Those are local Gateway self-signed certs.
    When you install a Gateway, the deployment creates a local self-signed cert and registers the gateway in the center with this cert's thumbprint.
    The error message you see means there is some gateway machine with the service starting up and trying to connect to the center, but the cert is not known to be any of the certs currently registered in the center.
    This most likely happens if you have a gateway service installed, then you delete it from the console instead of uninstalling it (which will also unregister it).
    So the service keeps running, but the center won't accept its calls any more.
    (A common mistake is to think that if you delete the gateway from the console, it will be auto-uninstalled from the machine, which is not true.)
    In the latest ATA releases (1.9.2+, I believe) the message should contain additional details, namely the IP address of the machine that tried to connect.
    If it should be connected, then your only option is to uninstall and reinstall it so it will be registered in the center from scratch.

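As an added example (not code from the question or the answer above, and not an ATA tool), the following Python script does the triage step that comes before the fix the answer describes: it pulls every rejected thumbprint out of Microsoft.Tri.Center log lines, counts how often each one reappears (a stale gateway retries on every service start, so the count tells you how noisy each orphan is), and checks them against the center's own ServiceCertificateThumbprints and SecretManagerConfiguration thumbprints to confirm they are foreign rather than a misconfigured center cert. The log lines and config fragment embedded in the script are constructed from the excerpts in the question. The regex assumes the "Failed to validate certificate thumbprint [thumbprint=...]" wording shown above; it does not try to parse the IP address that newer releases append, because that message format is not shown on this page.

```python
import json
import re
from collections import Counter

# Constructed sample log: lines modelled on the Microsoft.Tri.Center excerpt in the
# question, with the second unknown thumbprint repeated to simulate a gateway retry.
SAMPLE_LOG = """\
2020-09-16 08:56:14.7486 4744 7 Debug [CenterConfigurationManager] Starting
2020-09-16 08:56:14.8106 4744 14 Error [CertificateValidator] System.IdentityModel.Tokens.SecurityTokenValidationException: Failed to validate certificate thumbprint [thumbprint=C2F22478F31DAA2414C3ADDD9F1CC031368D9426]
   at Microsoft.Tri.Infrastructure.Utils.CertificateValidator.Validate(String thumbprint)
2020-09-16 08:56:14.8106 4744 11 Error [CertificateValidator] System.IdentityModel.Tokens.SecurityTokenValidationException: Failed to validate certificate thumbprint [thumbprint=12045E195D6DB3C6E22B67D910B5A0904A5E36D8]
2020-09-16 08:57:02.1200 4744 11 Error [CertificateValidator] System.IdentityModel.Tokens.SecurityTokenValidationException: Failed to validate certificate thumbprint [thumbprint=12045E195D6DB3C6E22B67D910B5A0904A5E36D8]
"""

# Constructed fragment of the center configuration, as pasted in the question.
SAMPLE_CONFIG = """\
{
  "ServiceCertificateThumbprints": ["404530CEB8D9A06D327E1191CBAA03FCD1568ECF"],
  "SecretManagerConfiguration": {
    "CertificateThumbprint": "404530CEB8D9A06D327E1191CBAA03FCD1568ECF"
  }
}
"""

# Matches the CertificateValidator error line and captures the 40-hex-digit SHA-1 thumbprint.
# Assumption: the wording is exactly the one shown in the question's log excerpt.
THUMBPRINT_RE = re.compile(
    r"\[CertificateValidator\].*?Failed to validate certificate thumbprint "
    r"\[thumbprint=([0-9A-Fa-f]{40})\]"
)


def rejected_thumbprints(log_text):
    """Thumbprints the center refused, with how many times each was seen."""
    counts = Counter()
    for line in log_text.splitlines():
        m = THUMBPRINT_RE.search(line)
        if m:
            counts[m.group(1).upper()] += 1
    return counts


def known_thumbprints(config_text):
    """The center's own certificate thumbprints from the pasted configuration fragment."""
    cfg = json.loads(config_text)
    known = {t.upper() for t in cfg.get("ServiceCertificateThumbprints", [])}
    secret = cfg.get("SecretManagerConfiguration", {}).get("CertificateThumbprint")
    if secret:
        known.add(secret.upper())
    return known


def triage(log_text, config_text):
    """Map each foreign (non-center) rejected thumbprint to its retry count.

    Anything left in the result is, per the answer above, most likely a gateway
    that was deleted from the console but still has its service installed.
    """
    known = known_thumbprints(config_text)
    return {tp: n for tp, n in rejected_thumbprints(log_text).items() if tp not in known}


if __name__ == "__main__":
    for thumbprint, hits in sorted(triage(SAMPLE_LOG, SAMPLE_CONFIG).items()):
        print(f"unknown gateway cert {thumbprint}: rejected {hits} time(s)")
```

Point the script at the real Microsoft.Tri.Center log and the configuration dump instead of the embedded samples. Each thumbprint it prints is one orphaned gateway to track down: locate the host whose local self-signed certificate has that thumbprint, then uninstall the gateway service there (or reinstall it if it should still be part of the deployment), as the answer describes.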