Owin Twitter login - the remote certificate is invalid according to the validation procedure

Question

I started getting this error recently when trying to login using twitter- any idea why?

Stack Trace:    [AuthenticationException: The remote certificate is invalid according to the validation procedure.]    System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) +230    System.Net.PooledStream.EndWrite(IAsyncResult asyncResult) +13    System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) +123  [WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]    System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +6432446    System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar) +64 

Answer 1

Thanks to the power of open source we can see that the thumbprints for the twitter certificates have been coded in the Katana Project.

Microsoft.Owin.Security.Twitter.TwitterAuthenticationOptions 

Recently some certificates must have changed and now the thumbprints no longer match.

Please add a new thumb print for the "VeriSign Class 3 Public Primary Certification Authority - G5" Certificate to your Twitter Auth Options in your Startup.Auth.cs (for MVC users).

Change from the default:

app.UseTwitterAuthentication(     consumerKey: "XXXX",     consumerSecret: "XXX" ); 

Use this:

app.UseTwitterAuthentication(new TwitterAuthenticationOptions {     ConsumerKey = "XXXX",     ConsumerSecret = "XXXX",     BackchannelCertificateValidator = new CertificateSubjectKeyIdentifierValidator(new[]     {         "A5EF0B11CEC04103A34A659048B21CE0572D7D47", // VeriSign Class 3 Secure Server CA - G2         "0D445C165344C1827E1D20AB25F40163D8BE79A5", // VeriSign Class 3 Secure Server CA - G3         "7FD365A7C2DDECBBF03009F34339FA02AF333133", // VeriSign Class 3 Public Primary Certification Authority - G5         "39A55D933676616E73A761DFA16A7E59CDE66FAD", // Symantec Class 3 Secure Server CA - G4         "5168FF90AF0207753CCCD9656462A212B859723B", //DigiCert SHA2 High Assurance Server C‎A          "B13EC36903F8BF4701D498261A0802EF63642BC3" //DigiCert High Assurance EV Root CA     }) });