Owin Twitter login - the remote certificate is invalid according to the validation procedure

攒了一身酷 2020-12-02 05:37

I started getting this error recently when trying to log in using Twitter - any idea why?

Stack Trace: 


[AuthenticationException: The remote certificate is i         


        
8 answers
  • 2020-12-02 06:08

    To sum up and save people digging through the comments, here is the latest config:

    app.UseTwitterAuthentication(new TwitterAuthenticationOptions
    {
        ConsumerKey = "XXXX",
        ConsumerSecret = "XXXX",
        BackchannelCertificateValidator = new Microsoft.Owin.Security.CertificateSubjectKeyIdentifierValidator(new[]
        {
            "A5EF0B11CEC04103A34A659048B21CE0572D7D47", // VeriSign Class 3 Secure Server CA - G2
            "0D445C165344C1827E1D20AB25F40163D8BE79A5", // VeriSign Class 3 Secure Server CA - G3
            "7FD365A7C2DDECBBF03009F34339FA02AF333133", // VeriSign Class 3 Public Primary Certification Authority - G5
            "39A55D933676616E73A761DFA16A7E59CDE66FAD", // Symantec Class 3 Secure Server CA - G4
            "add53f6680fe66e383cbac3e60922e3b4c412bed", // Symantec Class 3 EV SSL CA - G3
            "4eb6d578499b1ccf5f581ead56be3d9b6744a5e5", // VeriSign Class 3 Primary CA - G5
            "5168FF90AF0207753CCCD9656462A212B859723B", // DigiCert SHA2 High Assurance Server CA
            "B13EC36903F8BF4701D498261A0802EF63642BC3" // DigiCert High Assurance EV Root CA
        })
    });
    

    All credits to @MichaelLake and @KennethIto.

  • 2020-12-02 06:12

    The DigiCert SHA2 High Assurance Server CA value of "5168FF90AF0207753CCCD9656462A212B859723B" doesn't seem to be valid. The new value is "01C3968ACDBD57AE7DFAFF9552311608CF23A9F9". It's valid from 6/28/2016 to 9/19/2019. I found it by going to https://api.twitter.com/ in Chrome, then clicking on the padlock in the address bar to view the certificate.

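The validator in the configuration above is named for the Subject Key Identifier (extension OID 2.5.29.14), which is a different value from the certificate thumbprint, and a pin pasted with an invisible character in it can never match. The following is an added example, not code from this page or from Katana, that reads a certificate's SKI, checks a chain against a pin list and flags malformed pins. The class and method names are hypothetical, the certificate is a constructed throwaway, and `CertificateRequest` assumes .NET Framework 4.7.2+ or .NET Core.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper for diagnosing pin lists; not part of Microsoft.Owin.Security.
static class SkiPinCheck
{
    // Subject Key Identifier (OID 2.5.29.14) as hex, or null when the extension is absent.
    public static string GetSki(X509Certificate2 cert) =>
        (cert.Extensions["2.5.29.14"] as X509SubjectKeyIdentifierExtension)?.SubjectKeyIdentifier;

    // Pins containing anything other than hex digits (for example an invisible
    // U+200E copied along from a certificate dialog) can never match.
    public static List<string> MalformedPins(IEnumerable<string> pins) =>
        pins.Where(p => p.Length == 0 || !p.All(Uri.IsHexDigit)).ToList();

    // True when at least one certificate in the chain carries a pinned SKI.
    public static bool ChainMatchesPin(IEnumerable<X509Certificate2> chain, IEnumerable<string> pins)
    {
        var set = new HashSet<string>(pins, StringComparer.OrdinalIgnoreCase);
        return chain.Select(GetSki).Any(ski => ski != null && set.Contains(ski));
    }

    static void Main()
    {
        // Constructed sample: a throwaway self-signed certificate standing in for a CA in the chain.
        using (var key = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        {
            var req = new CertificateRequest("CN=Constructed Test CA", key, HashAlgorithmName.SHA256);
            req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
            using (var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                                   DateTimeOffset.UtcNow.AddDays(1)))
            {
                string ski = GetSki(cert);
                var chain = new[] { cert };
                var cleanPins = new[] { ski.ToLowerInvariant() }; // this helper ignores case
                var taintedPins = new[] { "\u200E" + ski };       // invisible prefix, looks identical

                Console.WriteLine("SKI:        " + ski);
                Console.WriteLine("Thumbprint: " + cert.Thumbprint + " (hash of the whole certificate)");
                Console.WriteLine("clean pin matches:   " + ChainMatchesPin(chain, cleanPins));
                Console.WriteLine("tainted pin matches: " + ChainMatchesPin(chain, taintedPins));
                Console.WriteLine("malformed pins:      " + MalformedPins(taintedPins).Count);
            }
        }
    }
}
```

Running `MalformedPins` over a pin list before deploying it catches entries that look correct in an editor but contain non-hex characters.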
  • 2020-12-02 06:13

    I had the same issue, and I have updated the callback URL in my Twitter App.

    Adding the default URL https://mywebsite/signin-twitter

  • 2020-12-02 06:18

    For me, just updating Microsoft.Owin.Security.Twitter to version 3.1.0 fixed it, even without adding the thumbprints!

  • 2020-12-02 06:32

    Thanks to the power of open source we can see that the thumbprints for the Twitter certificates have been coded in the Katana Project.

    Microsoft.Owin.Security.Twitter.TwitterAuthenticationOptions
    

    Recently some certificates must have changed and now the thumbprints no longer match.

    Please add a new thumbprint for the "VeriSign Class 3 Public Primary Certification Authority - G5" Certificate to your Twitter Auth Options in your Startup.Auth.cs (for MVC users).

    Change from the default:

    app.UseTwitterAuthentication(
        consumerKey: "XXXX",
        consumerSecret: "XXX"
    );
    

    Use this:

    app.UseTwitterAuthentication(new TwitterAuthenticationOptions
    {
        ConsumerKey = "XXXX",
        ConsumerSecret = "XXXX",
        BackchannelCertificateValidator = new CertificateSubjectKeyIdentifierValidator(new[]
        {
            "A5EF0B11CEC04103A34A659048B21CE0572D7D47", // VeriSign Class 3 Secure Server CA - G2
            "0D445C165344C1827E1D20AB25F40163D8BE79A5", // VeriSign Class 3 Secure Server CA - G3
            "7FD365A7C2DDECBBF03009F34339FA02AF333133", // VeriSign Class 3 Public Primary Certification Authority - G5
            "39A55D933676616E73A761DFA16A7E59CDE66FAD", // Symantec Class 3 Secure Server CA - G4
            "5168FF90AF0207753CCCD9656462A212B859723B", // DigiCert SHA2 High Assurance Server CA
            "B13EC36903F8BF4701D498261A0802EF63642BC3" // DigiCert High Assurance EV Root CA
        })
    });
    
  • 2020-12-02 06:33

    I had this exact problem. I followed the post above and I got the 401 (unauthorized) error mentioned in another comment.

    I went to my Twitter dev account and unchecked a box titled: "Enable Callback Locking". Clicked save, hit F5 and it worked.

    So the above code worked for me. If you get a 401, double-check your Twitter account for the checkbox.
