SP2019 error: An operation failed because the following certificate has validation errors:

Oleg Tserkovnyuk 586 Reputation points
2022-04-04T12:21:34.517+00:00

Hello,

Get error on the SP2019 when try to mail enable library.
Details from the ULS logs:

An operation failed because the following certificate has validation errors: Subject Name: CN=MyServer Issuer Name: CN=MyServer Thumbprint: MyThumbprint Errors: UntrustedRoot: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. . 616930a0-cd54-4062-e91a-9640c2b054c6

ListUpdate Failure: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolTok...

Application error when access /_layouts/15/EmailSettings.aspx, Error=The remote certificate is invalid according to the validation procedure. at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolReque...

From what I found this might be related to the SharePoint Web Services. This service has https binding.
In my environment I have two WFEs, checked the service on each WFE from the IIS console - web service does not have SSL certificate assigned to the HTTPS binding, however SSL certificates are listed. One is expired, second is valid.
189734-1d.jpg

SharePoint Server Management
SharePoint Server Management
SharePoint Server: A family of Microsoft on-premises document management and storage systems.Management: The act or process of organizing, handling, directing or controlling something.
2,897 questions
0 comments No comments
{count} votes

Accepted answer
  1. Echo Du_MSFT 17,141 Reputation points
    2022-04-20T08:53:00.033+00:00

    Hi @Oleg Tserkovnyuk ,

    Great to know that it works now and thanks for sharing the update here.

    By the way, since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others." and according to the scenario introduced here: Answering your own questions on Microsoft Q&A, I would make a brief summary of this thread:

    [SP2019 error: An operation failed because the following certificate has validation errors]

    ****Issue Symptom:****

    When we tried to mail enable library in SharePoint 2019, the following error will appear:

    An operation failed because the following certificate has validation errors: Subject Name: CN=MyServer Issuer Name: CN=MyServer Thumbprint: MyThumbprint Errors: UntrustedRoot: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. . 616930a0-cd54-4062-e91a-9640c2b054c6

    In our SharePoint 2019 environment, I have two WFEs, checked the service on each WFE from the IIS console - the web service doesn't have an SSL certificate assigned to the HTTPS binding, but has an SSL certificate listed. One is expired, and the other is valid.

    Current status:

    The issue is caused by an expired SSL certificate used by the SharePoint Central Administration.

    Fix this by removing the expired self-signed SSL certificate used by Central Administration.

    194588-ssl1.jpg

    194558-ssl2.jpg


    You could click the "Accept Answer" button for this summary to close this thread, and this can make it easier for other community member's to see the useful information when reading this thread. Thanks for your understanding!

    Thanks,
    Echo Du

    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Echo Du_MSFT 17,141 Reputation points
    2022-04-05T02:45:16.89+00:00

    Hi @Oleg Tserkovnyuk ,

    Since we're trying to access an HTTPS web service, we need to add SSL, which is still valid, to the SharePoint Trusted Root Authority.

    Please follow the steps:

    1.Go to Start >> Run >> Type MMC and then click on Ok.

    190001-c1.jpg

    2.In Microsoft Management Console, Click on the File >> Add\Remove Snap-in...

    189933-c2.jpg

    3.In the Add or Remove Snap-ins wizard, select Certificates from the available snap-ins and then click on Add.

    189963-c3.jpg

    4.Select My user account and click on Finish.

    190011-c4.jpg

    5.Certificate will be added and click on Ok.

    189992-c5.jpg

    6.In the left pane expand Certificates, and then expand Personal. Click on Certificates folder.

    7.Right click on the certificate, click on All Tasks >> Export.

    189973-c6.jpg

    8.Certificate Export Wizard will pop up, click on Next.

    190013-c7.jpg

    9.In the Export File Format select DER encoded binary X.509 (.CER) format.

    189974-c8.jpg

    10.In the File to Export click on Browse..., select the location and enter the Name.

    11.Click on Save, the certificate will be saved.

    190014-c9.jpg

    12.In the Certificate Export Wizard, click on Finish. You will be getting the following pop up, click on Ok.

    189838-c10.jpg

    13.Go to SharePoint 2019 Central Administration >> Security >> Manage Trust.

    190015-c11.jpg

    14.In the ribbon interface, go to Trust Relationships Tab >> Click on New button.

    15.In the Root Certificate to trust relationship section, click on Browse.... Select the certificate that we have exported.

    189934-c12.jpg

    16.Certificate is imported to the SharePoint Trusted root Authority.

    189947-c13.jpg

    Here is a similar case for your reference:

    Thanks,
    Echo Du

    =============================================

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Oleg Tserkovnyuk 586 Reputation points
    2022-04-05T09:37:42.353+00:00

    Hi,

    Thank you for response.
    Tried, unfortunately did not help.

    In my case the certificate was located in the "Trusted Root Certification Authorities > Certificates".

    0 comments No comments

  3. Oleg Tserkovnyuk 586 Reputation points
    2022-04-14T13:54:14.837+00:00

    Issue was caused by the expired self-signed SSL certificate used by Central Administration.