DavidFrohlich
New Member

Problem after SSL certificate expired

On one of our PBIRS servers, the SSL certificate expired. We installed a new certificate, switched the bindings for Web Portal & Web Service to point to the new certificate and removed the old one, but now we are encountering problems when accessing any report via the portal.

 

This is the error message:

 

Capture_PBIRS.PNG

 

In our log file we have this message, corresponding to when someone clicks a report:

 

 

2023-07-12 14:51:36.7074|ERROR|12|OData exception occurred: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest, Boolean renegotiation)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.ReportingServices.Portal.ODataWebApi.Utils.PbixReportHelper.ShouldReShred(PowerBIReport entity, Uri basePortalUrl, ILogger logger, IPrincipal userPrincipal, String reportServerHostName)
   at Microsoft.ReportingServices.Portal.ODataWebApi.Common.CatalogItemControllerHelper`1.GetItem(String key)
   at Microsoft.ReportingServices.Portal.ODataWebApi.Common.CatalogItemControllerHelper`1.GetAllowedActions(String Id)
   at Microsoft.ReportingServices.Portal.ODataWebApi.V2.Controllers.PowerBIReportsController.GetAllowedActions(String Id)
   at lambda_method(Closure , Object , Object[] )
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass6_2.<GetExecutor>b__2(Object instance, Object[] methodParameters)
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ExceptionFilterResult.<ExecuteAsync>d__6.MoveNext().| RequestID = s_34e542e5-abf2-4042-984b-76dedbf4432c 

 

 

We were running the Jan 2023 version of PBIRS, and tried upgrading to May 2023 to resolve, but the problem remains.

 

Any suggestions for fixing this are appreciated.

 

 

10 REPLIES
ChrisMuthmann
Resolver II

Try to remove the following registry key if you have problems during startup: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443

Then you can proceed with certificate binding.
(BTW, my latest posts seem to be deleted, so I'll try this one with a different wording.)

ChrisMuthmann
Resolver II

My steps are a little different:

  1. Remove the bindings to the expired certificate
  2. Restart the server
  3. Create a new certificate
  4. Add the bindings to the new certificate (this will restart reportserver implicitly)

To repair a damaged installation this should help:

https://learn.microsoft.com/en-us/sql/reporting-services/security/configure-ssl-connections-on-a-nat...

If you remove TLS bindings for Reporting Services using the Report Server Configuration Manager, TLS may no longer work for Web sites on a server that is running Internet Information Services (IIS) or on another HTTP.SYS server. Reporting Services Configuration Manager removes the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 When this registry key is removed, the TLS binding for IIS is also removed. 

johnbasha33
Impactful Individual

@DavidFrohlich 

The error message indicates that there's an issue with the SSL/TLS certificate validation when establishing the connection to the PBIRS server. This can happen if the new SSL certificate is not trusted or if there are certificate chain issues.

Here are some steps you can take to troubleshoot and resolve the issue:

  1. Verify SSL Certificate Installation: Double-check that the new SSL certificate is installed correctly on the PBIRS server. Ensure that the certificate is valid, not expired, and matches the server's hostname.

  2. Check Certificate Chain: Make sure that the SSL certificate chain is configured correctly. The certificate chain should include all necessary intermediate and root certificates to establish trust. You can use tools like OpenSSL to inspect the certificate chain.

  3. Ensure Proper Binding: Verify that the new SSL certificate is properly bound to the PBIRS website in IIS. Check the bindings for both the Web Portal and Web Service endpoints to ensure they are using the correct SSL certificate.

  4. Update Trusted Root Certificates: Ensure that the client machine accessing the PBIRS server has the updated trusted root certificates. Sometimes, outdated root certificates can cause SSL/TLS validation errors. You may need to update the root certificates on the client machine.

  5. Check Firewall and Proxy Settings: Make sure that there are no firewall or proxy settings blocking the SSL/TLS connection between the client and the PBIRS server. Ensure that the necessary ports (e.g., 443 for HTTPS) are open and accessible.

  6. Review TLS Configuration: Verify the TLS configuration on the PBIRS server and client machines. Ensure that both are configured to use a compatible version of TLS (e.g., TLS 1.2) and that any deprecated versions (e.g., SSL 3.0) are disabled.

  7. Enable Detailed Error Logging: Increase the logging level for PBIRS to capture more detailed error messages. This can help identify the specific cause of the SSL/TLS validation error.

  8. Consult IT Security: If you're still unable to resolve the issue, consider consulting your organization's IT security team or a qualified SSL/TLS certificate expert for further assistance. They may be able to provide additional insights or guidance on resolving certificate-related issues.

    Did I answer your question? Mark my post as a solution! Appreciate your Kudos !!
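One way to carry out the certificate, chain and binding checks from steps 1 to 3 above, and to list the HTTP.SYS bindings behind the SslBindingInfo registry key mentioned earlier in the thread. This is an added example, not part of any post in the thread; the host name is a placeholder, and it assumes English `netsh` output and certificates stored in LocalMachine\My.

```powershell
# Added example. Run in an elevated PowerShell session on the PBIRS server itself.
param(
    [string]$PortalHost = 'pbirs.example.internal',  # placeholder: host name in the Web Portal URL
    [int]$Port = 443
)

# 1. Handshake from the server to its own HTTPS endpoint. The callback records the
#    policy errors .NET would raise, then accepts so the certificate can be inspected.
$seen = @{}
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $policyErrors)
    $seen.Errors = $policyErrors
    $seen.Chain  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($PortalHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($PortalHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $tcp.Close() }

$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
[pscustomobject]@{
    Thumbprint   = $cert.Thumbprint
    Subject      = $cert.Subject
    SAN          = if ($san) { $san.Format($false) } else { '(none)' }
    NotAfter     = $cert.NotAfter
    PolicyErrors = $seen.Errors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
    ChainStatus  = $seen.Chain
} | Format-List

# 2. HTTP.SYS bindings: every registered endpoint and the certificate hash bound to it.
#    NotAfter stays empty when the hash is not found in LocalMachine\My.
$endpoint = $null
netsh http show sslcert |
    Select-String '^\s*(IP:port|Hostname:port|Certificate Hash)\s*:\s*(\S+)' |
    ForEach-Object {
        $key, $value = $_.Matches[0].Groups[1].Value, $_.Matches[0].Groups[2].Value
        if ($key -ne 'Certificate Hash') { $endpoint = $value; return }
        $stored = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $value
        [pscustomobject]@{
            Endpoint        = $endpoint
            Thumbprint      = $value.ToUpper()
            NotAfter        = $stored.NotAfter
            SameAsHandshake = $value -eq $cert.Thumbprint
        }
    } | Format-Table -AutoSize
```

A binding row whose thumbprint differs from the handshake result, or whose NotAfter is in the past, shows an endpoint that is still registered against a different certificate than the one the portal bindings were switched to.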

Hi, I have verified the SSL certificate, certificate chain, and the binding. The issue that I am running into is only occurring with Power BI reports. I am able to open SSRS reports/etc without any issues. It's also only occurring when viewing the site using HTTPS. If I use HTTP, I am able to open Power BI reports with no issues. I tested accessing both the /Reports and /ReportServer URLs and I can see that they both use the new SSL certificate. It looks like the service that PBIRS uses to display the Power BI reports is still holding on to the old (expired) certificate for some reason. 

Have you restarted that service/server?

Yes, I did restart both the service and server multiple times. I even uninstalled, rebooted the server, re-installed and still ran into the same issue. I have since managed to resolve the issue, although I'm not sure what the fix exactly was. I was trying a few things and I added a host header on the HTTP binding. I'm not sure why exactly that would have changed anything, but since I did that, I no longer get the error that I was getting before (The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.)

KogerMD
New Member

Did you ever resolve this issue? We are seeing the same behavior after our SSL certificate expired and we renewed/replaced it.

Yes, I resolved the issue by uninstalling PBIRS and then reinstalling it.

lbendlin
Super User

You can raise an issue at https://community.fabric.microsoft.com/t5/Issues/idb-p/Issues . If you have a Pro license you can consider raising a Pro ticket at https://admin.powerplatform.microsoft.com/newsupportticket/powerbi
