[Mono-list] Can not add a SSL web reference using MONO 2.6.7

Sebastien Pouliot sebastien.pouliot at gmail.com
Fri Feb 11 16:01:43 EST 2011


On Fri, 2011-02-11 at 12:39 -0800, diegocairone wrote:
> I am trying to create a proxy for a Web Service on a SSL WebSite. To do
> that, I am using the utility "wsdl" or the monodevelop IDE.
> 
> The URL of the Web Service is:
> "https://wsaahomo.afip.gov.ar/ws/services/LoginCms?wsdl" and when I add the
> web reference on Monodevelop IDE or in a console using the utility "wsdl" I
> get the following error message: "Error getting response stream (Write: The
> authentication or decryption has failed.): SendFailure"
> 
> Before doing this, I have imported all root certificates from Mozilla
> executing this: "sudo mozroots --import --ask-remove".

That's a bad idea. You're mixing two things. There are "current user"
and "local machine" certificate stores.

When you do a "mozroots --import" then you are, by default, using the
current user store - which is generally enough (unless your code runs
under a different account, like apache/mod_mono/ASP.NET).

If you want to import in the local machine store then you need to be
able to write to /usr/share, that's where sudo is helpful. In this case
you'll do a "sudo mozroots --machine --import"

But what you did is a mix of both resulting in importing the
certificates inside the 'root' user store. That will never be available
to you (unless you run your apps as 'root').

> Also, I did: "certmgr -ssl https://wsaahomo.afip.gov.ar/" and copied those
> certificates to the stores: "AddressBook", "CA" and "Trust" in
> "~/.config/.mono/certs".

Most SSL servers do not send root certificates as part of the X.509 chain
(that's covered in the FAQ [1] where it says "intermediate" certificate
will be copied). So this will not add anything into Trust. If you
manually copied stuff into Trust then you'll likely get a lot of
problems -> delete them.

Sebastien

[1] please (re)read http://www.mono-project.com/FAQ:_Security
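
Added example, not part of the original message or of Mono itself: a small shell diagnostic for the situation described above, where "sudo mozroots --import" leaves the roots in root's user store. The function names are hypothetical, and the base paths /root/.config and /usr/share/.mono/certs are assumptions built from the "~/.config/.mono/certs" and "/usr/share" locations mentioned in the thread.

```shell
#!/bin/sh
# Report which Mono certificate store actually holds trusted roots.
# Assumed layout: <base>/.mono/certs/Trust, with base ~/.config for a
# user store and /usr/share for the machine store.

# Print the number of files in the Trust folder under a store base dir.
count_trust() {
    dir="$1/.mono/certs/Trust"
    [ -d "$dir" ] || { echo 0; return; }
    # Unreadable directories (e.g. root's, when run unprivileged) count as 0.
    find "$dir" -type f 2>/dev/null | wc -l | tr -d ' '
}

# diagnose_stores USER_BASE ROOT_BASE MACHINE_BASE
# Prints one of: machine, user, root-only, empty.
diagnose_stores() {
    user=$(count_trust "$1")
    root=$(count_trust "$2")
    machine=$(count_trust "$3")
    if [ "$machine" -gt 0 ]; then
        echo "machine"      # visible to every account
    elif [ "$user" -gt 0 ]; then
        echo "user"         # visible to this account only
    elif [ "$root" -gt 0 ]; then
        echo "root-only"    # the "sudo mozroots --import" mix-up
    else
        echo "empty"
    fi
}

# Map a verdict to the commands given in the reply above.
advise() {
    case "$1" in
        machine)   echo "Roots are in the machine store." ;;
        user)      echo "Roots are in your user store; other accounts will not see them." ;;
        root-only) echo "Roots are only in root's user store. Run 'mozroots --import' as yourself, or 'sudo mozroots --machine --import'." ;;
        *)         echo "No roots found. Run 'mozroots --import'." ;;
    esac
}

# Inspecting root's store needs read access to it, so run this with sudo
# and pass your own config directory explicitly if sudo resets HOME.
advise "$(diagnose_stores "${1:-${HOME:-/nonexistent}/.config}" /root/.config /usr/share)"
```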



