Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Reply
DavidFrohlich
New Member

Problem after SSL certificate expired

On one of our PBIRS servers, the SSL certificate expired. We installed a new certificate, switched the bindings for Web Portal & Web Service to point to the new certificate and removed the old one, but now we are encountering problems when accessing any report via the portal.

 

This is the error message:

 

Capture_PBIRS.PNG

 

In our log file we have this message, corresponding to when someone clicks a report:

 

 

2023-07-12 14:51:36.7074|ERROR|12|OData exception occurred: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest, Boolean renegotiation)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.ReportingServices.Portal.ODataWebApi.Utils.PbixReportHelper.ShouldReShred(PowerBIReport entity, Uri basePortalUrl, ILogger logger, IPrincipal userPrincipal, String reportServerHostName)
   at Microsoft.ReportingServices.Portal.ODataWebApi.Common.CatalogItemControllerHelper`1.GetItem(String key)
   at Microsoft.ReportingServices.Portal.ODataWebApi.Common.CatalogItemControllerHelper`1.GetAllowedActions(String Id)
   at Microsoft.ReportingServices.Portal.ODataWebApi.V2.Controllers.PowerBIReportsController.GetAllowedActions(String Id)
   at lambda_method(Closure , Object , Object[] )
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass6_2.<GetExecutor>b__2(Object instance, Object[] methodParameters)
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ExceptionFilterResult.<ExecuteAsync>d__6.MoveNext().| RequestID = s_34e542e5-abf2-4042-984b-76dedbf4432c 

 

 

We were running the Jan 2023 version of PBIRS, and tried upgrading to May 2023 to resolve, but the problem remains.

 

Any suggestions for fixing this are appreciated.

 

 

10 REPLIES 10
ChrisMuthmann
Resolver II
Resolver II

Try to remove the following registry if you have problems during startup key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443

Then you can proceed with certificate binding.
(BTW my latest posts seems to be deleted, so I try his one with a different wording)

ChrisMuthmann
Resolver II
Resolver II

My steps are a little different:

  1. Remove the bindings to the expired certificate
  2. Restart the server
  3. Create a new certificate
  4. Add the bindings to the new certificate (this will restart reportserver implicitly)

To repair a damaged installation this should help:

https://learn.microsoft.com/en-us/sql/reporting-services/security/configure-ssl-connections-on-a-nat...

If you remove TLS bindings for Reporting Services using the Report Server Configuration Manager, TLS may no longer work for Web sites on a server that is running Internet Information Services (IIS) or on another HTTP.SYS server. Reporting Services Configuration Manager removes the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 When this registry key is removed, the TLS binding for IIS is also removed. 

johnbasha33
Solution Sage
Solution Sage

@DavidFrohlich 

The error message indicates that there's an issue with the SSL/TLS certificate validation when establishing the connection to the PBIRS server. This can happen if the new SSL certificate is not trusted or if there are certificate chain issues.

Here are some steps you can take to troubleshoot and resolve the issue:

  1. Verify SSL Certificate Installation: Double-check that the new SSL certificate is installed correctly on the PBIRS server. Ensure that the certificate is valid, not expired, and matches the server's hostname.

  2. Check Certificate Chain: Make sure that the SSL certificate chain is configured correctly. The certificate chain should include all necessary intermediate and root certificates to establish trust. You can use tools like OpenSSL to inspect the certificate chain.

  3. Ensure Proper Binding: Verify that the new SSL certificate is properly bound to the PBIRS website in IIS. Check the bindings for both the Web Portal and Web Service endpoints to ensure they are using the correct SSL certificate.

  4. Update Trusted Root Certificates: Ensure that the client machine accessing the PBIRS server has the updated trusted root certificates. Sometimes, outdated root certificates can cause SSL/TLS validation errors. You may need to update the root certificates on the client machine.

  5. Check Firewall and Proxy Settings: Make sure that there are no firewall or proxy settings blocking the SSL/TLS connection between the client and the PBIRS server. Ensure that the necessary ports (e.g., 443 for HTTPS) are open and accessible.

  6. Review TLS Configuration: Verify the TLS configuration on the PBIRS server and client machines. Ensure that both are configured to use a compatible version of TLS (e.g., TLS 1.2) and that any deprecated versions (e.g., SSL 3.0) are disabled.

  7. Enable Detailed Error Logging: Increase the logging level for PBIRS to capture more detailed error messages. This can help identify the specific cause of the SSL/TLS validation error.

  8. Consult IT Security: If you're still unable to resolve the issue, consider consulting your organization's IT security team or a qualified SSL/TLS certificate expert for further assistance. They may be able to provide additional insights or guidance on resolving certificate-related issues.

    Did I answer your question? Mark my post as a solution! Appreciate your Kudos !!

Hi, I have verified the SSL certificate, certificate chain, and the binding. The issue that I am running into is only occurring with Power BI reports. I am able to open SSRS reports/etc without any issues. It's also only occurring when viewing the site using HTTPS. If I use HTTP, I am able to open Power BI reports with no issues. I tested accessing both the /Reports and /ReportServer URLs and I can see that they both use the new SSL certificate. It looks like the service that PBIRS uses to display the Power BI reports is still holding on to the old (expired) certificate for some reason. 

have you restarted that service/server ?

Yes, I did restart both the service and server multiple times. I even uninstalled, rebooted the server, re-installed and still ran into the same issue. I have since managed to resolve the issue, although I'm not sure what the fix exactly was. I was trying a few things and I added a host header on the HTTP binding. I'm not sure why exactly that would have changed anything, but since I did that, I no longer get the error that I was getting before (The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.)

KogerMD
New Member

Did you ever resolve this issue? We are seeing the same behavior after our SSL certificate expired and we renewed/replaced it.

Yes, I resolved the issue by uninstalling PBIRS and then reinstalling it.

lbendlin
Super User
Super User

You can raise an issue at https://community.fabric.microsoft.com/t5/Issues/idb-p/Issues . If you have a Pro license you can consider raising a Pro ticket at https://admin.powerplatform.microsoft.com/newsupportticket/powerbi

Helpful resources

Announcements
July 2024 Power BI Update

Power BI Monthly Update - July 2024

Check out the July 2024 Power BI update to learn about new features.

July Newsletter

Fabric Community Update - July 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors