SSL Connection fails after update to version 25 (25.0.23364.25412)

[martin-ixzal-com]

1. Describe the bug
   HttpClient call fails with: "The SSL connection could not be established; the remote certificate is invalid because of errors in the certificate chain: UntrustedRoot, RevocationStatusUnknown, OfflineRevocation" in version 25, SaaS environment. In older versions and Docker (https://bcartifacts.azureedge.net/sandbox/25.0.23364.25738/nl), the same call works without problems.

2. To Reproduce
   var
   Client: HttpClient;
   ...
   Client.Clear();
   Client.AddCertificate(Certificate1Base64, Certificate1PassPhrase);

    clear(ResponseMsg);
    if (NOT Client.Send(RequestMsg, ResponseMsg)) then
        Error(GLB_MSG_ERROR, 'Client.Get', GetLastErrorText(),'');
   

The certificate used is the "PKI-Overheid certificate" (https://www.pki-overheid-certificaat.nl/certificaten/), which is used to authenticate Dutch government APIs.

3. Expected behavior
   The HttpClient call succeeds.

4. Actual behavior
   The HttpClient call fails with the following GetLastErrorText():
   "The SSL connection could not be established, see inner exception. The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot, RevocationStatusUnknown, OfflineRevocation"

5. Versions:

• AL Language: V14
• Visual Studio Code:
• Business Central: 25.0.23364.25412 (SaaS)
• List of Visual Studio Code extensions that you have installed:
• Operating System:
  • [ *] Windows
  • Linux
  • MacOS

Final Checklist

Please remember to do the following:

• [ X] Search the issue repository to ensure you are reporting a new issue

• [ X] Reproduce the issue after disabling all extensions except the AL Language extension

• [ X] Simplify your code around the issue to better isolate the problem

[ajkauffmann]

The error message is about the remote certificate. That means it is not about the client certificate but about the SSL certificate used by the endpoint https://api.mijn.overheid.nl.

The certificate used by this site is issued by a certificate authority that is not in the trusted store. See also this report: https://www.ssllabs.com/ssltest/analyze.html?d=api.mijn.overheid.nl

In BC v25 the default behavior of the HttpClient for certificate validation has changed. I couldn't find any documentation, but Stefano Demiliani blogged about it here: https://demiliani.com/2024/09/23/dynamics-365-business-central-httpclient-and-remote-certificate-validation-future-changes/

In my opinion, this change should have been documented properly because it is a breaking change (maybe I didn't search good enough?). And we should get an option to bypass the validation check or, even better, provide the root certificate to the HttpClient as a custom trusted root certificate.

[StefanMaron]

I have the same issue, currently blocking the entire project development if we dont get a way to provide the root certificate(s)

[StefanSosic]

I have also same issue.
This is also breaking focalizations/einvoices in most countries...

In Serbia simply pulling configuration or allowed tax-rates doesn't work anymore:
https://api.suf.purs.gov.rs/api/v3/tax-rates
https://api.suf.purs.gov.rs/api/v3/configuration

Government site...

[ajkauffmann]

It is working again in v25.0 and v25.1, in both production and sandbox environments.
Did some research and wrote a blog post: https://www.kauffmann.nl/2024/12/02/httpclient-and-certificate-validation-in-business-central-v25/