When configuring RSTS in Active Roles, Configuration Center may fail with the following chain of errors:
"Could not retrieve an access token for RSTS API."
"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
"The remote certificate is invalid according to the validation procedure."
RSTS requires a valid HTTPS/TLS certificate to already be assigned to IIS/HTTP.SYS on the port being used.
When using the default port 443, RSTS uses the existing certificate binding. The Configuration Center wizard does not prompt for a separate HTTPS/TLS certificate on port 443. The certificate selected in the wizard is for RSTS/token-signing purposes.
If the certificate bound to port 443 is invalid, untrusted, expired, or does not match the hostname, RSTS API calls may fail with SSL/TLS trust errors.
1- Verify the certificate currently bound to port 443:
netsh http show sslcert ipport=0.0.0.0:443
2- Confirm that the certificate is valid, trusted, and matches the hostname used to access RSTS.
3- If needed, replace the binding with a valid certificate (reuse the Application ID reported by the command in step 1):
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=<valid_certificate_thumbprint> certstorename=MY appid=<existing_appid>
4- After updating the binding, retry the RSTS configuration in Configuration Center.
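The following PowerShell script is an added example, not part of the One Identity article: it performs steps 1 and 2 as one check, reading the thumbprint bound to 0.0.0.0:443 and testing the certificate for the conditions the article lists (validity period, chain trust, server-authentication usage, hostname match). It assumes an elevated session on the Active Roles server, English netsh output, and that the placeholder hostname `activeroles.example.com` is replaced with the FQDN clients use to reach RSTS.

```powershell
# Added example (not from the One Identity article): audits the certificate HTTP.SYS has bound
# to 0.0.0.0:443 against the conditions the article names: present in LocalMachine\My, inside its
# validity period, chain-trusted, carrying the Server Authentication EKU, and matching the RSTS hostname.
# Assumptions: elevated PowerShell on the Active Roles server, English netsh output, and
# $ExpectedHostName replaced with the FQDN clients actually use (the default below is a placeholder).
param(
    [string]$IpPort = '0.0.0.0:443',
    [string]$ExpectedHostName = 'activeroles.example.com'
)
# Step 1: read the binding and pull the certificate thumbprint out of the netsh output.
$thumbprint = $null
foreach ($line in (netsh http show sslcert ipport=$IpPort)) {
    if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { $thumbprint = $Matches[1]; break }
}
if (-not $thumbprint) { throw "No SSL certificate binding found for $IpPort." }
# The binding uses certstorename=MY, so the certificate must exist in LocalMachine\My.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Bound thumbprint $thumbprint is not present in LocalMachine\My." }
# Step 2a: validity period.
$now = Get-Date
$inPeriod = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
# Step 2b: chain trust, built offline; switch RevocationMode to 'Online' when CRL/OCSP is reachable.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
if (-not $chainStatus) { $chainStatus = 'OK' }
# Step 2c: the certificate must be usable for TLS server authentication (EKU 1.3.6.1.5.5.7.3.1).
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
# Step 2d: hostname match against SAN DNS names (falling back to the subject CN), wildcards allowed.
$names = @()
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
if (-not $names) { $names += $cert.GetNameInfo('SimpleName', $false) }
$hostMatches = [bool]($names | Where-Object {
    ($_ -ieq $ExpectedHostName) -or
    ($_.StartsWith('*.') -and $ExpectedHostName -imatch ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$'))
})
# Summary: every field must be True (ChainStatus 'OK') before retrying the RSTS wizard.
[pscustomobject]@{ Binding = $IpPort; Thumbprint = $thumbprint; Subject = $cert.Subject; Expires = $cert.NotAfter
    InValidityPeriod = $inPeriod; ChainTrusted = $trusted; ChainStatus = $chainStatus
    ServerAuthEKU = $hasServerAuth; HostnameMatch = $hostMatches } | Format-List
if (-not ($inPeriod -and $trusted -and $hasServerAuth -and $hostMatches)) {
    Write-Warning "The binding on $IpPort will not satisfy RSTS; rebind it with a valid certificate (step 3)."
}
```

A failing ChainStatus value names the specific problem (for example an untrusted root or an expired intermediate), which is what the wizard's "remote certificate is invalid" message hides.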
Note:
If RSTS is configured on a non-default port, the wizard may allow certificate selection for that port.
© 2026 One Identity LLC. ALL RIGHTS RESERVED.