Sitecore – xDB unavailable error

Exception: System.Net.WebException
Message: The request was aborted: Could not create SSL/TLS secure channel.
Source: System
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)

We were noticing xDB unavailable errors, and looking into the log files we noticed an exception saying “The request was aborted: Could not create SSL/TLS secure channel”. This exception can be a result of xConnect certificate issues. There are two possible issues in this case: 1) a server certificate issue and 2) a client certificate issue.

To check whether the issue is with the server certificate, we need to check the connection between Sitecore and xConnect. To do this, request the xConnect instance using a browser. If the connection established is not secure, check that the server certificate used for the HTTPS site binding has not expired. We also need to make sure that the Issued To property of the certificate matches the host name that is used.

For the client-side certificate, we need to check that the certificate thumbprint in the connection strings of all the Sitecore XP roles matches the thumbprint of the certificate. For this, check the AppSettings.config of the site and the ConnectionStrings.config files of the automation engine and processing engine, and confirm that the thumbprint in these files matches the thumbprint of the certificate in use. If the certificate is self-signed, as in local dev environments, we need to make sure that the Sitecore XP roles allow invalid client certificates. To do this, add an entry to the web.config file with the key “AllowInvalidClientCertificates” and the value set to true. Along with the XP roles, the xConnect roles must also allow invalid client certificates in this case. To do this, set “AllowInvalidClientCertificates” in their AppSettings.config files.

We also need to make sure that the users that run the XP and xConnect apps have the appropriate permissions on the certificate private keys. To do this, go to “Manage private keys” for the corresponding certificate and check that the xConnect and XP role users are listed and have the appropriate permissions. If not, add the users that run those applications to the list of usernames and assign the permissions.
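
The thumbprint and expiry checks described above can be scripted. The following PowerShell is an added example, not part of the original post or of Sitecore: it collects the thumbprints referenced in each role's ConnectionStrings.config and AppSettings.config and looks them up in the certificate store. The folder paths, the LocalMachine\My store and the 40-hex-digit matching heuristic are assumptions.

```powershell
# Added example: cross-check thumbprints in role config files against the store.
# Assumptions: the role folders below are placeholders, and the certificates
# live in Cert:\LocalMachine\My.
param(
    [string[]]$ConfigRoots = @('C:\inetpub\wwwroot\<xp-role>', 'C:\inetpub\wwwroot\<xconnect-role>'),
    [int]$WarnDays = 30
)

function Get-ConfigThumbprint {
    param([string[]]$Roots)
    # Heuristic (assumption): a standalone run of 40 hex digits is a thumbprint.
    # Group 1 catches an invisible Unicode mark in front of it, which copying a
    # thumbprint out of the certificate dialog can introduce.
    $pattern = '(?<![0-9A-Fa-f])([\u200E\u200F\u202A-\u202E\uFEFF]?)([0-9A-Fa-f]{40})(?![0-9A-Fa-f])'
    $files = Get-ChildItem -Path $Roots -Recurse -File -ErrorAction SilentlyContinue `
        -Include ConnectionStrings.config, AppSettings.config
    foreach ($file in $files) {
        $text = Get-Content -LiteralPath $file.FullName -Raw -Encoding UTF8
        foreach ($m in [regex]::Matches($text, $pattern)) {
            [pscustomobject]@{
                File       = $file.FullName
                Thumbprint = $m.Groups[2].Value.ToUpperInvariant()
                HiddenChar = $m.Groups[1].Length -gt 0
            }
        }
    }
}

$store = Get-ChildItem -Path Cert:\LocalMachine\My
foreach ($ref in Get-ConfigThumbprint -Roots $ConfigRoots) {
    $cert = $store | Where-Object { $_.Thumbprint -eq $ref.Thumbprint } | Select-Object -First 1
    if (-not $cert) { $status = 'NOT IN STORE' }
    elseif ($cert.NotAfter -lt (Get-Date)) { $status = 'EXPIRED' }
    elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) { $status = 'EXPIRES SOON' }
    elseif ($ref.HiddenChar) { $status = 'HIDDEN CHARACTER IN CONFIG' }
    else { $status = 'OK' }
    [pscustomobject]@{
        File          = $ref.File
        Thumbprint    = $ref.Thumbprint
        Subject       = if ($cert) { $cert.Subject }
        NotAfter      = if ($cert) { $cert.NotAfter }
        HasPrivateKey = if ($cert) { $cert.HasPrivateKey }
        Status        = $status
    }
}
```

Run it on each server that hosts a role. A NOT IN STORE row means the thumbprint in that config file does not match any certificate installed in the assumed store.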