Thoughts (based on pain in the past):

想法（基于过去的痛苦）：

• do you have DNS and line-of-sight to the server?
• are you using the correct name from the certificate?
• is the certificate still valid?
• is a badly configured load balancer messing things up?
• does the new servermachine have the clock set correctly (i.e. so that the UTC time is correct [ignore local time, it is largely irrelevent]) - this certainly matters for WCF, so may impact regular SOAP?
• is there a certificate trust chain issue? if you browse from the server to the soap service, can you get SSL?
• related to the above - has the certificate been installed to the correct location? (you may need a copy in Trusted Root Certification Authorities)
• is the server's machine-level proxy set correctly? (which different to the user's proxy); see proxycfg for XP / 2003 (not sure about Vista etc)

• 你有 DNS 和服务器的视线吗？
• 您是否使用了证书中的正确名称？
• 证书还有效吗？
• 配置不当的负载平衡器是否会搞砸？
• 新服务器机器的时钟设置是否正确（即 UTC 时间是正确的 [忽略本地时间，它在很大程度上无关紧要]） - 这对 WCF 肯定很重要，所以可能会影响常规 SOAP？
• 是否存在证书信任链问题？如果你从服务器浏览到soap服务，你能得到SSL吗？
• 与上述相关 - 证书是否已安装到正确的位置？（您可能需要受信任的根证书颁发机构的副本）
• 服务器的机器级代理设置是否正确？（与用户的代理不同）；请参阅 XP / 2003 的 proxycfg（不确定 Vista 等）

Microsoft's SSL Diagnostics Toolmay be able to help identify the issue.

Microsoft 的SSL 诊断工具或许能够帮助识别问题。

UPDATEthe link has been fixed now.

更新链接现已修复。

If you are using Windows 2003, you can try this:

如果你使用的是 Windows 2003，你可以试试这个：

Open Microsoft Management Console (Start --> Run --> mmc.exe);

Choose File --> Add/Remove Snap-in;

In the Standalone tab, choose Add;

Choose the Certificates snap-in, and click Add;

In the wizard, choose the Computer Account, and then choose Local Computer. Press Finish to end the wizard;

Close the Add/Remove Snap-in dialog;

Navigate to Certificates (Local Computer) and choose a store to import:

If you have the Root CA certificate for the company that issued the certificate, choose Trusted Root Certification Authorities;

If you have the certificate for the server itself, choose Other People

Right-click the store and choose All Tasks --> Import

Follow the wizard and provide the certificate file you have;

After that, simply restart IIS and try calling the web service again.

打开 Microsoft 管理控制台（开始 --> 运行 --> mmc.exe）；

选择文件 --> 添加/删除管理单元；

在独立选项卡中，选择添加；

选择证书管理单元，然后单击添加；

在向导中，选择计算机帐户，然后选择本地计算机。按完成结束向导；

关闭添加/删除管理单元对话框；

导航到证书（本地计算机）并选择要导入的商店：

如果您拥有颁发证书的公司的 Root CA 证书，请选择 Trusted Root Certification Authorities；

如果您有服务器本身的证书，请选择其他人

右键单击商店并选择所有任务--> 导入

按照向导并提供您拥有的证书文件；

之后，只需重新启动 IIS 并尝试再次调用 Web 服务。

Reference: http://www.outsystems.com/NetworkForums/ViewTopic.aspx?Topic=Web-Services:-Could-not-establish-trust-relationship-for-the-SSL/TLS-...

参考：http: //www.outsystems.com/NetworkForums/ViewTopic.aspx? Topic= Web-Services: -Could-not-establish-trust-relationship-for-the- SSL/ TLS-...

The following snippets will fix the case where there is something wrong with the SSL certificate on the server you are calling. For example, it may be self-signed or the host name between the certificate and the server may not match.

以下代码段将解决您正在调用的服务器上的 SSL 证书有问题的情况。例如，它可能是自签名的，或者证书和服务器之间的主机名可能不匹配。

This is dangerousif you are calling a server outside of your direct control, since you can no longer be as sure that you are talking to the server you think you're connected to. However, if you are dealing with internal servers and getting a "correct" certificate is not practical, use the following to tell the web service to ignore the certificate problems and bravely soldier on.

如果您在直接控制之外调用服务器，这很危险，因为您无法再确定您正在与您认为已连接的服务器通话。但是，如果您正在处理内部服务器并且获得“正确”的证书不切实际，请使用以下命令告诉 Web 服务忽略证书问题并勇敢地坚持下去。

The first two use lambda expressions, the third uses regular code. The first accepts any certificate. The last two at least check that the host name in the certificate is the one you expect.
... hope you find it helpful

前两个使用 lambda 表达式，第三个使用常规代码。第一个接受任何证书。最后两个至少检查证书中的主机名是否是您期望的。
...希望你觉得它有帮助

//Trust all certificates
System.Net.ServicePointManager.ServerCertificateValidationCallback =
    ((sender, certificate, chain, sslPolicyErrors) => true);

// trust sender
System.Net.ServicePointManager.ServerCertificateValidationCallback
                = ((sender, cert, chain, errors) => cert.Subject.Contains("YourServerName"));

// validate cert by calling a function
ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(ValidateRemoteCertificate);

// callback used to validate the certificate in an SSL conversation
private static bool ValidateRemoteCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors policyErrors)
{
    bool result = cert.Subject.Contains("YourServerName");
    return result;
}

Luke wrote a pretty good article about this .. pretty straight forward .. give this a try

卢克写了一篇关于这个的非常好的文章.. 非常直接.. 试试看

Luke's Solution

卢克的解决方案

Reason (quote from his article (minus cursing)) ".. The problem with the code above is that it doesn't work if your certificate is not valid. Why would I be posting to a web page with and invalid SSL certificate? Because I'm cheap and I didn't feel like paying Verisign or one of the other **-*s for a cert to my test box so I self signed it. When I sent the request I got a lovely exception thrown at me:

原因（引自他的文章（减去诅咒））“.. 上面代码的问题是，如果您的证书无效，它就不起作用。为什么我要发布到带有无效 SSL 证书的网页？因为我很便宜，我不想支付 Verisign 或其他**-* s 以获得我的测试盒的证书，所以我自己签署了它。当我发送请求时，我收到了一个可爱的异常：

System.Net.WebExceptionThe underlying connection was closed. Could not establish trust relationship with remote server.

System.Net.WebException基础连接已关闭。无法与远程服务器建立信任关系。

I don't know about you, but to me that exception looked like something that would be caused by a silly mistake in my code that was causing the POST to fail. So I kept searching, and tweaking and doing all kinds of weird things. Only after I googled the ***n thing I found out that the default behavior after encountering an invalid SSL cert is to throw this very exception. .."

我不了解你，但对我来说，这个异常看起来像是由我的代码中的一个愚蠢的错误引起的，导致 POST 失败。所以我一直在寻找、调整和做各种奇怪的事情。只有在我搜索了 ***n 之后，我才发现遇到无效 SSL 证书后的默认行为是抛出这个异常。..”

I just encountered this issue. My resolution was to update the system time by manually syncing to the time servers. To do this you can:

我刚遇到这个问题。我的解决方案是通过手动同步到时间服务器来更新系统时间。为此，您可以：

• Right-click the clock in the task bar
• Select Adjust Date/Time
• Select the Internet Timetab
• Click Change Settings
• Select Update Now

• 右键单击任务栏中的时钟
• 选择 Adjust Date/Time
• 选择Internet Time选项卡
• 点击 Change Settings
• 选择 Update Now

In my case this was syncing incorrectly so I had to click it several times before it updated correctly. If it continues to update incorrectly you can even try using a different time server from the server drop-down.

就我而言，这是同步不正确，所以我必须多次单击它才能正确更新。如果它继续错误地更新，您甚至可以尝试从服务器下拉列表中使用不同的时间服务器。

I personally like the following solution the most:

我个人最喜欢以下解决方案：

using System.Security.Cryptography.X509Certificates;
using System.Net.Security;

... then before you do request getting the error, do the following

...然后在您请求获取错误之前，请执行以下操作

System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; };

Found this after consulting Luke's Solution

在咨询了Luke 的解决方案后发现了这个

The very simple "catch all" solution is this:

非常简单的“一网打尽”解决方案是这样的：

System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

The solution from sebastian-castaldi is a bit more detailed.

sebastian-castaldi 的解决方案更详细一些。

I had this error running against a webserver with url like:

我在使用以下网址的网络服务器上运行此错误：

a.b.domain.com

but there was no certificate for it, so I got a DNS called

但是没有证书，所以我得到了一个名为的 DNS

a_b.domain.com

Just putting hint to this solution here since this came up top in google.

只是在这里提示这个解决方案，因为它在谷歌中名列前茅。

In my case I was trying to test SSLin my Visual Studio environment using IIS 7.

就我而言，我试图在我的 Visual Studio 环境中使用 IIS 7测试SSL。

This is what I ended up doing to get it to work:

这就是我最终为了让它工作而做的事情：

• Under my site in the 'Bindings...' section on the right in IIS, I had to add the 'https' binding to port 443 and select "IIS Express Developement Certificate".

• Under my site in the 'Advanced Settings...' section on the right I had to change the 'Enabled Protocols' from "http" to "https".

• Under the 'SSL Settings' icon I selected 'Accept' for client certificates.

• Then I had to recycle the app pool.

• I also had to import the local host certificate into my personal store using mmc.exe.

• 在 IIS 右侧“绑定...”部分的我的站点下，我必须将“https”绑定添加到端口 443 并选择“IIS Express 开发证书”。

• 在我的站点右侧的“高级设置...”部分，我必须将“启用的协议”从“http”更改为“https”。

• 在“SSL 设置”图标下，我为客户端证书选择了“接受”。

• 然后我不得不回收应用程序池。

• 我还必须使用 mmc.exe 将本地主机证书导入到我的个人存储中。

My web.configfile was already configured correctly, so after I got all the above sorted out, I was able to continue my testing.

我的web.config文件已经正确配置，所以在我整理完上述所有内容后，我能够继续我的测试。