Workflow manager not trusting root certificate

Problem

Error Message

Timestamp: 20:36:01.162

Message: Error completing provisioning job for store 'Store'. Status: OK

Workflow token:  
{  
    Workflow id: fcdf24e0-451e-49e0-9253-d433b30a7d9a  
    Bookmark name: c4e36fb7-2dda-4357-beae-08afe3f41c4e  
}  
Result:  
[Name: Enabled, Value: True]  
[Name: ZPErrorCode, Value: 0]  
[Name: ObjectGUID, Value: 8d1a409f-a64f-4320-9229-42fc550c6e25]  
[Name: ZPActivityStatus, Value: Hämtat användarinformation.]

. System.UnauthorizedAccessException: The token provider was unable to provide a security token while accessing
'https://zervicepoint.dev.local:9355/ZervicePoint/$STS/Windows/'.
Token provider returned message: 'The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.'. ---> System.IdentityModel.Tokens.SecurityTokenException: The token provider was unable to provide a security token while accessing
'https://zervicepoint.dev.local:9355/ZervicePoint/$STS/Windows/'.
Token provider returned message: 'The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.  
    at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)  
    at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)  
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)  
    at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)  
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)  
    at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)  
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)  
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)  
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)  
    at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)  
    at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)  
    at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)  
    at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)  
    at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)  
    at System.Net.ConnectStream.WriteHeaders(Boolean async)  
    --- End of inner exception stack trace ---  
    at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)  
    at System.Net.HttpWebRequest.GetRequestStream()  
    at Microsoft.ServiceBus.TokenProviderHelper.GetWindowsAccessTokenCore(IEnumerator`1 stsUris, Func`2 uriBuilder, String requestToken, TimeSpan timeout, DateTime& expiresIn)  
    --- End of inner exception stack trace ---  
    at Microsoft.ServiceBus.TokenProviderHelper.ThrowException(Uri requestUri, WebException exception)  
    at Microsoft.ServiceBus.TokenProviderHelper.GetWindowsAccessTokenCore(IEnumerator`1 stsUris, Func`2 uriBuilder, String requestToken, TimeSpan timeout, DateTime& expiresIn)  
    at Microsoft.ServiceBus.WindowsTokenProvider.OnBeginGetWebToken(String appliesTo, String action, TimeSpan timeout, AsyncCallback callback, Object state)  
    at Microsoft.ServiceBus.TokenProvider.GetWebTokenAsyncResult..ctor(TokenProvider tokenProvider, String appliesTo, String action, Boolean bypassCache, TimeSpan timeout, AsyncCallback callback, Object state)  
    at Microsoft.ServiceBus.TokenProvider.BeginGetWebToken(String appliesTo, String action, Boolean bypassCache, TimeSpan timeout, AsyncCallback callback, Object state)  
    at Microsoft.ServiceBus.TokenProviderUtility.GetMessagingWebToken(ITokenProvider tokenProvider, String appliesTo, String action, Boolean bypassCache, TimeSpan timeout)  
    --- End of inner exception stack trace ---

    Server stack trace:  
    at Microsoft.ServiceBus.TokenProviderUtility.GetMessagingWebToken(ITokenProvider tokenProvider, String appliesTo, String action, Boolean bypassCache, TimeSpan timeout)  
    at Microsoft.ServiceBus.Messaging.HttpWebRequestExtensions.AddAuthorizationHeader(HttpWebRequest request, ITokenProvider tokenProvider, Uri baseAddress, String action)  
    at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.GetAsyncResult`1.<GetAsyncSteps>d__11.MoveNext()  
    at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.EnumerateSteps(CurrentThreadType state)  
    at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.Start()

    Exception rethrown at [0]:  
    at Microsoft.ServiceBus.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)  
    at Microsoft.ServiceBus.NamespaceManager.OnEndQueueExists(IAsyncResult result)  
    at Zipper.ZervicePoint.ProcessSystem.Engine.Queues.ServiceBusQueue.EnsureQueue(String queueName)  
    at Zipper.ZervicePoint.ProcessSystem.Engine.Queues.ServiceBusQueue.get_Queue()  
    at Zipper.ZervicePoint.ProcessSystem.Engine.Queues.ServiceBusQueue.SendMessage(IMessage message)  
    at Zipper.ZervicePoint.ProcessSystem.Service.Services.OrderService.ResumeServiceOrder(Guid workflowId, String bookmark, Dictionary`2 data, String storeName, Boolean hasFailed, String errorMessage)  
    at Zipper.ZervicePoint.ProcessSystem.Service.WebServices.ProvisioningServiceFacade.CompleteProvisioningJob(CompletedProvisioningJobData completedJob, String storeName)  
Category: All Events  
Priority: -1  
EventId: 66  
Severity: Error  
Title:  
Machine: TCMS002T  
Application Domain:
/LM/W3SVC/4/ROOT/ProcessSystem-5-131317471714586492  
Process Id: 2896  
Process Name: c:\\windows\\system32\\inetsrv\\w3wp.exe  
Win32 Thread Id: 1972  
Thread Name:  
Extended Properties:

Solution

Make sure all Workflow Manager hosts trust the certificate chain for the certificate AppServerGeneratedSBCA. The stack trace above shows the TLS handshake to the STS endpoint failing because the remote certificate does not validate on the calling host.

  1. Locate the Workflow Manager host that holds the certificate AppServerGeneratedSBCA.
  2. Export the certificates (AppServerGeneratedSBCA and the Workflow root certificate), preferably by following this guide: https://msdn.microsoft.com/en-us/library/jj192993.aspx
  3. On each additional Workflow Manager server, import the exported certificates into the Trusted Root Certification Authorities store.
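
The three steps above in PowerShell, with a thumbprint check before anything is added to the trusted root store and a handshake test against the STS endpoint from the error message. This is an added example, not part of the original article or the product's documentation. Assumptions: the share path is a hypothetical placeholder, the function names are made up for illustration, and the subject name of the Workflow root certificate is not given on this page, so pass it in the same way as AppServerGeneratedSBCA.

```powershell
# Added example. Run in an elevated session.
$Share = '\\fileserver\certs'   # hypothetical transfer location, adjust to your environment

function Export-TrustAnchor([string]$SubjectName) {
    # Steps 1-2: find the certificate on the host that has it and export the
    # public part only (.cer); the private key never leaves the host.
    $certs = @(Get-ChildItem Cert:\LocalMachine -Recurse |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        Sort-Object Thumbprint -Unique)
    if ($certs.Count -ne 1) {
        throw "Expected one certificate with CN=$SubjectName, found $($certs.Count)"
    }
    $path = Join-Path $Share "$SubjectName.cer"
    Export-Certificate -Cert $certs[0] -FilePath $path -Type CERT | Out-Null
    $certs[0].Thumbprint   # record this value for the import step
}

function Import-TrustAnchor([string]$SubjectName, [string]$ExpectedThumbprint) {
    # Step 3: on each additional host, import only if the file on the share is
    # the certificate that was exported (guards against a swapped file).
    $file = Join-Path $Share "$SubjectName.cer"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch for $file; not importing into Trusted Root"
    }
    Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root
}

function Test-StsTrust([string]$HostName, [int]$Port) {
    # Uses the same default certificate validation that failed in the stack
    # trace: the call fails with an AuthenticationException while the chain
    # is still untrusted, and returns the server certificate subject once it is.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.RemoteCertificate.Subject
    } finally { $tcp.Close() }
}

# On the host that holds the certificate:
#   Export-TrustAnchor 'AppServerGeneratedSBCA'
# On each additional host:
#   Import-TrustAnchor 'AppServerGeneratedSBCA' '<thumbprint from export>'
#   Test-StsTrust 'zervicepoint.dev.local' 9355
```

Carry the thumbprint between hosts through a channel other than the share itself, otherwise the comparison adds nothing.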