This article explains how to diagnose and resolve SSL/TLS certificate trust errors. These errors typically occur when CloudM Migrate attempts to connect to an on-premises server such as Microsoft Exchange.
1. Symptom
During a connection test or at the start of a migration, the process fails. The logs display the following error message:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
This indicates that the CloudM Migrate server does not trust the SSL certificate presented by the server it is trying to connect to.
2. Cause
This error occurs when the SSL certificate on the source or destination server (e.g., an on-premises Exchange Server) is not considered valid by the CloudM Migrate machine. This happens for several common reasons:
- Self-Signed Certificate: The server is using a self-signed certificate, which is not automatically trusted by other machines.
- Untrusted Certificate Authority (CA): The certificate was issued by a private, internal Certificate Authority, and the migration server does not have that CA's root certificate in its trust store.
- Certificate Name Mismatch: The name on the certificate (e.g., mail.company.local) does not match the server address that CloudM Migrate is configured to connect to (e.g., mail.company.com).
- Expired Certificate: The server's SSL certificate has expired.
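To find out which of these causes applies, the following PowerShell script can be run on the CloudM Migrate server. It is an added example, not part of CloudM Migrate or its documentation; it assumes the endpoint listens on port 443 and uses the article's sample address as a placeholder for the address configured in the project.

```powershell
# Added example. Replace the placeholder with the exact address configured in
# CloudM Migrate; port 443 is an assumption.
$ServerName = 'mail.company.com'
$Port       = 443

$found = @{}
# Record what .NET validation reports, then return $true so the handshake finishes
# and the certificate can be read. No application data is sent on this connection.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $policyErrors)
    $found.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
    $found.Errors = $policyErrors
    $found.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($ServerName)
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

$flags     = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
$cert      = $found.Cert
$untrusted = ($found.Chain -contains $flags::UntrustedRoot) -or
             ($found.Chain -contains $flags::PartialChain)

# Map the validation result onto the four causes listed above.
$causes = @()
if ($untrusted -and $cert.Subject -eq $cert.Issuer) {
    $causes += 'Self-signed certificate'
} elseif ($untrusted) {
    $causes += 'Untrusted CA: issuing root is not in Trusted Root Certification Authorities'
}
if ($found.Errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)) {
    $causes += "Name mismatch: certificate does not cover $ServerName"
}
if ($cert.NotAfter -lt (Get-Date)) { $causes += "Expired on $($cert.NotAfter)" }
if (-not $causes -and $found.Errors -ne 'None') { $causes += "Other: $($found.Chain -join ', ')" }

[pscustomobject]@{
    Server       = "${ServerName}:$Port"
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    DnsNames     = $cert.DnsNameList.Unicode -join ', '
    PolicyErrors = $found.Errors
    Causes       = if ($causes) { $causes -join '; ' } else { 'None: certificate is trusted for this name' }
}
```

The script validates against the same Local Computer trust store that .NET applications on the machine use, so rerunning it after applying Solution 1 or Solution 2 should report no causes.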
3. Resolution
There are three ways to resolve this issue, listed in order of best practice from most secure to least secure.
Solution 1: Install a Valid SSL Certificate (Highly Recommended)
The most secure and robust solution is to fix the issue on the server presenting the faulty certificate.
- Obtain a valid SSL certificate from a trusted public Certificate Authority (e.g., Let's Encrypt, DigiCert, GoDaddy).
- Install this certificate on your server (e.g., your Microsoft Exchange CAS server).
- Ensure that CloudM Migrate is connecting to the server using the address that matches the "Common Name" (CN) or a "Subject Alternative Name" (SAN) on the certificate.
This method ensures your connection is secure and adheres to IT security best practices.
Solution 2: Trust the Internal Certificate Authority
If your server uses a certificate from a private, internal Certificate Authority (CA), you can resolve the error by configuring the CloudM Migrate server to trust that CA.
- From your internal CA, export the Root CA Certificate.
- On the CloudM Migrate server, import this Root CA Certificate into the "Trusted Root Certification Authorities" store for the Local Computer.
Solution 3: Disable Certificate Validation in CloudM Migrate (Workaround)
This option should only be used as a temporary measure or in isolated test environments (e.g., a lab with a self-signed certificate). It works by telling CloudM Migrate to ignore SSL trust errors and proceed with the connection.
Security Warning: Disabling certificate validation exposes the connection to potential man-in-the-middle attacks, as the tool will no longer verify the identity of the server it is connecting to. Proceed with caution.
- In your CloudM Migrate project configuration, navigate to the Advanced Settings > System section.
- Set the Validate SSL Certificates option to False.
- Save the configuration and re-run the migration.