Sometimes we need to call web services from a plugin or a custom workflow activity. For CRM Online it means calling it from the sandbox and there are certain restrictions that apply to the network access.
These restrictions are clear and well understood, however, if you call service over https protocol, one addition restriction applies: the certificate of the site you’re connecting to must be issued by a trusted authority.
Not all authorities are equal and the fact that your client browser trusts a particular authority, does not mean that CRM server will follow the suit. If you try to access a web service over https using HttpClient (or any other client), and certificate issuing authority is not trusted, you will receive a generic error with the exception details containing some particulars:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
What certificates seems to be fine on the client side but may cause some drama when accessed in CRM Online? Those issued by (what turns out to be) dodgy authorities of WoSign and StartCom (yours truly was actually a fan of StartCom until they got into the dubious partnership with WoSign), and deservingly so. Unfortunately, certificates issued by new and cool kid on the block, Let’s Encrypt, also got caught, which is not cool at all.
Interestingly enough, all of these certificates are just fine on CRM On-premises (hosted on Windows 2012 R2 server).
Bottom line: if you are using a https web service in a plugin or a custom workflow activity in CRM Online, test it thoroughly.