Querying the EventstoreDB issue

Hello, we are trying to query EventstoreDB from a netcore project using the official nuget package but are receiving an error.

We are using a 3 node setup in a cluster on v24.6 of EventstoreDB.

Please see below for the error in Datadog:

HttpRequestException: The SSL connection could not be established, see inner exception. AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch", DebugException="System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.")
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch

The connection string used is: esdb+discover://username:password@eventstore.example.com:2113

Config on one of the nodes:


Paths

Db: F:\ESDB\Data
Index: F:\ESDB\Index
Log: F:\ESDB\Logs

Certificates configuration

CertificateStoreLocation: "LocalMachine"
CertificateStoreName: "My"
CertificateSubjectName: ".example.com"
TrustedRootCertificateStoreLocation: "LocalMachine"
TrustedRootCertificateStoreName: "Root"
TrustedRootCertificateSubjectName: "Go Daddy Class 2 Certification Authority"
CertificateReservedNodeCommonName: ".example.com"

Network configuration

NodeIp: 10.2.3.27
HttpPort: 2113
ReplicationPort: 1112
EnableAtomPubOverHTTP: true

Projections configuration

RunProjections: None

Application config

SkipIndexVerify: true
SkipDbVerify: true
ClusterDns: eventstore.example.com
ReplicationIp: 10.2.3.27
NodePriority: 10

Cluster gossip

ClusterSize: 3
DiscoverViaDns: true

Hi, thanks for reaching out!

First off, I noticed that you’re using 24.6. Please note that release, while awesome, is not a long-term support release. As a side note, I would humbly suggest you upgrade to 24.10, which is long-term supported :blush:

That out of the way, may you please try connecting with the ?tlsVerifyCert:false option added to your connection string?

Also, may you please try connecting in your browser to https://10.2.3.27:2113/gossip and provide the output?

Thanks!

Thank you for your quick reply, please see below for the output:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<ClientClusterInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Members>
<ClientMemberInfo>
<InstanceId>0f715990-2cae-45a4-beca-92361f64047e</InstanceId>
<TimeStamp>2025-04-29T14:18:02.4372218Z</TimeStamp>
<State>Follower</State>
<IsAlive>true</IsAlive>
<InternalTcpIp>10.2.3.29</InternalTcpIp>
<InternalTcpPort>0</InternalTcpPort>
<InternalSecureTcpPort>1112</InternalSecureTcpPort>
<ExternalTcpIp>eventstore.example.com</ExternalTcpIp>
<ExternalTcpPort>0</ExternalTcpPort>
<ExternalSecureTcpPort>0</ExternalSecureTcpPort>
<HttpEndPointIp>eventstore.example.com</HttpEndPointIp>
<HttpEndPointPort>2113</HttpEndPointPort>
<LastCommitPosition>534634662</LastCommitPosition>
<WriterCheckpoint>534635042</WriterCheckpoint>
<ChaserCheckpoint>534635042</ChaserCheckpoint>
<EpochPosition>534634368</EpochPosition>
<EpochNumber>16</EpochNumber>
<EpochId>7ec6da73-0018-4ed1-839a-7af5d08a077c</EpochId>
<NodePriority>0</NodePriority>
<IsReadOnlyReplica>false</IsReadOnlyReplica>
<ESVersion>24.6.0</ESVersion>
</ClientMemberInfo>
<ClientMemberInfo>
<InstanceId>a96f3d17-574e-423a-b322-c30228c07934</InstanceId>
<TimeStamp>2025-04-29T14:18:03.3683025Z</TimeStamp>
<State>Leader</State>
<IsAlive>true</IsAlive>
<InternalTcpIp>10.2.3.28</InternalTcpIp>
<InternalTcpPort>0</InternalTcpPort>
<InternalSecureTcpPort>1112</InternalSecureTcpPort>
<ExternalTcpIp>eventstore.example.com</ExternalTcpIp>
<ExternalTcpPort>0</ExternalTcpPort>
<ExternalSecureTcpPort>0</ExternalSecureTcpPort>
<HttpEndPointIp>eventstore.example.com</HttpEndPointIp>
<HttpEndPointPort>2113</HttpEndPointPort>
<LastCommitPosition>534634662</LastCommitPosition>
<WriterCheckpoint>534635042</WriterCheckpoint>
<ChaserCheckpoint>534635042</ChaserCheckpoint>
<EpochPosition>534634368</EpochPosition>
<EpochNumber>16</EpochNumber>
<EpochId>7ec6da73-0018-4ed1-839a-7af5d08a077c</EpochId>
<NodePriority>0</NodePriority>
<IsReadOnlyReplica>false</IsReadOnlyReplica>
<ESVersion>24.6.0</ESVersion>
</ClientMemberInfo>
<ClientMemberInfo>
<InstanceId>d79ff4c2-2612-41cf-b2a8-87f528001de4</InstanceId>
<TimeStamp>2025-04-29T14:18:03.3743674Z</TimeStamp>
<State>Follower</State>
<IsAlive>true</IsAlive>
<InternalTcpIp>10.2.3.27</InternalTcpIp>
<InternalTcpPort>0</InternalTcpPort>
<InternalSecureTcpPort>1112</InternalSecureTcpPort>
<ExternalTcpIp>10.2.3.27</ExternalTcpIp>
<ExternalTcpPort>0</ExternalTcpPort>
<ExternalSecureTcpPort>0</ExternalSecureTcpPort>
<HttpEndPointIp>10.2.3.27</HttpEndPointIp>
<HttpEndPointPort>2113</HttpEndPointPort>
<LastCommitPosition>534634662</LastCommitPosition>
<WriterCheckpoint>534635042</WriterCheckpoint>
<ChaserCheckpoint>534635042</ChaserCheckpoint>
<EpochPosition>534634368</EpochPosition>
<EpochNumber>16</EpochNumber>
<EpochId>7ec6da73-0018-4ed1-839a-7af5d08a077c</EpochId>
<NodePriority>10</NodePriority>
<IsReadOnlyReplica>false</IsReadOnlyReplica>
<ESVersion>24.6.0</ESVersion>
</ClientMemberInfo>
</Members>
<ServerIp>10.2.3.27</ServerIp>
<ServerPort>2113</ServerPort>
</ClientClusterInfo>

We’ve updated to v24.10 now from v24.6


Thanks for the information! I think the issue is because the server is missing the AdvertiseHostToClientAs configuration parameter on the nodes, and a few others, required for certificates and DNS discovery. I would recommend checking out this blog for some detailed instructions on configuring Cluster DNS with Certificates. Please review and let me know how you get on!

It was indeed the AdvertiseHostToClientAs setting. Once changed to something similar to the example below, it is now working as expected.

AdvertiseHostToClientAs: es001.example.com

Thank you for your responses
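
A check that follows from the resolution above, added here as an example (not part of the thread and not EventStoreDB's own code): it reads the /gossip XML and reports members whose advertised HttpEndPointIp is an IP literal, is not covered by the certificate's DNS names, or is shared by several nodes. The certificate name `*.example.com`, the function names and the trimmed sample document are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: trimmed to the fields used here, values as in the gossip output above.
GOSSIP = """<ClientClusterInfo><Members>
<ClientMemberInfo><State>Follower</State><HttpEndPointIp>eventstore.example.com</HttpEndPointIp></ClientMemberInfo>
<ClientMemberInfo><State>Leader</State><HttpEndPointIp>eventstore.example.com</HttpEndPointIp></ClientMemberInfo>
<ClientMemberInfo><State>Follower</State><HttpEndPointIp>10.2.3.27</HttpEndPointIp></ClientMemberInfo>
</Members></ClientClusterInfo>"""

def dns_name_matches(host, pattern):
    """RFC 6125-style match: case-insensitive, and a wildcard is accepted
    only as the whole leftmost label, covering exactly one label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and bool(h[0]) and h[1:] == p[1:]
    return h == p

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_gossip(xml_text, cert_dns_names):
    """Return (state, advertised_host, problem) for each member whose advertised
    HTTP endpoint would fail or weaken client-side certificate name checks."""
    members = [(m.findtext("State"), m.findtext("HttpEndPointIp"))
               for m in ET.fromstring(xml_text).iter("ClientMemberInfo")]
    seen = Counter(host for _, host in members)
    findings = []
    for state, host in members:
        if is_ip(host):
            findings.append((state, host, "IP literal: no DNS name in the certificate can match"))
        elif not any(dns_name_matches(host, n) for n in cert_dns_names):
            findings.append((state, host, "hostname not covered by the certificate"))
        elif seen[host] > 1:
            findings.append((state, host, "same name advertised by several nodes"))
    return findings

if __name__ == "__main__":
    for finding in audit_gossip(GOSSIP, ["*.example.com"]):  # assumed certificate name
        print(finding)
```

Running the same check against the gossip output after each node has its own AdvertiseHostToClientAs value should return an empty list, which is a safer confirmation than leaving certificate verification disabled on the client.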

Excellent, please don’t hesitate to reach out if you have any other issues at all!
