I ran in to a bug today in regards to a ClickOnce app I've developed for a client. I inherited a website that was partially completed when I has hired on by my client. I developed a ClickOnce app for them (actually two different apps) along with completing and enhancing the website. Portions of the website run with an SSL Certificate (through HTTPS), the certificate was purchased long before I came into the picture.
The ClickOnce client app is launched from within a secured area of the website. Everything worked fine, until someone browsed in through a different sub-domain. Specifically the Certificate is for www.blahblahblah.com where as the client where we received an error came in through http://blahblahblah.com (without the www). The certificate is not a wildcard certificate so if I had browsed to that page I would have recieved a Security Alert message box with the message:
The name on the security certificate is invalid or does not match the name of the site.
Well while browsing it's simple enough to click yes to proceed, however you don't get that option and are simply presented with the Cannot Start Application dialog.
Clicking on Details gives a ton of information on the exception that occurred. Looking down I see the following:
--- Inner Exception ---
- The remote certificate is invalid according to the validation procedure.
So I can see that this is related to the Security Alert given above. After doing some digging, it appears that this is an acknowledged bug with .NET 2.0. While this isn't quite the same scenario that I ran into, it looks to be similar enough to possibly be the same cause.
I'm not that versed on SSL and security issues in 2.0, so my speculation may be incorrect. The client was happy enough to be sure to include the www and I can always redirect so it wasn't that big of an issue, but thought it was interesting enough to share.