Azure Hosted Service Bus : “The X.509 certificate CN=servicebus.windows.net is not in the trusted people store.”

Using Azure SDK 2.3 on my vs2013 development VM I can consume Service Bus queues **hosted in Azure** painlessly. However, on Windows Server 2008 R2 Standard SP1, it looks like Windows cannot trust the involved certificates and an exception is thrown.

The line that throws:

    // Send the message
    await queueclient.SendAsync(message);

Exception message:

The X.509 certificate CN=servicebus.windows.net is not in the trusted
people store. The X.509 certificate CN=servicebus.windows.net chain
building failed. The certificate that was used has a trust chain that
cannot be verified. Replace the certificate or change the
certificateValidationMode. A certificate chain could not be built to a
trusted root authority.

The CAPI2 logs (attached below) pointed to a trust issue so I compared certificates installed on both machines. The following certificates are absent on the server:

Intermediate Certification Authorities > Microsoft Internet Authority (Issued by Baltimore CyberTrust Root)
 
Intermediate Certification Authorities > MSIT Machine Auth CA 2 (Issued by Microsoft Internet Authority)

The questions:

 1. Where do the certificates come from?
 2. Why are they missing from the server?
 3. How to fix this issue?

Possible trails:

 1. Install Azure SDK 2.3 for Visual Studio 2013 on the server
 2. Install all Windows Updates on the server

I tried:

    <appSettings><add key="Microsoft.ServiceBus.X509RevocationMode" value="NoCheck"/></appSettings>

---

CAPI2 Verify Chain Policy event:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
        <EventID>30</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>30</Task>
        <Opcode>0</Opcode>
        <Keywords>0x4000000000000001</Keywords>
        <TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" />
        <EventRecordID>5642</EventRecordID>
        <Correlation />
        <Execution ProcessID="5280" ThreadID="8472" />
        <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
        <Computer>ne-r026-310cn</Computer>
        <Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" />
      </System>
      <UserData>
        <CertVerifyCertificateChainPolicy>
          <Policy type="CERT_CHAIN_POLICY_BASE" constant="1" />
          <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" />
          <CertificateChain chainRef="{19B5F58A-FA37-4213-A888-C81C340D019C}" />
          <Flags value="1000" CERT_CHAIN_POLICY_IGNORE_PEER_TRUST_FLAG="true" />
          <Status chainIndex="0" elementIndex="-1" />
          <EventAuxInfo ProcessName="w3wp.exe" />
          <CorrelationAuxInfo TaskId="{F8DE43DD-9E68-461E-8A2B-17215BA87E0C}" SeqNumber="1" />
          <Result value="800B010A">A certificate chain could not be built to a trusted root authority.</Result>
        </CertVerifyCertificateChainPolicy>
      </UserData>
    </Event>

CAPI2 Build Chain event:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
        <EventID>11</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>11</Task>
        <Opcode>2</Opcode>
        <Keywords>0x4000000000000003</Keywords>
        <TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" />
        <EventRecordID>5641</EventRecordID>
        <Correlation />
        <Execution ProcessID="5280" ThreadID="8472" />
        <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
        <Computer>ne-r026-310cn</Computer>
        <Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" />
      </System>
      <UserData>
        <CertGetCertificateChain>
          <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" />
          <ValidationTime>2014-06-11T19:57:38.998Z</ValidationTime>
          <AdditionalStore />
          <ExtendedKeyUsage />
          <Flags value="0" />
          <ChainEngineInfo context="machine" />
          <AdditionalInfo>
            <NetworkConnectivityStatus value="1" _SENSAPI_NETWORK_ALIVE_LAN="true" />
          </AdditionalInfo>
          <CertificateChain chainRef="{19B5F58A-FA37-4213-A888-C81C340D019C}">
            <TrustStatus>
              <ErrorStatus value="10000" CERT_TRUST_IS_PARTIAL_CHAIN="true" />
              <InfoStatus value="0" />
            </TrustStatus>
            <ChainElement>
              <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" />
              <SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
              <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
              <TrustStatus>
                <ErrorStatus value="0" />
                <InfoStatus value="2" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" />
              </TrustStatus>
              <ApplicationUsage>
                <Usage oid="1.3.6.1.5.5.7.3.2" name="Client Authentication" />
                <Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />
              </ApplicationUsage>
              <IssuanceUsage />
            </ChainElement>
          </CertificateChain>
          <EventAuxInfo ProcessName="w3wp.exe" />
          <CorrelationAuxInfo TaskId="{9077AB4E-95E3-449B-AF2F-0BF42E92E6B7}" SeqNumber="11" />
          <Result value="800B010A">A certificate chain could not be built to a trusted root authority.</Result>
        </CertGetCertificateChain>
      </UserData>
    </Event>

CAPI2 X509 Objects event:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
        <EventID>90</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>90</Task>
        <Opcode>0</Opcode>
        <Keywords>0x4000000000000200</Keywords>
        <TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" />
        <EventRecordID>5640</EventRecordID>
        <Correlation />
        <Execution ProcessID="5280" ThreadID="8472" />
        <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
        <Computer>ne-r026-310cn</Computer>
        <Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" />
      </System>
      <UserData>
        <X509Objects>
          <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net">
            <Subject>
              <CN>servicebus.windows.net</CN>
            </Subject>
            <SubjectKeyID computed="false" hash="BD41618C22D8DBEE9D172C12A2C549D61711ED75" />
            <SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
            <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
            <Issuer>
              <CN>MSIT Machine Auth CA 2</CN>
              <DC>redmond</DC>
              <DC>corp</DC>
              <DC>microsoft</DC>
              <DC>com</DC>
            </Issuer>
            <SerialNumber>70DB015B000100008C58</SerialNumber>
            <NotBefore>2013-07-27T03:31:06Z</NotBefore>
            <NotAfter>2015-07-27T03:31:06Z</NotAfter>
            <Extensions>
              <KeyUsage value="B0" CERT_DIGITAL_SIGNATURE_KEY_USAGE="true" CERT_KEY_ENCIPHERMENT_KEY_USAGE="true" CERT_DATA_ENCIPHERMENT_KEY_USAGE="true" />
              <ExtendedKeyUsage>
                <Usage oid="1.3.6.1.5.5.7.3.2" name="Client Authentication" />
                <Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />
              </ExtendedKeyUsage>
              <SubjectAltName>
                <DNSName>*.servicebus.windows.net</DNSName>
                <DNSName>servicebus.windows.net</DNSName>
              </SubjectAltName>
              <AuthorityKeyIdentifier>
                <KeyID hash="EBDB115EF8099ED8D6629CFD629DE3844A28E127" />
              </AuthorityKeyIdentifier>
            </Extensions>
          </Certificate>
          <EventAuxInfo ProcessName="w3wp.exe" />
          <CorrelationAuxInfo TaskId="{9077AB4E-95E3-449B-AF2F-0BF42E92E6B7}" SeqNumber="10" />
        </X509Objects>
      </UserData>
    </Event>
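Added example, not part of the original post: a Python triage that reads the CAPI2 Build Chain (EventID 11) and X509 Objects (EventID 90) events quoted above and reports the result code, whether CERT_TRUST_IS_PARTIAL_CHAIN is set, and the issuer CAPI2 could not locate, which is the certificate that has to be present in a store (or fetchable via AIA) before the chain can reach a trusted root. The sample XML is the post's own events trimmed to the fields read; element and attribute names follow the event schema shown, and the function is written for any partial chain, not only a one-element one.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample: the post's Build Chain (EventID 11) and X509 Objects (EventID 90)
# events, trimmed to the elements this triage reads.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>11</EventID></System>
 <UserData><CertGetCertificateChain>
  <CertificateChain chainRef="{19B5F58A-FA37-4213-A888-C81C340D019C}">
   <TrustStatus><ErrorStatus value="10000" CERT_TRUST_IS_PARTIAL_CHAIN="true" /></TrustStatus>
   <ChainElement><Certificate subjectName="servicebus.windows.net" /></ChainElement>
  </CertificateChain>
  <Result value="800B010A">A certificate chain could not be built to a trusted root authority.</Result>
 </CertGetCertificateChain></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>90</EventID></System>
 <UserData><X509Objects>
  <Certificate subjectName="servicebus.windows.net">
   <Issuer><CN>MSIT Machine Auth CA 2</CN></Issuer>
   <Extensions><AuthorityKeyIdentifier><KeyID hash="EBDB115EF8099ED8D6629CFD629DE3844A28E127" /></AuthorityKeyIdentifier></Extensions>
  </Certificate>
 </X509Objects></UserData>
</Event>
</Events>"""


def triage_capi2(xml_text):
    """Explain a CAPI2 chain-build failure: result code, partial-chain flag, missing issuer."""
    root = ET.fromstring(xml_text)
    events = {ev.findtext("e:System/e:EventID", namespaces=NS): ev for ev in root.findall("e:Event", NS)}
    build = events["11"].find("e:UserData/e:CertGetCertificateChain", NS)
    status = build.find("e:CertificateChain/e:TrustStatus/e:ErrorStatus", NS)
    elements = build.findall("e:CertificateChain/e:ChainElement/e:Certificate", NS)
    # The highest element CAPI2 could place is the one whose issuer it failed to locate.
    top = elements[-1].get("subjectName")
    info = {"result": build.find("e:Result", NS).get("value"),
            "partial_chain": status.get("CERT_TRUST_IS_PARTIAL_CHAIN") == "true",
            "chain_length": len(elements), "top_subject": top,
            "missing_issuer": None, "missing_issuer_key_id": None}
    if info["partial_chain"] and "90" in events:
        # The X509 Objects event carries the parsed leaf, including its Issuer and AKI.
        for cert in events["90"].iter("{%s}Certificate" % NS["e"]):
            if cert.get("subjectName") == top:
                info["missing_issuer"] = cert.findtext("e:Issuer/e:CN", namespaces=NS)
                aki = cert.find("e:Extensions/e:AuthorityKeyIdentifier/e:KeyID", NS)
                info["missing_issuer_key_id"] = aki.get("hash") if aki is not None else None
    return info
```

On the post's events this reports result 800B010A, a partial chain of length 1, and `MSIT Machine Auth CA 2` (key id EBDB115E...) as the issuer that could not be found, matching the intermediate noted as absent on the server.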
