Channel: Service Bus forum

Sending messages to Service Bus for Windows Server via AMQP in an NLB cluster


When connecting to our load-balanced Service Bus instance via AMQP, we cannot send messages to a queue or topic.

We have a Windows Server 2012 R2, running in a VM on Hyper-V. The server is part of an NLB cluster (which currently only contains this single host). On the server, we installed Service Bus for Windows Server 1.1 and configured the farm, host and namespace using the following PowerShell script:

$machineName = 'server'
$domainName = 'sb.department.company.com' # this DNS name is linked to the virtual IP address of the NLB cluster
$namespace = 'namespace'

New-SBFarm -SBFarmDBConnectionString "Data Source=$machineName;Integrated Security=True" -FarmDns $domainName -EncryptionCertificateThumbprint $certThumbprint -FarmCertificateThumbprint $certThumbprint -RunAsAccount $accountName

Add-SBHost -SBFarmDBConnectionString "Data Source=$machineName;Integrated Security=True" -EnableFirewallRules $true -RunAsPassword $securePassword -ExternalBrokerUrl "sb://$domainName"

New-SBNamespace -Name $namespace -AddressingScheme 'Path' -ManageUsers $userGroupName

We use a certificate generated using OpenSSL. Here's the chain of certificates we use:

  • Company CA
    • Signature algorithm: sha256RSA
    • Public key: RSA (2048 bits)
    • Subject: O = Company, CN = Company CA
    • Basic Constraints: Subject Type = CA, Path Length Constraint = None
    • Key Usage: Certificate Signing, Off-line CRL Signing, CRL Signing
  • Company Department CA
    • Signature algorithm: sha256RSA
    • Public key: RSA (2048 bits)
    • Issuer: Company CA
    • Subject: O = Company, CN = Company CA
    • Basic Constraints: Subject Type = CA, Path Length Constraint = None
    • Key Usage: Certificate Signing, Off-line CRL Signing, CRL Signing
  • sb.department.company.com
    • Signature algorithm: sha256RSA
    • Public key: RSA (2048 bits)
    • Issuer: Company Department CA
    • Subject: O = Company, CN = sb.department.company.com
    • Basic Constraints: Subject Type = End Entity, Path Length Constraint = None
    • Key Usage: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment
    • Enhanced Key Usage: Server Authentication
    • Subject Alternative Name: DNS Name = sb.department.company.com

These 3 certificates are installed in the certificate store of the local machine (not of the current user):

  • The root certificate (Company CA) is installed in Trusted Root Certification Authorities.
  • The intermediate certificate (Company Department CA) is installed in Intermediate Certification Authorities.
  • The server certificate (sb.department.company.com) is installed in Trusted People.

When we use a web browser to connect to https://sb.department.company.com:9355/namespace, we can see that the certificates are correct and trusted.

When we use the .NET library to connect to the Service Bus instance, we can do everything (get list of queues/topics, create queues/topics, send messages to a queue, ...).

When we connect using AMQP, we can get the list of queues/topics, but we cannot send messages to a queue. This can easily be demonstrated via Service Bus Explorer: if we set transport type to AMQP, we get this erratic behavior. When trying to send messages, we get the following error message: Exception: The remote certificate is invalid according to the validation procedure.. Method b__be.

How can we solve this?
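
An added diagnostic, not part of the original post or of Service Bus: it records what the .NET validator reports for the certificate an endpoint presents, which separates a name mismatch from a chain-trust failure behind the error quoted above. The function name is hypothetical, the code assumes the endpoint starts TLS immediately on connect, and the port is a parameter because the post states only the HTTPS port 9355.

```powershell
# Added diagnostic, not from the original post. Function name is hypothetical.
function Test-TlsEndpointCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # name the client connects with
        [Parameter(Mandatory)] [int]    $Port
    )
    $seen = @{}
    # Record what the platform validator reports, then accept the certificate so
    # the handshake completes. No application data is sent on this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($s, $certificate, $chain, $policyErrors)
        $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $seen.Errors = $policyErrors
        $seen.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try     { $ssl.AuthenticateAsClient($HostName) }   # assumes TLS starts on connect
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }

    [pscustomobject]@{
        Endpoint     = '{0}:{1}' -f $HostName, $Port
        Subject      = $seen.Cert.Subject
        DnsName      = $seen.Cert.GetNameInfo('DnsName', $false)
        # None, RemoteCertificateNameMismatch and/or RemoteCertificateChainErrors
        PolicyErrors = $seen.Errors
        ChainStatus  = $seen.Chain -join ', '
    }
}

# Host name and HTTPS port as given in the post. Repeat with the farm's AMQP TLS
# port and with each host name clients use, then compare PolicyErrors.
Test-TlsEndpointCertificate -HostName 'sb.department.company.com' -Port 9355
```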

