Using Azure SDK 2.3 on my vs2013 development VM I can consume Service Bus queues hosted in Azure painlessly. However, on Windows Server 2008 R2 Standard SP1
To eliminate certificate trust issues from Service Bus for Windows Server, use the following:
Create a list of the certificates you trust:
// Thumbprints (SHA-1 hex, as returned by X509Certificate.GetCertHashString()) of the certificates to pin.
var trustedCertificates = new HashSet<string>(new[]
{
    "1245…",
    "4567…",
    "8102…"
}, StringComparer.OrdinalIgnoreCase);
Trust those:
// Process-wide callback used by HttpWebRequest/WCF for every TLS server certificate.
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) =>
{
    if (errors == SslPolicyErrors.None)
    {
        return true; // normal validation succeeded, nothing to override
    }
    // Fall back to the pinned thumbprint list.
    var hashString = certificate.GetCertHashString();
    var isTrusted = trustedCertificates.Contains(hashString);
    if (!isTrusted)
    {
        // telemetryClient: an Application Insights TelemetryClient initialised elsewhere.
        telemetryClient.TrackTrace($"Untrusted: {hashString} Errors: {errors} Cert: {certificate}", SeverityLevel.Warning);
    }
    return isTrusted;
};
Calm Service Bus down too:
// Service Bus has its own internal certificate validator; replace it via reflection with a no-op
// so that it defers to the ServicePointManager callback above instead of failing independently.
private static void SetCertificateValidator()
{
    var retriableCertificateValidatorType = Type.GetType("Microsoft.ServiceBus.Channels.Security.RetriableCertificateValidator, Microsoft.ServiceBus", true, false);
    var instanceProperty = retriableCertificateValidatorType.GetProperty("Instance", BindingFlags.Static | BindingFlags.NonPublic);
    var instance = instanceProperty.GetValue(null);
    var peerOrChainTrustNoCheck = retriableCertificateValidatorType.GetField("peerOrChainTrustNoCheck", BindingFlags.Instance | BindingFlags.NonPublic);
    peerOrChainTrustNoCheck?.SetValue(instance, new EmptyOpX509CertificateValidator());
}

// Validator that accepts every certificate; trust is decided solely by the pinned-thumbprint callback.
private sealed class EmptyOpX509CertificateValidator : X509CertificateValidator
{
    public override void Validate(X509Certificate2 certificate)
    {
    }
}
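A tighter variant of the pinning callback from this answer, added here as an example and not part of the answer: it only overrides the chain-trust failure caused by missing root certificates, so a hostname mismatch or a revoked certificate is still rejected even when its thumbprint is pinned. The thumbprints and class names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertificateValidation
{
    // Placeholder SHA-1 thumbprints of the Service Bus endpoint certificates to pin.
    private static readonly HashSet<string> TrustedThumbprints = new HashSet<string>(new[]
    {
        "PLACEHOLDER-THUMBPRINT-1",
        "PLACEHOLDER-THUMBPRINT-2",
    }, StringComparer.OrdinalIgnoreCase);

    // Chain statuses produced when the root CA is absent from the machine store. Revocation
    // cannot be checked without a complete chain, hence the two revocation flags.
    private static readonly X509ChainStatusFlags ToleratedChainStatus =
        X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.PartialChain |
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    public static bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
        {
            return true; // platform validation succeeded
        }

        // Never override a name mismatch or a missing certificate: only chain trust is pinned around.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || chain == null)
        {
            return false;
        }

        // Any chain problem other than "root not installed" (e.g. NotTimeValid, Revoked) still fails.
        foreach (var status in chain.ChainStatus)
        {
            if ((status.Status & ~ToleratedChainStatus) != X509ChainStatusFlags.NoError)
            {
                return false;
            }
        }

        return TrustedThumbprints.Contains(certificate.GetCertHashString());
    }

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

Because ServicePointManager is process-wide, the pin applies to every outbound TLS connection in the application, not just Service Bus.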
The missing certificates were responsible for the exception.
I haven't been able to find the certificates online and I'm still unsure of how EXACTLY they managed to install themselves, BUT I think I have an idea...
How did we manage to obtain the certificates? We isolated the Service Bus messaging code into a console application and executed it with admin rights on the production server. The certificates installed themselves automatically in the process.
Perhaps our application pool, running under ApplicationPoolIdentity with limited permissions, was not allowing Windows to download or install the certificates.
This link seems to offer related information: http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/
Update: You can download the certificate chain here.