10

We use Azure Service Bus and an Azure Web App which fills the queue. They are in the same resource group. We use WindowsAzure.ServiceBus v2.6.5.

We get this error very rarely:

The X.509 certificate CN=servicebus.windows.net is not in the trusted people store. The X.509 certificate CN=servicebus.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.

Question: Is this an internal error on Azure? If it's not, what can we do to avoid getting this error?

Erkan Demirel

2 Answers

6

I managed to find out more information about this issue. First of all, what needs to be established is that this is a pure client issue, which is why there are no tracking IDs. The client refuses to complete the TLS handshake with Service Bus.

This is a known issue with the way Microsoft manages certificates and how they are used on non-HTTP(S) transports. The errors occur when the endpoint that hosts the intermediate certificates for Microsoft is unavailable or slow or cannot be reached by the client for any reason. We are investigating a workaround for injecting the required extra certificate into the TLS handshake for the SBMP and AMQP transports, similar to how this is done by HTTP.SYS, so that this extra request is not needed.

The immediate workaround available is to enable ServiceBusEnvironment.SystemConnectivity.Mode = ConnectivityMode.Https. This will force all traffic to use a WebSockets tunnel that is protected by a prior TLS/HTTPS handshake, and that handshake carries the required intermediate certificate. The WebSockets handshake does impose a little extra latency as the connection is established, but will otherwise be comparable with the regular communication mode. The messaging protocol used through that tunnel will still be AMQP or NetMessaging, so you should not be worried about getting HTTP characteristics when choosing this option.

This is the response from Microsoft. I'll apply this and if I don't face any problem for some period of time, I will accept this as an answer. Anyone who faces this problem can try this as well.

Edit:

ConnectivityMode.Https is only available in Service Bus 3. I have to use Service Bus 2 because of an issue with SignalR. Therefore I couldn't apply this solution.

Erkan Demirel
  • Would a retry policy not solve this if it is an intermittent connectivity issue? https://learn.microsoft.com/en-us/azure/best-practices-retry-service-specific#service-bus-retry-guidelines – gorillapower Dec 07 '16 at 05:56
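The workaround from the Microsoft response above, combined with the retry policy suggested in the comment, as an added example (not code from the question or the answer). It assumes the WindowsAzure.ServiceBus 3.x package, since per the edit above ConnectivityMode.Https does not exist in the 2.x package the question uses; the queue name and the environment variable holding the connection string are placeholders.

```csharp
using System;
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;

class ServiceBusHttpsModeExample
{
    static void Main()
    {
        // Placeholder: read the connection string from configuration, never hard-code it.
        string connectionString = Environment.GetEnvironmentVariable("SB_CONNECTION_STRING");

        // Workaround from the Microsoft response: route AMQP/NetMessaging through a
        // WebSockets tunnel on 443 whose TLS handshake carries the intermediate CA
        // certificate, so the client no longer has to fetch it from Microsoft's
        // certificate endpoint. This is process-wide and must be set before any
        // client object is created.
        ServiceBusEnvironment.SystemConnectivity.Mode = ConnectivityMode.Https;

        // Placeholder queue name.
        var client = QueueClient.CreateFromConnectionString(connectionString, "orders");

        // Retry transient failures with exponential backoff (the comment's suggestion):
        // 1 s minimum, 30 s maximum, at most 5 attempts.
        client.RetryPolicy = new RetryExponential(
            TimeSpan.FromSeconds(1),
            TimeSpan.FromSeconds(30),
            5);

        try
        {
            client.Send(new BrokeredMessage("constructed sample payload"));
        }
        catch (MessagingException ex)
        {
            // Log the failure so the rare chain-building errors remain visible in
            // the application's own diagnostics, not only in the SDK exception.
            Console.Error.WriteLine("Send failed (transient: {0}): {1}", ex.IsTransient, ex.Message);
            throw;
        }
        finally
        {
            client.Close();
        }
    }
}
```

Whether the SDK classifies the chain-building failure itself as transient, and therefore retries it, is not stated on this page, so the logging is there to let you verify that in your own environment.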
1

I believe there must be a missing certificate.

From this stack overflow post https://stackoverflow.com/a/24224550/4735373 here is a link that may help: https://corp.sts.microsoft.com/Onboard/ADFSOnboard.htm#Corp-STS-Certificates

Tobiah Zarlez
  • If there is a missing certificate on our side, it should give this error all the time. Isn't that right? – Erkan Demirel Feb 25 '16 at 08:35
  • Are you spinning up or spinning down instances? – Tobiah Zarlez Feb 25 '16 at 08:43
  • There is no scale-up on this web app; it just has 1 instance. We hadn't faced this error before; it started yesterday. I have opened an issue on Azure. I'm waiting for a response. – Erkan Demirel Feb 25 '16 at 08:45
  • We have been seeing this issue too. We are getting this running in Azure from a WebJob on App Service in the West US region. Did you get any response on your support ticket? It is not possible to install certificates on Azure App Service. – Phil Bolduc Mar 04 '16 at 21:20