Error – The X.509 certificate CN=servicebus.windows.net, OU=WindowsAzure, O=Microsoft, L=Redmond, S=WA, C=US chain building failed. The certificate that was used has a trust chain that cannot be verified.


Recently I was dealing with a case where we were using Service Bus (Azure SDK 1.6) and experiencing the following error:

System.ServiceModel.ServiceHostingEnvironment+HostingManager/35320229
Exception: System.ServiceModel.ServiceActivationException: The service '/xxx-xxx-xxx.svc' cannot be activated due to an exception during compilation. The exception message is: The X.509 certificate CN=servicebus.windows.net, OU=WindowsAzure, O=Microsoft, L=Redmond, S=WA, C=US chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.

   at Microsoft.ServiceBus.Channels.Security.RetriableCertificateValidator.Validate(X509Certificate2 certificate)
   at System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
   at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
   at System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.ValidateRemoteCertificate(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
   at System.Net.Security.SecureChannel.VerifyRemoteCertificate(RemoteCertValidationCallback remoteCertValidationCallback)

We enabled CAPI2 logging to learn more about the error and saw the following event in the event log:

Log Name:      Microsoft-Windows-CAPI2/Operational
Source:        Microsoft-Windows-CAPI2
Date:          10/07/2013 17:17:22
Event ID:      30
Task Category: Verify Chain Policy
Level:         Error
Keywords:      Path Validation
User:          xxxxxxxxxxxxxxxxxxx
Computer:      xxxxxxxxxxxxxxxxxx
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>30</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>30</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000001</Keywords>
    <TimeCreated SystemTime="2013-07-10T16:17:22.627875000Z" />
    <EventRecordID>155</EventRecordID>
    <Correlation />
    <Execution ProcessID="2124" ThreadID="5876" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>xxxxxxxxxxxxxxxxxxxxxxx</Computer>
    <Security UserID="xxxxxxxxxxxxxxxxxxxxxxxx" />
  </System>
  <UserData>
    <CertVerifyCertificateChainPolicy>
      <Policy type="CERT_CHAIN_POLICY_BASE" constant="1" />
      <Certificate fileRef="xxxxxxxxxxxxxxxxx.cer" subjectName="servicebus.windows.net" />
      <CertificateChain chainRef="{E135171F-3ED0-4AED-87BC-D0E07F2061DA}" />
      <Flags value="1000" CERT_CHAIN_POLICY_IGNORE_PEER_TRUST_FLAG="true" />
      <Status chainIndex="0" elementIndex="2" />
      <EventAuxInfo ProcessName="w3wp.exe" />
      <CorrelationAuxInfo TaskId="{3056642A-A82C-4605-A12C-C761A85A74E4}" SeqNumber="1" />
      <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
    </CertVerifyCertificateChainPolicy>
  </UserData>
</Event>

So we took a network trace to understand why the client was unable to check certificate revocation. Analyzing the trace showed the following:

  1. A request was sent to http://cdp1.public-trust.com/CRL/Omniroot2025.crl for revocation checking, but the response was an HTTP 403 error from a proxy server.
  2. The proxy (a Squid proxy) returned the header 'X-Squid-Error: ERR_ACCESS_DENIED 0', so it was not allowing traffic to the above URL.
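The diagnosis above, as an added PowerShell script (not from the original post and not Service Bus code): it rebuilds the server certificate's chain with online revocation checking the way the client does, prints the CRL distribution point URLs that have to be reachable through the proxy when the check comes back as "revocation offline", and then repeats the build with NoCheck, the mode the Microsoft.ServiceBus.X509RevocationMode=NoCheck workaround selects. The certificate path is a placeholder; it assumes an exported copy of the servicebus.windows.net certificate on the affected host.

```powershell
# Added example, not code from the original post: rebuild the server certificate's chain
# the way the Service Bus client does, first with online revocation checking, and if the
# CRL cannot be fetched, list the CRL distribution point URLs the proxy must allow, then
# show the post's workaround (RevocationMode NoCheck) succeeding on the same chain.
# $CertPath is a placeholder; point it at the exported servicebus.windows.net certificate.
param([string]$CertPath = 'C:\temp\servicebus.cer')

$X509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$X509.X509Certificate2" $CertPath

function Test-ChainRevocation([string]$Mode) {
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = $Mode          # 'Online' or 'NoCheck'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'  # the self-signed root has no CRL to check
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($cert)
    Write-Host ("RevocationMode={0}: chain build {1}" -f $Mode, $(if ($built) { 'OK' } else { 'FAILED' }))
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("    {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    return $chain
}

# True when a status entry means "the CRL could not be retrieved" (what CAPI2 logs as
# result 80092013, CRYPT_E_REVOCATION_OFFLINE), as opposed to "the certificate is revoked".
function Test-RevocationOffline($ChainStatus) {
    $flags = "$X509.X509ChainStatusFlags" -as [type]
    foreach ($s in $ChainStatus) {
        if ($s.Status.HasFlag($flags::OfflineRevocation) -or
            $s.Status.HasFlag($flags::RevocationStatusUnknown)) { return $true }
    }
    return $false
}

$online = Test-ChainRevocation 'Online'
if (Test-RevocationOffline $online.ChainStatus) {
    Write-Host "`nRevocation server unreachable. CRL URLs that must be allowed through the proxy:"
    foreach ($el in $online.ChainElements) {
        # OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it as
        # text, and the http URLs are pulled out of that text.
        $ext = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
        if ($ext) {
            foreach ($m in [regex]::Matches($ext.Format($true), 'https?://\S+')) {
                Write-Host ("    {0}  ->  {1}" -f $el.Certificate.Subject, $m.Value)
            }
        }
    }
    $null = Test-ChainRevocation 'NoCheck'   # the appSettings workaround, without the CRL fetch
}
```

Run it under the same account and proxy settings as the w3wp.exe process named in the CAPI2 event, since the CRL fetch goes through that process's proxy configuration.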

The issue was resolved by allowing the URL through the proxy server. With Microsoft.ServiceBus.dll version 1.7 you can turn off certificate revocation checking with the following config:

<configuration>
  <appSettings>
    <add key="Microsoft.ServiceBus.X509RevocationMode" value="NoCheck"/>
  </appSettings>
</configuration>

Microsoft.ServiceBus.dll 1.8 and newer do not check for certificate revocation.

Comments (2)

  1. Desy says:

    Hi, do you know if there is not another way to fix the problem?

    thanks in advance.

  2. Desy says:

    Hi,

    I found another way to fix the problem. Going in Windows Update – search manual updates – there was this pending update: Update for Root Certificates for Windows XP [May 2013] (KB931125).

    I have upgraded, rebooted the computer and now the error no longer appears.

    Bye!
