Error - The X.509 certificate CN=servicebus.windows.net, OU=WindowsAzure, O=Microsoft, L=Redmond, S=WA, C=US chain building failed. The certificate that was used has a trust chain that cannot be verified.

Recently I was dealing with a case where we were using Service Bus (Azure SDK 1.6) and experiencing the following error:

System.ServiceModel.ServiceHostingEnvironment+HostingManager/35320229
 Exception: System.ServiceModel.ServiceActivationException: The service '/xxx-xxx-xxx.svc' cannot be activated due to an exception during compilation. The exception message is: The X.509 certificate CN=servicebus.windows.net, OU=WindowsAzure, O=Microsoft, L=Redmond, S=WA, C=US chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.

 At Microsoft.ServiceBus.Channels.Security.RetriableCertificateValidator.Validate(X509Certificate2 certificate)
   at System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
   at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
   at System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.ValidateRemoteCertificate(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
   at System.Net.Security.SecureChannel.VerifyRemoteCertificate(RemoteCertValidationCallback remoteCertValidationCallback)


We enabled CAPI2 logging to learn more about the error and saw the following entry in the event log:

Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Date: 10/07/2013 17:17:22
Event ID: 30
Task Category: Verify Chain Policy
Level: Error
Keywords: Path Validation
User: xxxxxxxxxxxxxxxxxxx
Computer: xxxxxxxxxxxxxxxxxx
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>30</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>30</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000001</Keywords>
    <TimeCreated SystemTime="2013-07-10T16:17:22.627875000Z" />
    <EventRecordID>155</EventRecordID>
    <Correlation />
    <Execution ProcessID="2124" ThreadID="5876" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>xxxxxxxxxxxxxxxxxxxxxxx</Computer>
    <Security UserID="xxxxxxxxxxxxxxxxxxxxxxxx" />
  </System>
  <UserData>
    <CertVerifyCertificateChainPolicy>
      <Policy type="CERT_CHAIN_POLICY_BASE" constant="1" />
      <Certificate fileRef="xxxxxxxxxxxxxxxxx.cer" subjectName="servicebus.windows.net" />
      <CertificateChain chainRef="{E135171F-3ED0-4AED-87BC-D0E07F2061DA}" />
      <Flags value="1000" CERT_CHAIN_POLICY_IGNORE_PEER_TRUST_FLAG="true" />
      <Status chainIndex="0" elementIndex="2" />
      <EventAuxInfo ProcessName="w3wp.exe" />
      <CorrelationAuxInfo TaskId="{3056642A-A82C-4605-A12C-C761A85A74E4}" SeqNumber="1" />
      <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
    </CertVerifyCertificateChainPolicy>
  </UserData>
</Event>
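To pull the same information out of the log without reading each event by hand, the following PowerShell is an added example (not part of the original post): it enables the CAPI2 Operational log and summarises every Event ID 30 chain-policy failure, decoding the result code the way the event above reports 80092013. It assumes an elevated Windows PowerShell session; the log name, event ID and the CAPI2 error codes listed are real, while the function name and the columns it emits are this example's own choices.

```powershell
# Added example, not from the original post. Run elevated on the affected server.
# Enable the CAPI2 Operational log and give it room so entries are not rotated away.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true /ms:67108864

# CAPI2 result codes this script decodes; any other code is shown with the event's own text.
$ResultNames = @{
    '0'        = 'Success'
    '80092010' = 'CRYPT_E_REVOKED (certificate is revoked)'
    '80092012' = 'CRYPT_E_NO_REVOCATION_CHECK (no CRL/OCSP source could be consulted)'
    '80092013' = 'CRYPT_E_REVOCATION_OFFLINE (revocation server unreachable, e.g. blocked by a proxy)'
    '800B0101' = 'CERT_E_EXPIRED'
    '800B0109' = 'CERT_E_UNTRUSTEDROOT'
}

function Get-Capi2ChainFailure {
    # Returns one object per Event ID 30 (Verify Chain Policy) error, newest first.
    param([int]$MaxEvents = 50)

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 30; Level = 2
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # The interesting fields live under UserData, exactly as in the event XML above.
        [xml]$x = $ev.ToXml()
        $p    = $x.Event.UserData.CertVerifyCertificateChainPolicy
        $code = $p.Result.value

        [pscustomobject]@{
            Time       = $ev.TimeCreated
            Process    = $p.EventAuxInfo.ProcessName   # w3wp.exe in the case above
            Subject    = $p.Certificate.subjectName
            Policy     = $p.Policy.type
            ElementIdx = $p.Status.elementIndex        # 0 = leaf, higher = closer to the root
            Code       = $code
            Meaning    = if ($ResultNames.ContainsKey($code)) { $ResultNames[$code] } else { $p.Result.'#text' }
        }
    }
}

Get-Capi2ChainFailure | Format-Table -AutoSize
```

A run of CRYPT_E_REVOCATION_OFFLINE entries all coming from the same process, as in this case, points at network reachability of the CRL or OCSP endpoints rather than at the certificate itself.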

So we took a network trace to understand why the certificate revocation check was failing. After analyzing the traces we found the following:

  1. A request was sent to https://cdp1.public-trust.com/CRL/Omniroot2025.crl for revocation checking, but the response was a 403 error from a proxy server.
  2. The proxy returned the header ‘X-Squid-Error: ERR_ACCESS_DENIED 0’, so the proxy (a Squid proxy) was not allowing traffic to the above URL.
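The same diagnosis can be reproduced outside IIS and without a network trace. The following PowerShell script is an added example (not part of the original post): it fetches the server certificate, builds the chain with online revocation checking as the Service Bus client does, extracts every CRL distribution point URL from the chain, and requests each one through the machine's configured proxy, reporting the HTTP status and any X-Squid-Error header. It assumes Windows PowerShell 5.1 on Windows (the extension formatting relies on CryptFormatObject) and that either direct TCP/443 to the endpoint is allowed or a saved .cer file is supplied; $HostName and $CertPath are the example's own parameters.

```powershell
# Added example, not from the original post.
param(
    [string]$HostName = 'servicebus.windows.net',   # endpoint named in the error above
    [string]$CertPath                               # optional: path to a saved .cer instead
)

function Get-ServerCertificate {
    param([string]$Name)
    # Accept any certificate during the handshake; trust and revocation are evaluated below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Name)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Get-CrlUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 = CRL Distribution Points; Format($true) renders lines such as "URL=http://..."
    foreach ($ext in ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })) {
        [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
}

function Test-CrlUrl {
    param([string]$Url)
    # HttpWebRequest honours the system proxy, the same path the w3wp.exe worker used.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'GET'; $req.Timeout = 15000
    try {
        $resp = $req.GetResponse()
        [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode; Bytes = $resp.ContentLength; ProxyError = $null }
        $resp.Close()
    } catch [System.Net.WebException] {
        # A 403 from Squid arrives here, with the reason in the X-Squid-Error header.
        $resp = $_.Exception.Response
        [pscustomobject]@{
            Url        = $Url
            Status     = if ($resp) { [int]$resp.StatusCode } else { $_.Exception.Status }
            Bytes      = 0
            ProxyError = if ($resp) { $resp.Headers['X-Squid-Error'] } else { $_.Exception.Message }
        }
    }
}

$leaf = if ($CertPath) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
} else {
    Get-ServerCertificate $HostName
}

# Build the chain the way the client did: revocation checked online for leaf and intermediates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$built = $chain.Build($leaf)

"Chain for $($leaf.Subject): built=$built"
foreach ($st in $chain.ChainStatus) { "  {0}: {1}" -f $st.Status, $st.StatusInformation.Trim() }

# Probe every CRL distribution point in the chain through the proxy.
$chain.ChainElements | ForEach-Object { Get-CrlUrl $_.Certificate } | Sort-Object -Unique |
    ForEach-Object { Test-CrlUrl $_ } | Format-Table -AutoSize
```

When the chain reports RevocationStatusUnknown or OfflineRevocation and the table shows a 403 with an X-Squid-Error value for one of the URLs, the proxy allow-list is the place to fix it; once the URL is permitted, re-running the script should show a 200 with a non-zero byte count for that CRL.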


The issue was resolved by allowing the CRL URL through the proxy server. With Microsoft.ServiceBus.dll version 1.7 you can instead turn off certificate revocation checking with the following configuration setting; note that NoCheck skips revocation checking for the Service Bus certificate chain entirely, so it is a workaround rather than a fix for the proxy:

<configuration>
  <appSettings>
    <add key="Microsoft.ServiceBus.X509RevocationMode" value="NoCheck"/>
  </appSettings>
</configuration>

Microsoft.ServiceBus.dll 1.8 and newer do not check for certificate revocation.