RabbitMQ / .NET integration - "The remote certificate is invalid according to the validation procedure", but the cert is valid


Garrett Olson

Sep 12, 2022, 12:33:33 PM
to rabbitmq-users
I have a RabbitMQ integration built in a .NET Standard library, which is being used by a few .NET Framework 4.7.2 apps. It's configured to connect to the RabbitMQ broker securely over port 5671 with a self-signed cert that has been installed in the Trusted Root Certificate Authorities of my local machine and our app development/testing server.

Both the development server and the RabbitMQ broker are running on AWS EC2 instances within our "local" network.

When I run these apps in debug on my local machine (connected to the "local" network through a VPN), the secure connection to the RabbitMQ broker is initialized correctly, and everything works as expected.

When I try to run the apps on the development server, however, the connection fails with the following exception:

```
AuthenticationException: The remote certificate is invalid according to the validation procedure.
   System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult) +8343681
   System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result) +76
   System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization) +83
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   RabbitMQ.Client.Impl.<>c__DisplayClass2_0.<TcpUpgrade>b__0(SslOption opts) +82
   RabbitMQ.Client.Impl.SslHelper.TcpUpgrade(Stream tcpStream, SslOption options) +512
   RabbitMQ.Client.Impl.SocketFrameHandler..ctor(AmqpTcpEndpoint endpoint, Func`2 socketFactory, TimeSpan connectionTimeout, TimeSpan readTimeout, TimeSpan writeTimeout) +830
   RabbitMQ.Client.ConnectionFactory.CreateFrameHandler(AmqpTcpEndpoint endpoint) +122
   RabbitMQ.Client.EndpointResolverExtensions.SelectOne(IEndpointResolver resolver, Func`2 selector) +191
```

What's even more weird is that, when I navigate to the secure RabbitMQ Management UI (port 15671) through a browser on the development server, the browser correctly recognizes the certificate as valid.

Thinking this may be a firewall/port issue, I made sure that the development server firewall was set to allow outbound TCP traffic to port 5671, but this also hasn't fixed the issue.

What am I missing? Is there some extra IIS configuration needed for this that I don't know about?

Thanks!

Luke Bakken

Sep 13, 2022, 8:34:41 AM
to rabbitmq-users
Hello,

Our TLS guide has some openssl commands you can run to test out your TLS connections and certs - https://www.rabbitmq.com/troubleshooting-ssl.html

You mention "IIS configuration" so I'm assuming that your application is running using IIS. My guess is that when you run your application locally, in debug mode, the user that the IIS process is running as has access to the CA certificate you've installed to Trusted Root. On your app development server, this may not be the case.

I would start by double-checking the user that IIS is running as and that the CA cert you're using is truly in the system-wide Trusted Root store on your app development server.

A definitive check would be to develop a PowerShell script to export the CA cert (https://docs.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps) and then run a scheduled task to run the script as the IIS user.

Another guess is that the hostname you're using to connect to RabbitMQ in your app dev environment isn't exactly the same hostname in the server certificate's CN= field. This would cause a validation error as well.

Let us know how it goes.

Thanks,
Luke
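A diagnostic script covering both of Luke's guesses (CA cert visible to the running identity, and hostname matching the server certificate). This is an added example, not part of the thread or of the RabbitMQ client; the broker hostname and CA thumbprint are placeholders, and it is meant to be run once as the admin user and once as the IIS app pool identity (for instance through a scheduled task) so the two outputs can be compared.

```powershell
# Constructed diagnostic, not part of the RabbitMQ client or the original thread.
param(
    [string]$BrokerHost   = "rabbitmq.example.internal",  # placeholder: hostname the app connects to
    [int]$Port            = 5671,
    [string]$CaThumbprint = "0000000000000000000000000000000000000000"  # placeholder: CA cert thumbprint
)

# Under a scheduled task this should print the app pool identity, not the admin who installed the cert.
Write-Host "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# Is the CA cert in the machine-wide Trusted Root store, or only in the current user's store?
foreach ($store in "Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root") {
    $hit = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $CaThumbprint }
    Write-Host ("{0,-25} {1}" -f $store, $(if ($hit) { "present" } else { "MISSING" }))
}

# Repeat the handshake the .NET client performs, but report why validation fails.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $sslErrors)
    $c2  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
    $san = $c2.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # Subject Alternative Name
    Write-Host "Server cert subject: $($c2.Subject)"
    Write-Host "Server cert SAN:     $(if ($san) { $san.Format($false) } else { '(none)' })"
    Write-Host "Policy errors:       $sslErrors"   # e.g. RemoteCertificateChainErrors or RemoteCertificateNameMismatch
    foreach ($s in $chain.ChainStatus) {
        Write-Host "  chain: $($s.Status) - $($s.StatusInformation.Trim())"   # e.g. UntrustedRoot
    }
    # Same decision the client makes by default: only a clean validation passes.
    return ($sslErrors -eq [System.Net.Security.SslPolicyErrors]::None)
}

$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $BrokerHost, $Port
try {
    $net = $tcp.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $net, $false, $callback
    $ssl.AuthenticateAsClient($BrokerHost)   # the target host must match CN/SAN, exactly as in the app
    Write-Host "TLS handshake OK ($($ssl.SslProtocol))"
} catch {
    Write-Host "TLS handshake FAILED: $($_.Exception.GetBaseException().Message)"
} finally {
    $tcp.Close()
}
```

If the CA shows as present for the admin user but MISSING under `Cert:\LocalMachine\Root` when run as the app pool identity, the chain status will report UntrustedRoot and the fix is to install the CA cert in the machine store; a NameMismatch policy error instead points at the hostname used for the connection.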

Garrett Olson

Sep 14, 2022, 9:52:19 AM
to rabbitmq-users
Hi Luke,

Your first suggestion turned out to be bang on. I had installed the cert in the Trusted Root of the server admin user, which was not the same as the application's app pool user. Once I installed the cert in the machine's system-wide Trusted Root, the connection worked as expected.

Thank you!

Garrett

Luke Bakken

Sep 14, 2022, 10:30:55 AM
to rabbitmq-users
Thanks for letting us know, Garrett!