Azure Hosted Service Bus: "The X.509 certificate CN=servicebus.windows.net is not in the trusted people store."


Question

Using Azure SDK 2.3 on my VS2013 development VM I can consume Service Bus queues hosted in Azure painlessly. However, on Windows Server 2008 R2 Standard SP1, it looks like Windows cannot trust the involved certificates and an exception is thrown.

The line that throws:

// Send the message
await queueclient.SendAsync(message);

Exception message:

The X.509 certificate CN=servicebus.windows.net is not in the trusted people store. The X.509 certificate CN=servicebus.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.

The CAPI2 logs (attached below) pointed to a trust issue, so I compared the certificates installed on both machines. The following certificates are absent on the server:

Intermediate Certification Authorities > Microsoft Internet Authority (issued by Baltimore CyberTrust Root)

Intermediate Certification Authorities > MSIT Machine Auth CA 2 (issued by Microsoft Internet Authority)

Questions:

  1. Where do the certificates come from?
  2. Why are they not on the server?
  3. How do I fix this?

Possible paths (update):

  1. Install Azure SDK 2.3 for Visual Studio 2013 on the server
  2. Install all Windows updates on the server

I have tried:

<appSettings>
  <add key="Microsoft.ServiceBus.X509RevocationMode" value="NoCheck"/>
</appSettings>


CAPI2 Verify Chain Policy event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>30</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>30</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000001</Keywords>
    <TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" />
    <EventRecordID>5642</EventRecordID>
    <Correlation />
    <Execution ProcessID="5280" ThreadID="8472" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>ne-r026-310cn</Computer>
    <Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" />
  </System>
  <UserData>
    <CertVerifyCertificateChainPolicy>
      <Policy type="CERT_CHAIN_POLICY_BASE" constant="1" />
      <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" />
      <CertificateChain chainRef="{19B5F58A-FA37-4213-A888-C81C340D019C}" />
      <Flags value="1000" CERT_CHAIN_POLICY_IGNORE_PEER_TRUST_FLAG="true" />
      <Status chainIndex="0" elementIndex="-1" />
      <EventAuxInfo ProcessName="w3wp.exe" />
      <CorrelationAuxInfo TaskId="{F8DE43DD-9E68-461E-8A2B-17215BA87E0C}" SeqNumber="1" />
      <Result value="800B010A">A certificate chain could not be built to a trusted root authority.</Result>
    </CertVerifyCertificateChainPolicy>
  </UserData>
</Event>

CAPI2 Build Chain event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>11</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>11</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000003</Keywords>
    <TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" />
    <EventRecordID>5641</EventRecordID>
    <Correlation />
    <Execution ProcessID="5280" ThreadID="8472" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>ne-r026-310cn</Computer>
    <Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" />
  </System>
  <UserData>
    <CertGetCertificateChain>
      <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" />
      <ValidationTime>2014-06-11T19:57:38.998Z</ValidationTime>
      <AdditionalStore />
      <ExtendedKeyUsage />
      <Flags value="0" />
      <ChainEngineInfo context="machine" />
      <AdditionalInfo>
        <NetworkConnectivityStatus value="1" _SENSAPI_NETWORK_ALIVE_LAN="true" />
      </AdditionalInfo>
      <CertificateChain chainRef="{19B5F58A-FA37-4213-A888-C81C340D019C}">
        <TrustStatus>
          <ErrorStatus value="10000" CERT_TRUST_IS_PARTIAL_CHAIN="true" />
          <InfoStatus value="0" />
        </TrustStatus>
        <ChainElement>
          <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" />
          <SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
          <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
          <TrustStatus>
            <ErrorStatus value="0" />
            <InfoStatus value="2" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" />
          </TrustStatus>
          <ApplicationUsage>
            <Usage oid="1.3.6.1.5.5.7.3.2" name="Client Authentication" />
            <Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />
          </ApplicationUsage>
          <IssuanceUsage />
        </ChainElement>
      </CertificateChain>
      <EventAuxInfo ProcessName="w3wp.exe" />
      <CorrelationAuxInfo TaskId="{9077AB4E-95E3-449B-AF2F-0BF42E92E6B7}" SeqNumber="11" />
      <Result value="800B010A">A certificate chain could not be built to a trusted root authority.</Result>
    </CertGetCertificateChain>
  </UserData>
</Event>

CAPI2 X509 Objects event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>90</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>90</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000200</Keywords>
    <TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" />
    <EventRecordID>5640</EventRecordID>
    <Correlation />
    <Execution ProcessID="5280" ThreadID="8472" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>ne-r026-310cn</Computer>
    <Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" />
  </System>
  <UserData>
    <X509Objects>
      <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net">
        <Subject>
          <CN>servicebus.windows.net</CN>
        </Subject>
        <SubjectKeyID computed="false" hash="BD41618C22D8DBEE9D172C12A2C549D61711ED75" />
        <SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
        <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
        <Issuer>
          <CN>MSIT Machine Auth CA 2</CN>
          <DC>redmond</DC>
          <DC>corp</DC>
          <DC>microsoft</DC>
          <DC>com</DC>
        </Issuer>
        <SerialNumber>70DB015B000100008C58</SerialNumber>
        <NotBefore>2013-07-27T03:31:06Z</NotBefore>
        <NotAfter>2015-07-27T03:31:06Z</NotAfter>
        <Extensions>
          <KeyUsage value="B0" CERT_DIGITAL_SIGNATURE_KEY_USAGE="true" CERT_KEY_ENCIPHERMENT_KEY_USAGE="true" CERT_DATA_ENCIPHERMENT_KEY_USAGE="true" />
          <ExtendedKeyUsage>
            <Usage oid="1.3.6.1.5.5.7.3.2" name="Client Authentication" />
            <Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />
          </ExtendedKeyUsage>
          <SubjectAltName>
            <DNSName>*.servicebus.windows.net</DNSName>
            <DNSName>servicebus.windows.net</DNSName>
          </SubjectAltName>
          <AuthorityKeyIdentifier>
            <KeyID hash="EBDB115EF8099ED8D6629CFD629DE3844A28E127" />
          </AuthorityKeyIdentifier>
        </Extensions>
      </Certificate>
      <EventAuxInfo ProcessName="w3wp.exe" />
      <CorrelationAuxInfo TaskId="{9077AB4E-95E3-449B-AF2F-0BF42E92E6B7}" SeqNumber="10" />
    </X509Objects>
  </UserData>
</Event>
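The Build Chain event above records CERT_TRUST_IS_PARTIAL_CHAIN with result 0x800B010A: CAPI2 ran in the machine chain engine (ChainEngineInfo context="machine", process w3wp.exe) and could not locate the issuer of the leaf. The same check can be reproduced outside IIS with a small C# console diagnostic. This is an added example, not code from the question or the answer; it assumes the leaf certificate has been exported to a .cer file (the fileRef of the events), builds the chain in the LocalMachine context as IIS did, and, when the chain is partial, searches the machine Intermediate and Root stores for the issuer by the leaf's Authority Key Identifier so the missing intermediate is named rather than guessed.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (not the poster's code): rebuild the certificate chain the way
// CAPI2 did in the logged event and report which issuer certificate is missing.
class ChainDiagnostics
{
    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: ChainDiagnostics <leaf-certificate.cer>");
            return 2;
        }

        // Assumption: args[0] is the exported leaf (CN=servicebus.windows.net in the events).
        var leaf = new X509Certificate2(args[0]);
        Console.WriteLine("Leaf:    {0}", leaf.Subject);
        Console.WriteLine("Issuer:  {0}", leaf.Issuer);

        // useMachineContext=true matches ChainEngineInfo context="machine" in the event;
        // an ApplicationPoolIdentity does not get a useful CurrentUser store.
        var chain = new X509Chain(useMachineContext: true);
        // Revocation is skipped here only so that a chain-building failure is not masked
        // by an unreachable CRL; it mirrors the appSettings switch tried in the question
        // and is for diagnosis, not for production configuration.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(leaf);
        Console.WriteLine("Build:   {0}", ok ? "OK" : "FAILED");
        foreach (var status in chain.ChainStatus)
            Console.WriteLine("  status: {0} ({1})", status.Status, status.StatusInformation.Trim());

        Console.WriteLine("Chain elements:");
        foreach (var el in chain.ChainElements)
            Console.WriteLine("  {0}  thumbprint={1}", el.Certificate.Subject, el.Certificate.Thumbprint);

        // PartialChain is the managed equivalent of CERT_TRUST_IS_PARTIAL_CHAIN: the issuer
        // was not found. Look for it in the machine CA (intermediate) and Root stores.
        if (chain.ChainStatus.Any(s => s.Status == X509ChainStatusFlags.PartialChain))
        {
            string aki = AuthorityKeyIdentifier(leaf);
            Console.WriteLine("Leaf AKI: {0}", aki ?? "(none)");
            foreach (var storeName in new[] { StoreName.CertificateAuthority, StoreName.Root })
            {
                using (var store = new X509Store(storeName, StoreLocation.LocalMachine))
                {
                    store.Open(OpenFlags.ReadOnly);
                    var hits = store.Certificates.Cast<X509Certificate2>()
                        .Where(c => (aki != null && SubjectKeyIdentifier(c) == aki) || c.Subject == leaf.Issuer)
                        .ToList();
                    Console.WriteLine("LocalMachine\\{0}: {1} matching issuer certificate(s)", storeName, hits.Count);
                    foreach (var c in hits)
                        Console.WriteLine("  {0}  thumbprint={1}", c.Subject, c.Thumbprint);
                }
            }
        }
        return ok ? 0 : 1;
    }

    // Key identifier from the Authority Key Identifier extension (OID 2.5.29.35) as
    // upper-case hex, or null if absent. The extension is SEQUENCE { [0] IMPLICIT
    // OCTET STRING keyIdentifier, ... }; a 20-byte SHA-1 id keeps all lengths single-byte.
    static string AuthorityKeyIdentifier(X509Certificate2 cert)
    {
        var ext = cert.Extensions["2.5.29.35"];
        if (ext == null) return null;
        byte[] raw = ext.RawData;
        if (raw.Length < 4 || raw[0] != 0x30 || raw[2] != 0x80) return null;
        int len = raw[3];
        if (raw.Length < 4 + len) return null;
        return BitConverter.ToString(raw, 4, len).Replace("-", "");
    }

    // Subject Key Identifier (OID 2.5.29.14) of a candidate issuer, already hex-encoded by .NET.
    static string SubjectKeyIdentifier(X509Certificate2 cert)
    {
        var ski = cert.Extensions["2.5.29.14"] as X509SubjectKeyIdentifierExtension;
        return ski == null ? null : ski.SubjectKeyIdentifier;
    }
}
```

Run it once under the same identity as the failing application pool and once as an administrator: if the first run reports PartialChain with zero matches in LocalMachine\CertificateAuthority while the second succeeds, the difference is in which intermediates the two identities can see or fetch, which is exactly the comparison the question makes between the development VM and the server.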

Recommended answer

The missing certificates were responsible for the exception.

I haven't been able to find the certificates online and I'm still unsure of how EXACTLY they managed to install themselves, BUT I think I have an idea.

How did we manage to obtain the certificates? We isolated the Service Bus messaging code into a console application and executed it with admin rights on the production server. The certificates installed themselves automatically in the process.

Perhaps our application pool, running under ApplicationPoolIdentity with limited permissions, was not allowing Windows to download or install the certificates.

This link seems to provide relevant information: http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/

Update: You can download the certificate chain here.
