Microsoft recently announced the beta of Service Bus 1.0 for Windows Server. This is the on-premise version of the Azure Service Bus that so many have been asking for. There is a good walkthrough of the new beta in the MSDN documentation here including how to install it.
So why this blog post? Well if you install the beta on a Windows Server 2008 R2 box and you actually develop on another machine then there’s a couple of things not mentioned in the documentation that you need to do (having previously spent long hour glaring at certificate errors allowed me to resolve things pretty quickly)
First a little background into why there is an issue. Certificate validation has a number of steps to it for a certificate to be considered valid:
- The issuer of the cert must be trusted. In fact the issuer of the issuer must also be trusted. In fact the issuer of the issuer of the issuer must be trusted. In fact … well you get the picture. In other words, when a certificate is validated all certificates in the chain of issuers must be trusted back to a trusted root CA (normally bodies like Verisign or your corporate certificate server). You will find these in your certificate store in the “Trusted Root Certificate Authorities” section. This mechanism is known as chain trust.
- The certificate must be in date (between the valid from and valid to dates)
- The usage of the certificate must be correct for the supported purposes of the cert (server authentication, client authentication, code signing, etc)
- For a server authentication cert (often known as an SSL cert) the subject of the cert must be the same as the server DNS name
- The certificate must not be revoked (if a cert is compromised the issuer can revoke the cert and publishes this in a revocation list) according to the issuers revocation list
For 1. there is an alternative called Peer Trust where the presented certificate must be in the clients Trusted People section of their certificate store
There may be other forms of validation but these are the ones that typically fail
So the issue is that the installer of Service Bus (SB), if you just run through the default install, generates a Certificate Authority cert and puts it into the target machine’s Trusted CA store – it obviously doesn’t put it in the client’s Trusted CA store because it knows nothing about that. It also generates a server authentication cert with the machine name you are installing on. This causes two issues: no cert issued by the CA will be trusted and so an SSL failure will happen the first time you try to talk to SB, the generated SSL cert will have problems generally validating due to, for example, no revocation list
The first of these issues can be fixed by exporting the generated CA cert and importing it into the Trusted CA Store ion the dev machine
The second can be fixed by exporting the SSL cert and importing it into the trusted people store on the dev machine
With these in place the Getting Started / Brokered Messaging / QueuesOnPrem sample should work fine