garrett

Reputation: 31

RabbitMQ / .NET integration - "The remote certificate is invalid according to the validation procedure", but the cert is valid

I have a RabbitMQ integration built in a .NET Standard library, which is being used by a few .NET Framework 4.7.2 apps. It's configured to connect to the RabbitMQ broker securely over port 5671 with a self-signed cert that has been installed in the Trusted Root Certificate Authorities of my local machine and our app development/testing server.

Both the development server and the RabbitMQ broker are running on AWS EC2 instances within our "local" network.

When I run these apps in debug on my local machine (connected to the "local" network through a VPN), the secure connection to the RabbitMQ broker is initialized correctly, and everything works as expected.

When I try to run the apps on the development server, however, the connection fails with the following exception:

AuthenticationException: The remote certificate is invalid according to the validation procedure.
   System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult) +8343681
   System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result) +76
   System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization) +83
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   RabbitMQ.Client.Impl.<>c__DisplayClass2_0.<TcpUpgrade>b__0(SslOption opts) +82
   RabbitMQ.Client.Impl.SslHelper.TcpUpgrade(Stream tcpStream, SslOption options) +512
   RabbitMQ.Client.Impl.SocketFrameHandler..ctor(AmqpTcpEndpoint endpoint, Func`2 socketFactory, TimeSpan connectionTimeout, TimeSpan readTimeout, TimeSpan writeTimeout) +830
   RabbitMQ.Client.ConnectionFactory.CreateFrameHandler(AmqpTcpEndpoint endpoint) +122
   RabbitMQ.Client.EndpointResolverExtensions.SelectOne(IEndpointResolver resolver, Func`2 selector) +191

What's even more weird is that, when I navigate to the secure RabbitMQ Management UI (port 15671) through a browser on the development server, the browser correctly recognizes the certificate as valid.

Thinking this may be a firewall/port issue, I made sure that the development server firewall was set to allow outbound TCP traffic to port 5671, but this also hasn't fixed the issue.

What am I missing? Is there some extra IIS configuration needed for this that I don't know about?

Thanks!

Upvotes: 1

Views: 680

Answers (1)

garrett

Reputation: 31

The answer turned out to be rather simple. I had mistakenly installed the cert in the development server's admin user Trusted Root Authorities, rather than the machine's Trusted Root Authorities. Since the application was set up to run with a different user, that user didn't have access to the installed cert. Once I had installed it in the machine's Trusted Root Authorities, the connection worked as expected.

Props to Luke Bakken from the RabbitMQ team for the answer: https://groups.google.com/g/rabbitmq-users/c/tJHnDEnCZxM

Upvotes: 1
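The root cause above is a store-location mistake: a certificate imported into an administrator's CurrentUser\Root store is invisible to the account the application actually runs under (a service account or an IIS application pool identity), so the .NET chain build fails even though a browser running as the administrator trusts it. The following PowerShell diagnostic, added here as an example and not part of the original question or answer, checks both store locations for the CA certificate and then reproduces the client-side TLS handshake against the broker while capturing the chain errors that the RabbitMQ client would otherwise surface only as "The remote certificate is invalid according to the validation procedure". Run it as the same identity the application uses. The broker host name and the thumbprint are placeholders you must replace.

```powershell
# Added diagnostic script (not from the original post). All values below are
# placeholders / assumptions: replace $BrokerHost and $Thumbprint with your own.
param(
    [string]$BrokerHost = 'rabbitmq.example.internal',        # placeholder host
    [int]$Port          = 5671,                               # AMQPS port from the question
    [string]$Thumbprint = 'REPLACE_WITH_CA_CERT_THUMBPRINT'   # placeholder thumbprint
)

# Whose view of the certificate stores are we inspecting? This must be the
# account the app runs under, not the administrator who did the install.
"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# 1. Locate the CA certificate. CurrentUser\Root is private to the current
#    account; LocalMachine\Root is shared by every account on the host.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    $hit = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($hit) { "{0}: present ({1})" -f $store, $hit.Subject }
    else      { "{0}: NOT present"   -f $store }
}

# 2. Perform the same handshake the RabbitMQ client does, but with a validation
#    callback that records why the chain was rejected instead of throwing.
$result = [pscustomobject]@{ Subject = $null; PolicyErrors = $null; ChainStatus = @() }

$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $result.Subject      = $certificate.Subject
    $result.PolicyErrors = $sslPolicyErrors
    $result.ChainStatus  = @($chain.ChainStatus | ForEach-Object {
        "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim()
    })
    # Diagnostic only: accept so the handshake completes and we can report the
    # errors. An application must never unconditionally return $true here.
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($BrokerHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($BrokerHost)   # host name must match the cert's SAN/CN
    "Negotiated: {0} / {1}" -f $ssl.SslProtocol, $ssl.CipherAlgorithm
}
finally {
    $client.Close()
}

"Remote certificate : $($result.Subject)"
"Policy errors      : $($result.PolicyErrors)"   # None, RemoteCertificateChainErrors, RemoteCertificateNameMismatch, ...
if ($result.ChainStatus.Count -gt 0) {
    "Chain status:"
    $result.ChainStatus | ForEach-Object { "  $_" }
}
```

Interpreting the output: `UntrustedRoot` in the chain status together with "NOT present" for `Cert:\LocalMachine\Root` is exactly the situation in the answer, and the fix is to import the CA certificate into the machine store rather than into a user's store. `RemoteCertificateNameMismatch` means the name you connect with does not match the certificate, which is a different problem from trust and is not solved by moving the certificate. Inside the application itself the RabbitMQ .NET client exposes the same hook as `SslOption.CertificateValidationCallback`, which is the right place to log chain errors during troubleshooting; it should not be used to disable validation in production.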
