MSMQ messages using HTTP just won't get delivered #12

Here's a solution discovered by my colleague Andreas Naranjo which is worth adding to my long-running "MSMQ messages using HTTP just won't get delivered" series.

When trying to send an MSMQ HTTPS message from a Windows Server 2003 machine to another, the messages are stuck in the sender's Outgoing queue and the queue status says "Waiting to Connect." HTTP messages go through just fine but HTTPS messages are stuck.

The cause can be that the Root Certificate Authority (CA) is not installed and trusted on the sending machine. For example, the server certificate on the receiver was issued by an internal certificate server, not a known third-party certification authority, so the sending machine does not trust the receiving server's certificate.

To correct this problem, first install the Root CA on the receiving server:

Add CA to the Trusted Root Certification Authorities

  1. Go to https://CertServer/certsrv.
  2. Select the Download a CA certificate, Certificate chain, or CRL link.
  3. In the Download a CA certificate, Certificate chain, or CRL dialog box, select Install this CA certificate chain.
    The CA certificate chain has now been successfully installed for the logged-on user.
  4. Start MMC, and then add the Certificates snap-in for My user account and Computer Account (Local Computer).
  5. Expand Console Root\Certificates - (Local Computer)\Trusted Root Certification Authorities\Certificates.
  6. Expand Console Root\Certificates - Current User\Trusted Root Certification Authorities\Certificates.
  7. Drag CertServer CA from Current User to (Local Computer).
    The CertServer CA Authority is now trusted for all logged-on users.

Then export this root CA from the receiving machine:

Export the trusted CA to Sender

  1. Start MMC.
  2. On the File menu, select Add/Remove Snap-in.
  3. In Add/Remove Snap-in dialog box, select Add.
  4. In the Available Standalone Snap-ins dialog box, highlight Certificates.
  5. Click Add.
  6. Select Computer account.
  7. In the Select Computer dialog box, select Local computer: (The computer this console is running on).
  8. Click Finish.
  9. Close the Add Standalone Snap-in dialog box.
  10. In the Add/Remove Snap-in dialog box, click OK.
  11. Expand Console Root\Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.
  12. Select the CA authority that you would like to export.
  13. Right-click, and then select All Tasks, Export.
  14. In the Certificate Export wizard, select DER encoded binary X.509 (.CER) format.
  15. Specify the file name and location. 

Finally, you need to import the Root CA from the receiver to the Sender:

Import certificates on Sender 

  1. Copy the x.509 certificate to Sender.
  2. Start MMC.
  3. On the File menu, select Add/Remove Snap-in.
  4. In the Add/Remove Snap-in dialog box, select Add.
  5. In the Available Standalone Snap-ins dialog box, highlight Certificates.
  6. Click Add.
  7. Select Computer account.
  8. In the Select Computer dialog box, select Local computer: (The computer this console is running on).
  9. Click Finish.
  10. Close the Add Standalone Snap-in dialog box.
  11. In the Add/Remove Snap-in dialog box, click OK.
  12. Expand Console Root\Certificates - (Local Computer)\Trusted Root Certification Authorities\Certificates.
  13. Right-click Certificates, and then select All Tasks, Import.
  14. In the Import Certificate wizard:
    1. Specify the certificate file.
    2. Select Place all certificates in the following store: Trusted Root Certification Authorities.
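
The import on the Sender can also be scripted and then checked against the receiver's HTTPS endpoint. The following PowerShell is an added example, not part of the original post; the file path, the receiver host name and port 443 are assumptions to replace with your own values, and it must be run as an administrator on the Sender.

```powershell
# Assumed values (not from the original post): adjust before running.
$CerPath  = 'C:\Temp\CertServerCA.cer'    # hypothetical path of the exported root CA (.CER)
$Receiver = 'receiver.example.internal'   # hypothetical receiver host name
$Port     = 443                           # assumed HTTPS port

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# A root CA is self-signed: refuse anything else before trusting it machine-wide.
if ($ca.Subject -ne $ca.Issuer) { throw "Not a self-signed root: $($ca.Subject)" }
"Root CA thumbprint (compare with the value shown on the receiver): $($ca.Thumbprint)"

# Add to (Local Computer)\Trusted Root Certification Authorities if it is not there yet.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try {
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    if (-not $present) { $store.Add($ca) }
} finally { $store.Close() }

# Record the validation result; the handshake is accepted only when there are no errors.
$script:sslErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $errors)
    $script:sslErrors = $errors
    $errors -eq [System.Net.Security.SslPolicyErrors]::None
}

# Connect to the receiver the way an HTTPS client would and report the outcome.
$tcp = New-Object System.Net.Sockets.TcpClient $Receiver, $Port
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Receiver)
    "Receiver certificate is trusted: $($ssl.RemoteCertificate.Subject)"
} catch {
    "TLS validation failed on this machine: $($script:sslErrors)"
} finally { $tcp.Close() }
```

A result of `RemoteCertificateChainErrors` means the root is still not trusted by the Sender; `RemoteCertificateNameMismatch` means the chain is trusted but the host name used does not match the receiver's certificate.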

This procedure is also described in the Microsoft MSMQ HTTP Messaging white paper:

Microsoft Message Queuing (MSMQ) HTTP Deployment Scenarios for Windows Server 2003 and Windows XP Professional