Having spent the past 2 days trying and failing to get MassTransit connected to a TLS-enabled instance of RabbitMQ, I thought I’d share what I did to finally connect successfully today.
I had already generated and installed server and client certificates using OpenSSL. I also changed the RabbitMQ configuration to only allow TLS connections. I successfully tested and connected to RabbitMQ using OpenSSL s_client, so I knew RabbitMQ was working as expected. My issue was that I couldn't get my .NET application to connect. I searched everywhere, and the answers were not consistent. I could find nothing in the MassTransit documentation other than the basic, unsecured connection to port 5672.
I won't be going through the process of setting up RabbitMQ to use TLS since there's plenty of documentation available on the internet. Having said that, there is one step those guides leave out: you must enable the RabbitMQ plugin rabbitmq_auth_mechanism_ssl. Then perform a stop, remove, install, and start of RabbitMQ.
Now, I will show the code I used to get MassTransit to connect and hopefully save you time.
Let’s get started!
In whatever class you're connecting to MassTransit, it might be Program.cs (.NET 6) or Startup.cs (.NET 5 or earlier), set up the SecurityProtocol:
// using System.Net;
// TLS 1.2 is what the host configuration negotiates; TLS 1.1 and 1.0 are deprecated,
// so drop them from this list once the broker is confirmed to accept TLS 1.2.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
Inside the AddMassTransit method, during host configuration, be sure to add UseSsl (be sure to change the ServerName to match the CN on your client certificate). Note that the host URI must point at the broker's TLS listener (port 5671 by default), not the plain port 5672:
// using System.Net.Security;
// using System.Security.Authentication;
// using System.Security.Cryptography.X509Certificates;
// using MassTransit;
builder.Services.AddMassTransit(x =>
{
    x.AddBus(provider => Bus.Factory.CreateUsingRabbitMq(cfg =>
    {
        // RabbitMqRootUri must use the broker's TLS port (5671 by default), not 5672.
        cfg.Host(new Uri(RabbitMqConfig.RabbitMqRootUri), h =>
        {
            h.Username(RabbitMqConfig.UserName);
            h.Password(RabbitMqConfig.Password);
            h.UseSsl(s =>
            {
                s.Protocol = SslProtocols.Tls12;
                // Host name the TLS layer checks against the certificate the broker presents.
                s.ServerName = "$sysdev-rabbitmq";
                // Tolerates an untrusted or incomplete chain (e.g. a private CA this machine does not trust);
                // name mismatches are still rejected. Importing the CA into the trust store lets you remove this line.
                s.AllowPolicyErrors(SslPolicyErrors.RemoteCertificateChainErrors);
                s.Certificate = GetCertificate();
            });
        });
    }));
});
Add a static method GetCertificate that retrieves the installed client certificate, changing the thumbprint to match the thumbprint of your client certificate:
static X509Certificate2 GetCertificate()
{
    // The client certificate lives in the LocalMachine Root store here; it must have been
    // imported together with its private key (from the .pfx) or the TLS handshake cannot use it.
    X509Certificate2 cer = new X509Certificate2();
    X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    // validOnly: false also returns expired certificates, so check the expiry date if the handshake fails.
    X509Certificate2Collection cers = store.Certificates.Find(X509FindType.FindByThumbprint, "95cb9e1a9064794c1614f394e2cd8d048f1b8fe6", false);
    if (cers.Count > 0)
    {
        cer = cers[0];
    }
    store.Close();
    // Returns an empty X509Certificate2 when nothing matched; the connection then fails later with a less obvious error.
    return cer;
}
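As an added example (this is not code from the original post), here is a stricter variant of the two pieces above: a client-certificate loader that refuses expired certificates and certificates without a private key, and a validation callback that tolerates only an untrusted chain ending at your own CA instead of accepting every chain error. The store, the two thumbprint constants and the class name RabbitMqTls are placeholders or assumptions you must replace with your own values; wiring the callback into MassTransit assumes the SSL configurator exposes a CertificateValidationCallback property of type RemoteCertificateValidationCallback (RabbitMQ.Client's SslOption has one by that name; check your MassTransit version).

```csharp
// Added example, not from the original post. Placeholder thumbprints below must be replaced.
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class RabbitMqTls
{
    // Placeholder: SHA-1 thumbprint of the private CA that signed the broker's certificate.
    const string TrustedCaThumbprint = "REPLACE-WITH-CA-THUMBPRINT";
    // Placeholder: thumbprint of the client certificate (imported from the .pfx with its private key).
    const string ClientCertThumbprint = "REPLACE-WITH-CLIENT-THUMBPRINT";

    // Loads the client certificate from the Personal (My) store, only if it is currently valid,
    // and insists on a private key so the TLS handshake can actually authenticate with it.
    public static X509Certificate2 GetClientCertificate()
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, ClientCertThumbprint, validOnly: true);
        if (matches.Count == 0)
            throw new InvalidOperationException(
                $"No valid certificate with thumbprint {ClientCertThumbprint} in LocalMachine\\My.");
        var cert = matches[0];
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Client certificate has no private key; import the .pfx, not just the .crt.");
        return cert;
    }

    // RemoteCertificateValidationCallback: accept the broker certificate when the built-in checks
    // pass, or when the only problem is an untrusted chain that nevertheless ends at our own CA.
    // Name mismatches, expiry, revocation and partial chains are all rejected.
    public static bool ValidateBrokerCertificate(
        object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // Anything other than a pure chain error (e.g. RemoteCertificateNameMismatch) is fatal.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || chain == null)
            return false;

        // The only chain status we tolerate is UntrustedRoot (private CA not in the machine store).
        foreach (var status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        }

        // Require the last element of the chain to be our CA, not an arbitrary untrusted root.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, TrustedCaThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}

// Usage inside h.UseSsl(s => { ... }), replacing AllowPolicyErrors (property name is an assumption):
//   s.Certificate = RabbitMqTls.GetClientCertificate();
//   s.CertificateValidationCallback = RabbitMqTls.ValidateBrokerCertificate;
```

The difference from AllowPolicyErrors(SslPolicyErrors.RemoteCertificateChainErrors) is that a chain error is only forgiven when the chain is otherwise clean and terminates at the CA you expect, so a broker presenting a certificate from some other issuer is still rejected. Once the CA is imported into the machine's trust store, the callback takes the errors == None path and the pinning branch never runs.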
I hope this helps save you time.