
I'm using an Azure Application Gateway v2 to route traffic to a backend pool containing VMs running a docker container that hosts an ASP.NET Core Web API. The application is listening on port 443. The gateway listener is configured to accept HTTPS connections. A pfx certificate has also been added. The HTTP setting of the gateway is configured as follows: [screenshot]

I've provided, hopefully, the correct root certificate for the setting. I've exported the certificate as described here: https://learn.microsoft.com/de-de/azure/application-gateway/certificates-for-backend-authentication

[screenshot]

All VMs from the backend pool use the same certificate as the gateway listener. [screenshot]

When calling the API from a C# application or opening a specific URL in a browser, the connection seems to be trusted.

[screenshot]

But I get an error when calling the API from Postman with SSL certificate verification enabled: "Error: unable to verify the first certificate".

A check on sslshopper.com also indicates an issue within the chain. [screenshot]

I got further information doing a check on digicert.com:

TLS Certificate is not trusted The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

I'm really stuck resolving this issue. All helpful hints are very welcome. The production environment, running on a Windows Server without the gateway but with the same certificates, is valid. So the issue must be somewhere in the gateway configuration.

2 Answers


The issue is resolved. The crucial clue came from a blog post: http://blog.repsaj.nl/index.php/2019/08/azure-application-gateway-certificate-gotchas/ (section "Gateway V2: the importance of the certificate chain").

I did a new export of the pfx certificate including the whole chain and uploaded it to the gateway.

  • How did you export to pfx? I generated the certificate at GoDaddy, got my private key, private key PEM and CRT, and used this command to export to pfx: openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx. I'm still getting the same issue. Dec 4, 2023 at 13:09
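The accepted answer and the comment above differ in exactly one openssl flag. As an added example (editor's code, not from the question, answers or comments), the script below builds a throwaway root -> intermediate -> leaf hierarchy with openssl, exports the leaf both ways, and checks each PFX the way a strict client does. Postman's "unable to verify the first certificate" is the Node.js wording for the same gap that openssl reports as "unable to get local issuer certificate": the server sent the leaf but not its issuer. Browsers and .NET clients on Windows fetch a missing intermediate from the AIA URL in the leaf, which is why those callers trusted the gateway while Postman and the online checkers did not. Every name, path and the export password "demo" here is made up for the demo.

```shell
#!/bin/sh
# Added example (editor's, not code from the question, answers or comments).
# Rebuilds the thread's situation offline with a throwaway CA hierarchy:
# "Demo Root CA" -> "Demo Intermediate CA" -> leaf for api.example.test.
# Every name, path and the export password "demo" is made up for the demo.
set -eu

WORK="$(mktemp -d)"
PASS="pass:demo"
trap 'rm -rf "$WORK"' EXIT

# Build the three-tier chain. Lifetimes and key sizes are demo values only.
make_demo_chain() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:api.example.test\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext -out root.crt
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout inter.key -out inter.csr
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -sha256 -extfile ca.ext -out inter.crt
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=api.example.test" \
    -keyout leaf.key -out leaf.csr
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -sha256 -extfile leaf.ext -out leaf.crt
) >/dev/null 2>&1

# The commenter's export: private key plus the leaf certificate, nothing else.
export_leaf_only() {
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -passout "$PASS" -out "$WORK/leaf-only.pfx"
}

# The fix from the accepted answer: the same export plus every intermediate.
# -certfile takes one PEM file; concatenate all intermediates into it.
export_full_chain() {
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -certfile "$WORK/inter.crt" -passout "$PASS" -out "$WORK/full-chain.pfx"
}

# How many certificates a PFX carries (leaf plus any chain certificates).
cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Model a strict client such as Postman: trust only the root and treat the
# PFX contents as exactly what the gateway would send in the handshake, with
# no AIA fetching of missing intermediates. Prints openssl's verdict and
# exits 0 only if the chain verifies.
chain_check() {
  openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$1.sent.pem"
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1.sent.pem" "$WORK/leaf.crt" 2>&1
}

make_demo_chain
export_leaf_only
export_full_chain
for pfx in leaf-only full-chain; do
  printf '%s: %s certificate(s); strict verify: %s\n' "$pfx.pfx" \
    "$(cert_count "$WORK/$pfx.pfx")" "$(chain_check "$WORK/$pfx.pfx" | tail -n 1)"
done
```

Against a real gateway, `openssl s_client -connect host:443 -servername host -showcerts </dev/null` prints what the listener actually sends; if only one certificate appears, re-export the PFX with `-certfile` pointing at a PEM that concatenates every intermediate and upload that to the listener. The trusted root in the backend HTTP setting is a separate thing: it governs what the gateway accepts from the VMs, not what the gateway presents to clients.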

If the cert is not trusted, then you need to check the Application Gateway listener. Make sure that you are not using a Basic listener.

If you are using a multi-site listener, make sure that the host name you have entered matches the certificate CN.

  • My information may have been misleading. It's always the same hostname and API running on the machines from the backend pool. Nevertheless, I updated to a multi-site listener and added the hostname there. It makes no difference whether the checkbox for "Use Well Known CA Certificate" is set or not (with an added root certificate). imgur.com/a/pPn5koT On the right side is the check of the Azure instance: "The higher-level certificate is unfortunately not known." – addy Oct 8, 2019 at 7:46
  • Can you share the screen shot of your HTTPS listener config? Oct 8, 2019 at 7:51
