Azure App Service SSL Certificate Not Trusted - azure

https://www.ssllabs.com/ssltest/analyze.html?d=recruit.equitysim.ai
Situation:
A client needs to access our site over a secure connection but is unable to do so because of a problem with our certificate.
We purchased a wildcard certificate and set it up as per the documentation. If you notice in the provided link, our certificate is trusted.
We are using the Azure App Service to host our website on a paid level that includes custom domain and SSL support.
Problem:
According to the test, it appears that Microsoft's SSL certificate is not trusted - alternative names mismatch (See Certificate #2). We believe this to be the reason why our client is unable to access our site.
Any thoughts on the matter? We know it isn't an SNI problem because we have another site that is hosted on a VM that also requires SNI support and they can visit that site just fine.

Related

Issue within certification chain using azure application gateway

I'm using an Azure Application Gateway v2 to route traffic to a backendpool containing VMs running some docker container hosting an aspnet core webapi. The application is listeing in port 443.
The gateway listener is configured to accept HTTPS connections. A pfx certificate has also been added.
The HTTP setting of the gateway is configured as follow:
I've provided, hopefully, the correct root certificate for the setting. I've exported the certifacte as described here:
https://learn.microsoft.com/de-de/azure/application-gateway/certificates-for-backend-authentication
All VMs from the backend pool use the same certificate as the gateway listener.
When calling the api using a C# application or open a specific url within a browser, the connections seems to be trusted.
But I get an error when calling the api using postman with endabled SSL cerificate verification.
Error: unable to verify the first certificate
A check on sslhopper.com also indicates an issue within the chain.
I got further information doing a chekc on digicert.com.
TLS Certificate is not trusted
The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.
I'm really stuck in resolving the issue. All helpful hints are very welcome.
The production environment, running on a Windows Server, wihtout the Gateway but the same certificates is valid. So the issue must be somewhere in the gateway configuration.
The issue is resolved. The crucial clue was delivered from a blog post.
http://blog.repsaj.nl/index.php/2019/08/azure-application-gateway-certificate-gotchas/
Gateway V2: the importance of the certificate chain
I did a new export of the pfx certificate including the whole chain and uploaded it to the gateway.
If the cert is not trusted, then you need to check the Application Gateway Listener. Make sure that you are not using Basic listener.
If you are using multi-site listener, make sure that the host name which you have mentioned matches with the certificate CN

azurewebsites.net built-in certificate

I have created web apps in Azure which use the built-in certificate for *.azurewebsites.net. SSL works fine here.
I have recently created another web app and the certificate it is using is MYSITE.azurewebsites.net. This certificate has a completely different chain than the other one--the root of which is not trusted on my machine.
Can anyone explain why one site would use the wildcard and the other one wouldn't? Also, why would the certificate chain be different?
(The wildcard cert has a DigiCert root, whereas the site-specific domain (MYSITE.azurewebsites.net) has a Cisco umbrella Root CA)
I wrote Azure Support an got in contact with their Azure Web App Product Group. They gave me the following message
This Cisco Umbrella certificate is not coming from Azure. You doesn’t have any SSL binding nor uploaded any certificate into your subscription.
Most likely your client machine is in a network protected by Cisco Umbrella product. Kindly contact to Cisco Umbrella product support team.
Another option to resolve this issue is to bind a custom domain and add a SSL certificate (Free or App Service or any other certificate) so that you do not use .azurewebsites.net URL.
I am providing you relevant articles which will give you all the details about adding custom domain and binding SSL to your App Service.
You can go through them once and then feel free to reach out to me if you have any questions or concerns
https://learn.microsoft.com/en-us/azure/app-service/manage-custom-dns-buy-domain -> Buy a custom domain name for your Azure App Service.
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain -> Add custom domain to your Azure App Service.
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-> Bind SSL certificate

How to deploy the 'nodejs-sentiment-bot-sample' on azure?

The microsoftgraph/nodejs-sentiment-bot-sample can run on your localhost with a self-signed certificate. What changes are necessary in order to deploy it on Azure regarding this certificate?
The Bot Framework works with bots deployed on any cloud hosting service, as long as you have an internet-accessible endpoint and a valid SSL certificate. If you are deploying to Azure App Service, your projectname.azurewebsites.net is covered by the existing *.azurewebsites.net SSL cert, so you should not need any additional configuration.
On the other hand, if you want to host on another cloud provider, the only requirements is that you have a current and valid SSL certificate registered to your domain name.
What is meant by "current and valid"? -- Most of the checks for "current and valid" are standard checks for server SSL certificates: the Certificate Name must match the hostname, it must not be expired, it must not be listed in a CRL, it must have the correct set of EKUs, etc.
Most importantly, your SSL certificate must chain to a root certificate authority trusted by Microsoft. The latest list of these CAs is available here: http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-april.aspx
For more information on deploying your bot, see: https://learn.microsoft.com/en-us/bot-framework/deploy-bot-overview

Installing certificates to the trusted root certificate store on azure web apps

How can I install a certificate into an Azure Web App so that my azure webapp can communicate with a remote service via SSL (this particular certificate is not signed by a public CA)
I generated an ssl certificate with openssl and when I install it to the trusted root certificate authentication store on my local computer the runs fine. However when I upload the cert via the management portal I get errors that the certificate isn't trusted (which is correct) and the correct error for when a certificate is not installed.
How can I install a private SSL certificate into the trusted root certificate store on an azure web app?
Unfortunately, we cannot add a certificate to the trusted certificate authority on an Azure Web App. The security implications would be quite bad if that were possible. More detail info please refer to another SO thread.
But We can use Azure Cloud Service that allowed us to do that. More info please refer to the document.
If we want to install certificates to Personal certificate store , we could upload a .pfx file to the Azure App, and add an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. Then the certificates will be installed to the Personal certificate store . More detail please refer to Using Certificates in Azure Websites Applications.
How to obtained an SSL certificate please refer to the official document Secure your app's custom domain with HTTPS.
 
The easiest way to get an SSL certificate that meets all the requirements is to buy one in the Azure portal directly. This article shows you how to do it manually and then bind it to your custom domain in App Service.

Thinktecture in windows azure web sites SSL issue

I have deployed the thinktecture identity server in the windows azure website role.The issue I am facing is with the SSL certificate.If I don't have a custom domain name I am forced to use *.azurewebsites which already have a certificate from microsoft and the app pool account is not able to read the private key of this certificate so it's throwing an error.
Did someone have the same issue or any ideas about what I can do to resolve it.
Thanks
The SSL and signing certificate don't need to be the same. Use the MS SSL cert (for now) and generate a separate cert for signatures. That cert can then be uploaded so that you can programmatically access it.

Resources