Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
674 questions
TLS Inspection causes error when used with internal web server: ''Error message 'x509: certificate signed by an unknown authority' displayed when using TLS Inspection with internal web server''
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 75%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELA%3C/text%3E%3C/svg%3E)
Love Arinze
166
Reputation points
Question: When attempting to connect to a private, internal web server with a private certificate (signed by our internal CA) through a rule with TLS Inspection enabled, the browser displays the error message 'x509: certificate signed by an unknown authority.' The issue is specific to internal websites within my client's organization, as external websites work fine under TLS Inspection. The client's certificate appears valid and has a proper path back to our Root CA. Can you provide guidance on resolving this error?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee2023-07-25T01:09:03.58+00:00 Thank you for reaching out.
Based on the troubleshooting doc here
- Ensure the Root CA certificate is installed on client operating system.
- Ensure the browser or HTTPS client contains a valid root certificate. Firefox and some other browsers may have special certification policies.
- You can also try using a different browser as it might be a browser related issue.
You can refer to this POC document to determine if there was any missed step.
-
Love Arinze 166 Reputation points
2023-07-26T13:41:47.8833333+00:00 Thank you for your feedback.
I have tried those steps, and I didn't miss any.I repeated the test with a newly deployed Windows 2019 Server VM as the client machine (xc) and I have got the same result as the original client (xy).
To summarize the findings:
When accessing the internal website (a test IIS instance with HTTPS bound to port 443 and a PKI issued certificate, hosted on xy), everything appears normal, and the default IIS webpage over HTTPS (port 443) is displayed when TLS Inspection is not enabled.
However, as soon as TLS Inspection is enabled for the rule (without any other changes), the "client" browser shows an error message "x509: certificate signed by unknown authority" instead of displaying the default webpage.
Surprisingly again, with the exact same setup, TLS Inspection enabled, using the same Firewall, and from the same client, access to an external website like [www.microsoft.com] works as expected, showing the website contents.
In both cases, the certificate issued by the Intermediate Firewall CA is displayed as having a valid path.
-
ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee
2023-07-27T16:21:40.6066667+00:00 Thank you for providing the details above.
To troubleshoot the exact issue I think we will need specialized 1:1 session, where a support engineer can have a screen share session to pin point the issue. If you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details.
Subject : Attn Chaitanya
Thread URL: Link to this thread.
Subscription ID
Please let me know once you have done the same.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 71%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
Jacob A 15 Reputation points2023-11-14T05:09:34.08+00:00 The problem appears to be the Azure Firewall (TLS Inspection App Proxy) doesn't trust the Internal CA. It is not immediately obvious how to add your organization's PKI Root and Intermediates to the Firewall Policy to fix this.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 73%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Sergey 0 Reputation points2024-08-07T19:32:55.2333333+00:00 I'm having the same problem; Azure Firewall does not trust certificates issued by a custom CA.
With the certification chain:
- Root CA -> AFW intermediate CA
- Root CA -> Server intermediate CA -> blabla.something.local (IIS)
I'm getting "x509: certificate signed by an unknown authority".
Even if I change the chain to be like this:
- Root CA -> AFW intermediate CA -> Server intermediate CA -> blabla.something.local (IIS)
It's still not working. There is no option to upload custom CA certificates into Azure Firewall. How is it supposed to work in enterprise environments?
-
Jacob A 15 Reputation points
2024-08-07T20:11:23.6066667+00:00 Sergey,
Near as I've been able to tell, it's not currently supported. I think I remember a blurb somewhere that indicated application rules to onprem weren't supported either in general. You can at least make application rules to onprem work but you have to be VERY careful about routing. The route to the VWAN firewall instance isn't published outside that region so essentially cross region->onprem application rules isn't possible today. We have a lot of cross region routing so I had to give up applying that access using application rules.
Sign in to comment
Sign in to answer