Azure CDN returns OriginCertificateSelfSigned with Let's Encrypt cert

Question

We are configuring Azure CDN to access our server that is not on Azure. We configured the CDN and access via HTTP works correctly. However, we have enabled HTTPS and we are receiving the error x-azure-externalerror: OriginCertificateSelfSigned. The certificate being used in the origin is the same one that we uploaded to the key vault and that was active in the custom domain. However, when trying to access the site with https, we received the 502. Certificates are being generated by Let's Encrypt. We saw in the list https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACertificateReportForMSFT that Internet Security Research Group is an included certifier.

On the server we use NGINX and we have configured the certificate with the ssl_certificate and ssl_certificate_key properties.

Answer 1

I resolved the issue with these steps:

1. changed the host header to the domain instead of the IP address
2. created a DNS entry pointing to our server outside of Azure
3. generated a certificate that includes this DNS appointment. in the CDN's origin note, the note is for custom origin. Instead of the server IP, I added the DNS created in the previous step. finally, on the server, I configured the site's vhost to listen through this created DNS.

This solved our problem. What was happening is that it falls into the NGINX default because it makes a request to validate whether the domain in the origin is valid. Therefore, as the certificate does not exist by default, the error was returned.

Answer 2

@Mateus Roveda
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

---

Issue:

We are configuring Azure CDN to access our server that is not on Azure. We configured the CDN and access via HTTP works correctly. However, we have enabled HTTPS and we are receiving the error x-azure-externalerror: OriginCertificateSelfSigned. The certificate being used in the origin is the same one that we uploaded to the key vault and that was active in the custom domain. However, when trying to access the site with https, we received the 502. Certificates are being generated by Let's Encrypt. We saw in the list https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACertificateReportForMSFT that Internet Security Research Group is an included certifier. On the server we use NGINX and we have configured the certificate with the ssl_certificate and ssl_certificate_key properties.

Solution: I resolved the issue with these steps:

1. changed the host header to the domain instead of the IP address
2. -created a DNS entry pointing to our server outside of Azure
3. generated a certificate that includes this DNS appointment. in the CDN's origin note, the note is for custom origin. Instead of the server IP, I added the DNS created in the previous step. finally, on the server, I configured the site's vhost to listen through this created DNS.

This solved our problem. What was happening is that it falls into the NGINX default because it makes a request to validate whether the domain in the origin is valid. Therefore, as the certificate does not exist by default, the error was returned.

---

If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information. I hope this helps! If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.