The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Taranjeet Malik 546 Reputation points
2024-07-03T05:16:42.1333333+00:00

Hi

We've built an APIM instance within a VNet (internal mode) and are using a self-signed certificate (*.abc.com) to secure the APIM endpoints (Gateway, Developer portal, etc.). We've tested that these portals work when accessed from a VM within the VNet; we just get an SSL certificate error (expected) that we can bypass in the browser.

We have a BizTalk server on-prem that hosts an API. This API is configured as a back-end in Azure APIM. The on-prem BizTalk server uses a different self-signed certificate (*.xyz.com). When we hit the BizTalk API endpoint (URL) directly from the VM in the VNet and bypass certificate validation, we get a success response (Test case 1). However, when we hit the same URL (configured as the back-end in APIM) via APIM (Test case 2), it fails with the following error:

"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

Here's a diagram to visually depict the two test cases:


Can someone point out what could be the issue and possible solution here?

Thanks

Taranjeet Singh

  1. JananiRamesh-MSFT 27,836 Reputation points
    2024-07-23T11:12:22.5833333+00:00

    @Taranjeet Malik Thanks for reaching out. Based on the information you provided, it seems like the issue is related to the SSL certificate validation when accessing the BizTalk API endpoint through APIM.

    When you access the BizTalk API endpoint directly from the VM in the VNet and bypass the certificate validation, you are able to get a success response. However, when you try to access the same URL through APIM, you get an error indicating that the SSL/TLS secure channel could not be established.

    This error typically occurs when the SSL certificate presented by the server is not trusted by the client. In this case, it is possible that the self-signed certificate used by the BizTalk server is not trusted by the APIM instance.

    To resolve this issue, try importing the self-signed certificate used by the BizTalk server into the trusted root certificate store on the APIM instance. This will allow the APIM instance to trust the certificate presented by the BizTalk server. Alternatively, add a valid trusted root CA certificate that resolves to the Microsoft Trusted Root Participant list.

    https://techcommunity.microsoft.com/t5/azure-paas-blog/troubleshooting-4xx-and-5xx-errors-with-azure-apim-services/ba-p/2115744

    Try this and let me know in case of further queries; I would be happy to assist you.

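One way to carry out the fix the answer describes (trusting the BizTalk backend certificate in APIM rather than bypassing validation), as an added example that is not part of the original thread and not Microsoft's own script. It assumes the Az.ApiManagement module and an existing Connect-AzAccount session, that the BizTalk public certificate has been exported to a .cer file (no private key), and that the `New-AzApiManagementSystemCertificate` / `Set-AzApiManagement` cmdlets behave as documented; paths, resource group and instance name are placeholders.

```powershell
# Added example: register the BizTalk self-signed certificate as a trusted root in APIM.
# Assumptions (placeholders): .cer exported on the BizTalk server with
#   Export-Certificate -Cert <cert> -Type CERT -FilePath C:\certs\biztalk-xyz-com.cer
$cerPath  = 'C:\certs\biztalk-xyz-com.cer'
$pfxPath  = 'C:\certs\biztalk-xyz-com.pfx'
$rg       = '<resource-group>'
$apimName = '<apim-instance-name>'

# Load the public certificate and check what kind of trust anchor it is.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); renew it before trusting it."
}
if ($cert.Subject -ne $cert.Issuer) {
    # Issued by a private CA: the CA certificate is the anchor to upload, not this leaf.
    throw "Certificate is issued by '$($cert.Issuer)'; upload that CA certificate instead."
}
$placement = 'Root'   # self-signed: the certificate itself is the trust anchor

# The cmdlet takes a PFX file; re-wrap the public certificate only, so no private
# key ever leaves the BizTalk server.
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx)
[System.IO.File]::WriteAllBytes($pfxPath, $pfxBytes)

# Append the certificate to the instance's system certificates (keeps any existing ones).
$rootCa = New-AzApiManagementSystemCertificate -StorePlacement $placement -PfxPath $pfxPath
$apim   = Get-AzApiManagement -ResourceGroupName $rg -Name $apimName
$apim.SystemCertificates = @($apim.SystemCertificates | Where-Object { $_ }) + @($rootCa)
$apim | Set-AzApiManagement   # applies a service update; internal-VNet instances take a while

# Confirm what APIM now trusts. The backend URL's hostname must still match the
# *.xyz.com wildcard, otherwise validation fails on name rather than on trust.
(Get-AzApiManagement -ResourceGroupName $rg -Name $apimName).SystemCertificates |
    Select-Object StorePlacement, CertificateInformation
```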
