SSL Certification Error on App deployed on App service while connecting to Azure OpenAI

Nirmalsing Patil 20 Reputation points
2024-06-14T00:13:03.62+00:00

I am writing to report an API connection error that I am currently experiencing. I have deployed an application to an app service in Azure, and it is connected to a virtual network (VNET) where Azure Open AI is configured as a private endpoint. However, when attempting to connect to Azure Open AI using the endpoint "https://xxxxxxsxsvasucvacxzxxxx.privatelink.openai.azure.com", I encounter the following error:

Error Log:

    2024-06-13T23:48:25.238818246Z Connecting to Azure Open AI with endpoint: https://xxxxxxxxxxxxxxxxxxxxx.privatelink.openai.azure.com
    2024-06-13T23:48:25.238822646Z Get ready for the function call: Hello, I am getting bored
    2024-06-13T23:48:25.238826746Z Unable to generate ChatCompletion response
    2024-06-13T23:48:25.238830846Z Exception: Connection error.
    2024-06-13T23:48:25.238834846Z Detailed exception: Traceback (most recent call last):
    ...
    ...
    ...
    2024-06-13T23:48:25.239007749Z httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ss-xxxxxxxxxxxxxxxxxxxxxxxasa.privatelink.openai.azure.com'. (_ssl.c:1007)

  It seems that there is an issue with the SSL certificate verification, specifically with a hostname mismatch for 'https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.privatelink.openai.azure.com'. Could you please investigate and provide guidance on how to resolve this issue? I would appreciate any assistance or recommendations you can provide to help me resolve this API connection error.

Code:

    import os

    from openai import AzureOpenAI

    client = AzureOpenAI(
        azure_endpoint=os.getenv("AZURE_ENDPOINT"),  # Temp
        api_key=os.getenv("AZURE_OPENAI_API_KEY"),
        api_version=os.getenv("CHAT_MODEL_API_VERSION"),  # "2024-02-01"
        # http_client=httpx_client
    )

    # `messages` is the chat message list built elsewhere in the application
    response = client.chat.completions.create(
        model=os.getenv("CHAT_MODEL_NAME"),
        messages=messages,
    )
       
openai==1.23.6
Azure Virtual Network
Azure Private Link
Azure OpenAI Service
Azure App Service

1 answer

  1. KapilAnanth-MSFT 38,606 Reputation points Microsoft Employee
    2024-06-14T02:54:26.04+00:00

    @Nirmalsing Patil ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I see you have VNET-integrated an App Service, and from this App Service you are trying to connect to the Private Endpoint of the OpenAI service, which is in the same VNET.

    I believe the error is because you are using "xxxxxxsxsvasucvacxzxxxx.privatelink.openai.azure.com" instead of "xxxxxxsxsvasucvacxzxxxx.openai.azure.com".

    • You should always use the hostname without the privatelink in it.
    • The "privatelink" part of the hostname is something handled by default by the Azure platform, and you should not use it while defining endpoints within the code.

    Can you update the endpoint to just "xxxxxxsxsvasucvacxzxxxx.openai.azure.com" and let us know how it goes?

    In case that didn't help,

    • Was this a new setup? Or do you have a dev/lower environment where this is working?
    • Was this working with the public endpoint before you tried to use the Private Endpoint?
      • Or is it the case that you never tried with public access and directly tried to use the PE?
    • Is there a VM in the same VNET where you can replicate the call?
      • So that we can isolate that the App Service is not the culprit.

    Cheers,

    Kapil

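A pre-flight check for the endpoint setting discussed in this thread, added here as an example and not code from the question or the answer: it flags a `privatelink` label in the configured hostname, shows why a single-label wildcard certificate name cannot cover it, and returns the hostname to use. The SAN pattern `*.openai.azure.com`, the placeholder resource name `myresource` and all function names are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: SAN pattern of the kind the service certificate carries; not taken from the page.
ASSUMED_CERT_SANS = ["*.openai.azure.com"]


def san_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: '*' stands for exactly one leftmost DNS label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False  # a wildcard never spans an extra label such as 'privatelink'
    first_ok = pat_labels[0] == "*" or pat_labels[0] == host_labels[0]
    return first_ok and host_labels[1:] == pat_labels[1:]


def normalize_endpoint(endpoint: str) -> tuple[str, list[str]]:
    """Return (endpoint to use for TLS, findings) for a configured endpoint URL."""
    findings = []
    parts = urlsplit(endpoint if "://" in endpoint else "https://" + endpoint)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    if "privatelink" in labels:
        findings.append(f"{host}: contains the 'privatelink' label; use the public hostname")
        labels.remove("privatelink")
        host = ".".join(labels)
    if not any(san_matches(host, san) for san in ASSUMED_CERT_SANS):
        findings.append(f"{host}: not covered by {ASSUMED_CERT_SANS}")
    return f"https://{host}", findings


def resolves_privately(endpoint: str) -> bool:
    """Inside the VNET, the public hostname should resolve to the private endpoint IP."""
    host = urlsplit(endpoint).hostname
    addrs = {info[4][0] for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}
    return all(ipaddress.ip_address(a).is_private for a in addrs)


if __name__ == "__main__":
    # Constructed sample value; 'myresource' is a placeholder, not a name from the page.
    fixed, notes = normalize_endpoint("https://myresource.privatelink.openai.azure.com")
    print(fixed, notes)
```

`resolves_privately` needs working DNS, so run it from the App Service console or a VM in the same VNET against the normalized endpoint.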