Front Door standard Stricter validation of origin/backend testing

Brandon Sandlin 5 Reputation points
2023-03-27T14:58:40.6833333+00:00

I received an email regarding the "Stricter validation of origin/backend certificates in Azure Front Door and CDN starting 17 April 2023" with some steps to verify that a full chain is always returned. In the example, it shows the following:

Example Command for Windows (powershell)

echo "" | openssl s_client -connect www.openssl.org:443 -verify 3 | Select-String -Pattern "depth=([^\s]+)\s+CN\s=\s*([^\s]+)" -AllMatches | % { "{0} CN = {1}" -f $_.Matches[0].Groups[1].Value, $_.Matches[0].Groups[2].Value }

Expected output

This command samples the openssl.org website, checking the chain to a depth of 3 certificates, and its output looks like this:

verify depth is 3
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.openssl.org
verify return:1
DONE

The issue that I have is that I am not getting the result that the example shows. When I run the command, I am receiving "verify error:num=20:unable to get local issuer certificate". Does this indicate that there is an issue with the full chain being returned? Below is the complete output.

verify depth is 3
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.openssl.org
verify return:1
DONE

When I am testing my own custom domains, I am seeing results very similar to what I receive when I do the test with openssl.org.

Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.

1 answer

Brandon Sandlin 5 Reputation points
2023-04-07T16:00:38.9266667+00:00

@Brandon Hunt had the answer for me, pointing me to the correct installation of OpenSSL, as the install I used originally would not work.

The answer is sort of long-winded, but TL;DR: try using Ubuntu or the "Git for Windows" installation instead of where I assume you obtained your Windows OpenSSL client (I went to the same place): https://slproweb.com/products/Win32OpenSSL.html

Longer answer: I got here by seeing a few forum discussions mentioning having to supply a local .cer to complete the chain verification. EVERY known good site on the Internet seemed to throw this error num 20. I checked the "man" documentation on the OpenSSL website and tried using the "-verify_return_error" parameter to see what the holdup is. See attached for that verbose output. So, OK, it's looking for a "crypto store" folder to load, which isn't there. It's true. It's not there on my install. I caught that that is part of the Release build directories when you download the .tar.gz from GitHub... So I tried Ubuntu. Ubuntu does not return this error, as I assume it is able to refer to this crypto store. I found another method: download "Git for Windows" and access the OpenSSL client from the C:\Program Files\Git\usr\bin directory. Works fine.

Reference for Git for Windows: https://stackoverflow.com/questions/50625283/how-to-install-openssl-in-windows-10
Site for Git for Windows: https://gitforwindows.org/

Another way to install, per the INSTALL.md found in the official release .tar.gz (also attached), is via "nmake install" in Visual Studio. Perhaps that will install a complete directory with the "crypto store" as well. I have not tried this method though.
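A parser for the s_client verify output quoted in this thread, added here as an example; it is not part of the question, the answer, or any Microsoft or OpenSSL material. It attaches each `verify error:num=...` line to the depth it was reported at and then distinguishes the two cases that produce error 20: the origin presented only its leaf (the situation Front Door's stricter validation rejects) versus the presented certificates linking together but the top one being unanchored because the local OpenSSL trust store is missing its issuer (the situation in this thread). The samples are constructed from the output on this page plus a hypothetical leaf-only origin `origin.example.com`; the function and constant names are mine, the numeric error codes are OpenSSL's (x509_vfy.h).

```python
"""Classify the verify output of `openssl s_client -connect host:443 -verify 3`."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed test input copied from this page: every presented certificate links to the
# next, but the issuer of the top one (the cross-signed ISRG Root X1) is not in the store.
SAMPLE_STORE_MISSING = """\
verify depth is 3
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.openssl.org
verify return:1
DONE
"""

# Constructed test input for an origin that presents only its leaf (hostname is hypothetical).
SAMPLE_LEAF_ONLY = """\
verify depth is 3
depth=0 CN = origin.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
DONE
"""

# Constructed test input for a chain that verifies cleanly (no error lines at any depth).
SAMPLE_OK = """\
verify depth is 3
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.openssl.org
verify return:1
DONE
"""

DEPTH_LINE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_LINE = re.compile(r"^verify error:num=(\d+):(.*)$")
# CN is matched as a whole RDN anywhere in the subject, not only as the first token.
CN_FIELD = re.compile(r"(?:^|,\s*)CN\s*=\s*([^,]+)")

# OpenSSL X509 verify error numbers used below.
ERR_DEPTH_ZERO_SELF_SIGNED = 18
ERR_SELF_SIGNED_IN_CHAIN = 19
ERR_UNABLE_TO_GET_ISSUER_LOCALLY = 20


@dataclass
class ChainEntry:
    depth: int
    subject: str
    cn: Optional[str]
    errors: List[int] = field(default_factory=list)


def parse_verify_output(text: str) -> Dict[int, ChainEntry]:
    """One entry per depth; each verify error is attached to the depth line preceding it."""
    entries: Dict[int, ChainEntry] = {}
    current: Optional[ChainEntry] = None
    for line in text.splitlines():
        m = DEPTH_LINE.match(line)
        if m:
            depth, subject = int(m.group(1)), m.group(2).strip()
            cn = CN_FIELD.search(subject)
            current = ChainEntry(depth, subject, cn.group(1).strip() if cn else None)
            entries[depth] = current
            continue
        m = ERROR_LINE.match(line)
        if m and current is not None:
            current.errors.append(int(m.group(1)))
    return entries


def assess_chain(entries: Dict[int, ChainEntry]) -> Tuple[str, str]:
    """Return (verdict, explanation) for what the output says about the presented chain."""
    if not entries:
        return "no_chain", "no depth= lines found; capture stderr (2>&1) and check the connection"
    top = max(entries)
    failing = {d: e.errors for d, e in entries.items() if e.errors}
    if not failing:
        return "ok", f"chain of {top + 1} certificates verified against the local trust store"
    if top == 0:
        # Only the leaf was presented and nothing local could be linked to it.
        if ERR_DEPTH_ZERO_SELF_SIGNED in entries[0].errors:
            return "self_signed_leaf", "server presented a self-signed leaf certificate"
        return "leaf_only", ("server presented only its leaf certificate; unless the leaf is "
                             "issued directly by a root, the intermediate is missing")
    if set(failing) == {top}:
        # Every certificate below the top chained correctly; only the top is unanchored.
        if ERR_SELF_SIGNED_IN_CHAIN in entries[top].errors:
            return "untrusted_root", "server sent its root, which is not in the local trust store"
        return "store_missing_issuer", (f"the {top + 1} presented certificates link together; "
                                         f"the issuer of '{entries[top].cn}' was not found locally, "
                                         "so check the trust store (rerun with -CAfile <expected root>)")
    return "broken_chain", f"verify errors at depths {sorted(failing)}; inspect with -showcerts"


if __name__ == "__main__":
    for name, sample in [("store_missing", SAMPLE_STORE_MISSING),
                         ("leaf_only", SAMPLE_LEAF_ONLY), ("ok", SAMPLE_OK)]:
        code, detail = assess_chain(parse_verify_output(sample))
        print(f"{name}: {code}: {detail}")
```

s_client prints the `depth=`/`verify error` lines on stderr, so redirect with `2>&1` before piping them into this parser. Note that the `depth=([^\s]+)\s+CN\s=\s*([^\s]+)` pattern in the email's command only matches a subject whose first RDN is CN, so on the output above it would report depth 0 but skip the `C = US, O = ..., CN = ...` lines at depths 1 and 2; the parser here reads the CN from anywhere in the subject.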

