c# web api The SSL connection could not be established, see inner exception on external request

Renan Paiva 11 Reputation points
2023-02-15T02:48:12.81+00:00

Hi everyone,

My application works OK on my PC (classic), but after being deployed to an Azure Windows Web App I've started to get the following error: The SSL connection could not be established, see inner exception. Authentication failed, see inner exception. The credentials supplied to the package were not recognized

This error occurs when my app tries to request a REST API that uses mTLS authentication.

I've tried deploying to a VM on Azure and it works, but that isn't what I want.

Best regards,

Renan Paiva

Azure App Service

1 answer

  1. brtrach-MSFT 17,731 Reputation points Microsoft Employee Moderator
    2023-02-19T19:51:19.0633333+00:00

    This error message is indicating that the client certificate that your application is using to authenticate with the REST API is not being recognized. This could be due to a number of reasons, including incorrect certificate format, incorrect certificate chain, or incorrect certificate data.

    You can try the following steps to troubleshoot the issue:

    1. Validate that the certificate chain uploaded was in the right format (PEM) and that the certificate data was properly delimited.
    2. Check that the certificate file uploaded contained the certificate data in addition to the delimiters.
    3. Double-check that the certificate chain that was uploaded contained more than just the leaf certificate. The BasicConstraintsOid = "2.5.29.19" extension should be present and indicate the subject can act as a CA.
    4. Certificates uploaded must contain exactly one root CA certificate (and as many intermediate CA certificates as needed).

    You can find more information on troubleshooting mutual authentication on Azure Application Gateway in this link.

    If you are still facing the issue, you can try to access the client certificate in your app code and validate it. In App Service, TLS termination of the request happens at the frontend load balancer. When forwarding the request to your app code with client certificates enabled, App Service injects an X-ARR-ClientCert request header with the client certificate. You can access the client certificate in your app code through a base64 encoded value in the X-ARR-ClientCert request header.

    You can find more information on how to access client certificate in Azure App Service in this link.
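
The four chain checks listed in the answer above can be run locally against the PEM file before it is uploaded. This is an added example, not code from the answer or from Microsoft; the class name `PemChainCheck`, the default file name `chain.pem`, and treating "subject equals issuer" as the test for a root certificate are assumptions made here.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Requires .NET 5 or later (X509Certificate2Collection.ImportFromPem).
public static class PemChainCheck
{
    private const string Begin = "-----BEGIN CERTIFICATE-----";
    public static int Main(string[] args)
    {
        // "chain.pem" is a placeholder file name, not a path from the page.
        string pem = File.ReadAllText(args.Length > 0 ? args[0] : "chain.pem");
        int blocks = pem.Split(Begin).Length - 1;
        var certs = new X509Certificate2Collection();
        try { certs.ImportFromPem(pem); }
        catch (CryptographicException e)
        {
            Console.WriteLine($"FAIL: certificate data does not decode: {e.Message}");
            return 1;
        }
        bool ok = true;
        // Steps 1-2: each BEGIN delimiter must enclose decodable certificate data.
        if (blocks == 0 || certs.Count != blocks)
        {
            Console.WriteLine($"FAIL: {blocks} BEGIN delimiter(s), {certs.Count} certificate(s) parsed");
            ok = false;
        }
        int caCount = 0, rootCount = 0;
        foreach (X509Certificate2 cert in certs)
        {
            // Step 3: basic constraints (OID 2.5.29.19) marks a certificate as a CA.
            var bc = cert.Extensions.OfType<X509BasicConstraintsExtension>().FirstOrDefault();
            bool isCa = bc != null && bc.CertificateAuthority;
            // Assumption: subject == issuer is treated as "root"; the signature is not verified.
            bool selfIssued = cert.SubjectName.RawData.SequenceEqual(cert.IssuerName.RawData);
            if (isCa) caCount++;
            if (isCa && selfIssued) rootCount++;
            Console.WriteLine($"{cert.Subject} | CA={isCa} | self-issued={selfIssued}");
        }
        if (caCount == 0) { Console.WriteLine("FAIL: no CA certificate in the file"); ok = false; }
        // Step 4: exactly one root CA certificate.
        if (rootCount != 1) { Console.WriteLine($"FAIL: {rootCount} root CA certificate(s), expected 1"); ok = false; }
        Console.WriteLine(ok ? "PASS" : "Chain file needs fixing");
        return ok ? 0 : 1;
    }
}
```

A mismatch between the delimiter count and the parsed count usually points to a truncated or badly delimited block, since malformed PEM blocks are skipped rather than reported by the parser.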

