This error message indicates that the client certificate your application uses to authenticate with the REST API is not being recognized. This could be due to a number of reasons, including incorrect certificate format, incorrect certificate chain, or incorrect certificate data.
You can try the following steps to troubleshoot the issue:
- Validate that the certificate chain uploaded was in the right format (PEM) and that the certificate data was properly delimited.
- Check that the certificate file uploaded contained the certificate data in addition to the delimiters.
- Double-check that the certificate chain that was uploaded contained more than just the leaf certificate. The BasicConstraintsOid = "2.5.29.19" extension should be present and indicate the subject can act as a CA.
- Certificates uploaded must contain exactly one root CA certificate (and as many intermediate CA certificates as needed).
You can find more information on troubleshooting mutual authentication on Azure Application Gateway in this link.
If you are still facing the issue, you can try to access the client certificate in your app code and validate it. In App Service, TLS termination of the request happens at the frontend load balancer. When forwarding the request to your app code with client certificates enabled, App Service injects an X-ARR-ClientCert request header with the client certificate. You can access the client certificate in your app code through a base64-encoded value in the X-ARR-ClientCert request header.
You can find more information on how to access client certificate in Azure App Service in this link.
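The format checks from the list above (PEM delimiters, certificate data present between them, more than one certificate in the file) can be run locally before uploading. This is an added example, not code from the original answer or from Azure; `lint_pem_chain` is a hypothetical helper and the sample inputs are constructed placeholders, not real certificates. It does not inspect the Basic Constraints extension or count root CAs, which require an X.509 parser.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def lint_pem_chain(text):
    """Return a list of format problems in a PEM chain file (empty = none found)."""
    problems = []
    if text.count(BEGIN) != text.count(END):
        problems.append("unbalanced BEGIN/END delimiters")
    blocks = BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM certificate blocks found")
    for i, body in enumerate(blocks, 1):
        b64 = "".join(body.split())  # drop line breaks and indentation
        if not b64:
            problems.append(f"block {i}: delimiters present but no certificate data")
            continue
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            problems.append(f"block {i}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # a certificate is a DER SEQUENCE
            problems.append(f"block {i}: decoded data is not a DER SEQUENCE")
    if len(blocks) == 1:
        problems.append("only one certificate: the chain needs more than one")
    return problems


def _constructed_pem(n):
    # Constructed placeholder, NOT a real certificate: DER SEQUENCE { INTEGER n }.
    der = b"\x30\x03\x02\x01" + bytes([n])
    return f"{BEGIN}\n{base64.b64encode(der).decode()}\n{END}\n"


SAMPLE_CHAIN = _constructed_pem(1) + _constructed_pem(2) + _constructed_pem(3)
SAMPLE_LEAF_ONLY = _constructed_pem(1)
SAMPLE_EMPTY_BLOCK = f"{BEGIN}\n{END}\n" + _constructed_pem(2)

if __name__ == "__main__":
    for name in ("SAMPLE_CHAIN", "SAMPLE_LEAF_ONLY", "SAMPLE_EMPTY_BLOCK"):
        print(name, lint_pem_chain(globals()[name]))
```

An empty result only means the file is structurally a multi-certificate PEM bundle; the chain contents still have to satisfy the CA requirements listed above.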