Private CA, signed by Sectigo broke communication on Azure Web App multi-tenant

Question

Private CA, signed by Sectigo broke communication on Azure Web App multi-tenant

Hristijan Shurbeski 0

Hi,

I have an issue where my application loads a pfx file from the code and extracts the certificate from there, but the communication is not working with the external endpoint once we host the code on App Service, however it works from running the application from a local env.

The previous certificate was directly issued from Sectigo and back then everything was going smooth on App Service and the current one is from a private CA from a very trusted CA, Sectigo, where the communication with the external endpoint can not be done. Bellow is the code how we import the certificate from the code.

App Service is Multi tenant hosted.

Is there any specific reason why this new certificate which is not self-signed is not working on Azure Web App?

X509Certificate2 certificate = new X509Certificate2(_config.CertificateConfiguration.FilePath, _config.CertificateConfiguration.Password, X509KeyStorageFlags.MachineKeySet);

T User's image

Patchfox 4,176 Reputation points

2023-03-19T15:44:47.5066667+00:00

Hi Hristijan Shurbeski I want to help you with this problem.

Could you tell us, which CA provider provided the current cert files?

Did you follow the steps to create a .pfx file with the complete key chain (intermediates, root ...) ?

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#merge-intermediate-certificates
Hristijan Shurbeski 0 Reputation points

2023-03-19T16:10:58.45+00:00

Hi @Patchfox ,

The certificate files are provided by private CA from a trusted CA named Sectigo. The private CA name is named with the same name the as the organisation/company that purchased the cer file.

the certificate has root, intermediate and the certificate, all 3 parts in the chain

I didn’t do any changes on the app service, the code only uses the pfx which I upload in the source code and then I deploy it to the app service the code with the new pfx that contains the new cert. That is basically the procedure for renewing a cert

do you need some more insights?
Patchfox 4,176 Reputation points

2023-03-19T21:11:56.6766667+00:00

Thanks for the info. Could you tell us, what's your exact problem? What do you mean with "communication is not working" ?
Hristijan Shurbeski 0 Reputation points

2023-03-19T21:21:00.33+00:00

In my tenant I have this Web App which is basically an API that sends letters from a Service Bus queue to another API which is outside my tenant.

Before I changed the certificate the letters were sent successfully from the service bus queue, once I changed the certificate from a private CA signed by Sectigo all of the letters in the Service Bus queue were in the dead-letter queue. This is the communication break.

However if i start the API locally using the new certificate in debug mode I manage to send the letters to the external API.

So my question is, is it possible this certificate to work with multi tenant hosted web app? Because now we are sending the letters using the new certificate from a local env and not from Web App which is not the solution.

is there any steps i can take in order to make the API send letters from the service bis topic using the new cert?

I checked in application insights, for the API in my tenant i receive FAULTED error when calling the external API
Patchfox 4,176 Reputation points

2023-03-21T19:50:15.3833333+00:00

Sorry, to understand better, i ask again, the current provider of the certificate where the connections do not work is no longer sectigo, right?

If yes, which provider do you use now?
Hristijan Shurbeski 0 Reputation points

2023-03-30T09:48:15.5266667+00:00

Thank you both!

Perfect answer, that helps
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-03-30T19:17:17.03+00:00

@Hristijan Shurbeski , Glad you found the information helpful. If the answer helped (pointed you in the right direction) > please click Accept Answer

Much appreciate your feedback!

1 answer

Your answer

Patchfox 4,176 Reputation points

2023-03-19T15:44:47.5066667+00:00

Hi Hristijan Shurbeski I want to help you with this problem.

Could you tell us, which CA provider provided the current cert files?

Did you follow the steps to create a .pfx file with the complete key chain (intermediates, root ...) ?

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#merge-intermediate-certificates
Hristijan Shurbeski 0 Reputation points

2023-03-19T16:10:58.45+00:00

Hi @Patchfox ,

The certificate files are provided by private CA from a trusted CA named Sectigo. The private CA name is named with the same name the as the organisation/company that purchased the cer file.

the certificate has root, intermediate and the certificate, all 3 parts in the chain

I didn’t do any changes on the app service, the code only uses the pfx which I upload in the source code and then I deploy it to the app service the code with the new pfx that contains the new cert. That is basically the procedure for renewing a cert

do you need some more insights?
Patchfox 4,176 Reputation points

2023-03-19T21:11:56.6766667+00:00

Thanks for the info. Could you tell us, what's your exact problem? What do you mean with "communication is not working" ?
Hristijan Shurbeski 0 Reputation points

2023-03-19T21:21:00.33+00:00

In my tenant I have this Web App which is basically an API that sends letters from a Service Bus queue to another API which is outside my tenant.

Before I changed the certificate the letters were sent successfully from the service bus queue, once I changed the certificate from a private CA signed by Sectigo all of the letters in the Service Bus queue were in the dead-letter queue. This is the communication break.

However if i start the API locally using the new certificate in debug mode I manage to send the letters to the external API.

So my question is, is it possible this certificate to work with multi tenant hosted web app? Because now we are sending the letters using the new certificate from a local env and not from Web App which is not the solution.

is there any steps i can take in order to make the API send letters from the service bis topic using the new cert?

I checked in application insights, for the API in my tenant i receive FAULTED error when calling the external API
Patchfox 4,176 Reputation points

2023-03-21T19:50:15.3833333+00:00

Sorry, to understand better, i ask again, the current provider of the certificate where the connections do not work is no longer sectigo, right?

If yes, which provider do you use now?
Hristijan Shurbeski 0 Reputation points

2023-03-30T09:48:15.5266667+00:00

Thank you both!

Perfect answer, that helps
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-03-30T19:17:17.03+00:00

@Hristijan Shurbeski , Glad you found the information helpful. If the answer helped (pointed you in the right direction) > please click Accept Answer

Much appreciate your feedback!

Answer 1

Hristijan Shurbeski, Just checking in to see if you had got a chance to see the previous response.
As Patchfox suggested, please share more details about your requirement.

Based on the issue description. just to highlight - App Service has a list of Trusted Root Certificates which you cannot modify in the multi-tenant variant version of App Service, but you can load your own CA certificate in the Trusted Root Store in an App Service Environment (ASE), which is a single-tenant environment in App Service.
(The Free, Basic, Standard, and Premium App Service Plans are all multi-tenant, and the Isolated Plans are single-tenant.)

When an app hosted on Azure App Service, tries to connect to a remote endpoint over SSL, it is important that the certificate on remote endpoint service is issued by a Trusted Root CA. If the certificate on the remote service is a self-signed certificate or a private CA certificate, then it will not be trusted by the instance hosting your app and the SSL handshake will fail with this error:

'Could not establish trust relationship for the SSL/TLS secure channel'

In this situation, there are two solutions (based on your scenario/requirement):

Use a certificate that is issued by one of the Trusted Root Certificate Authorities in App Service on the remote server.
- How to get a list of Trusted Root CA on App Service using Kudu
If the remote service endpoint certificate could not be changed or there is a need to use a private CA certificate, host your app on an App Service Environment (ASE) and load your own CA certificate in the Trusted Root Store
- How to load your own CA certificate to the Trusted Root Store in ASE

Kindly check this Root CA on App Service article for more info. Kindly let us know, we will be more than happy to assist you.

Share via

Private CA, signed by Sectigo broke communication on Azure Web App multi-tenant

1 answer

Your answer