Sending an HTTPS Request from an Azure Function to an external Web Service using a Certificate

Azure Tester 15 Reputation points
2023-05-19T07:41:51.14+00:00

A hearty hello to everyone!

I have set up an Azure Function App (S1 SKU) and I am trying to use one of the functions as a client that sends an HTTPS-Request to another web server (API). I do this using the Powershell Cmdlet Invoke-RestMethod which I provide with a certificate in order to authenticate my request to the web server. (This certificate has been added to the trusted certificates of the web server's cert store.)

# Fetch the certificate object (PSKeyVaultCertificate) from Key Vault
$cert = Get-AzKeyVaultCertificate -VaultName $keyVaultName -Name $certificateLabel
# Present its X509Certificate2 as the client certificate for the request
Invoke-RestMethod -Method 'GET' -Uri $URI -Certificate $cert.Certificate

Where $cert.Certificate is an X509Certificate2 object. However, I am unable to establish trust between the two parties because the SSL validation yields: UntrustedRoot. Here is the exception I get when calling Invoke-RestMethod:

"The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot"

I understand why this occurs. Unlike classic servers, "serverless" Azure functions have no certificate store that checks for certificates for validity. Thus I cannot upload the trusted root and intermediate certificates.

How do I establish trust for the root and intermediate certificates in this case?

When presenting ChatGPT with this problem, it suggested implementing a custom ssl validation callback that handles the trust validation. But it also warned of using this in a production environment as the validation procedure should be carefully implemented.

Is there another workaround or a thorough guide for custom ssl validation callbacks?

Thank you very much for your time in advance!


2 answers

  1. TP 125.8K Reputation points Volunteer Moderator
    2023-05-19T09:18:07.2933333+00:00

    Hi,

    I've not tested it, but I believe if you import the certificate into your function app, make it accessible using the WEBSITE_LOAD_CERTIFICATES=* setting, and then reference it using the -CertificateThumbprint parameter, Invoke-RestMethod won't fail due to untrusted root.

    In portal, browse to your function app, Certificates blade, and add your certificate. Once your certificate is imported you can go to Configuration blade - Application settings and add WEBSITE_LOAD_CERTIFICATES setting and set it to *

    You would modify Invoke-RestMethod to be similar to below:

    # Reference the imported certificate by thumbprint; the runtime loads it from the CurrentUser\My store
    Invoke-RestMethod -Method 'GET' -Uri $URI -CertificateThumbprint $certThumbprint

    Below are articles that provide detailed information about importing/using certificates for your reference:

    https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate

    https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code#make-the-certificate-accessible

    I did a quick test by importing a self-signed certificate into the CurrentUser\My store and then called Invoke-RestMethod and it didn't throw an exception. Based on the docs, this should (in theory) be equivalent to doing the same thing in a function with the imported cert as I described above.

    Please give it a try and let me know your results in a comment. If anything is unclear, let me know.

    Thanks.

    -TP
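
The custom validation the question asks about, done the safe way, as an added example that is not code from the question or from either answer. It serves both the question's Key Vault snippet and the import procedure in the answer above: WEBSITE_LOAD_CERTIFICATES puts a certificate into the personal (My) store, which makes it usable as a client certificate, but it does not add anything to the trusted root store, so the web server's private chain still has to be validated somewhere. The example builds the server's chain with the private root as the only trust anchor (X509ChainTrustMode.CustomRootTrust, available on .NET 5 and later, which the PowerShell 7 worker runs on) instead of returning $true from the callback. $uri, $clientCert and the CA file paths are illustrative names the caller supplies; the function and parameter names are the author's own, not an Azure or PowerShell API.

```powershell
# Added example, not from the question or the answers. Assumes PowerShell 7 on .NET 6+
# (the Azure Functions PowerShell worker). $uri, $clientCert and the CA file paths are
# illustrative values supplied by the caller.
using namespace System.Net.Http
using namespace System.Net.Security
using namespace System.Security.Cryptography.X509Certificates

function Test-ServerCertAgainstPrivateRoot {
    # Rebuilds the server's chain with our own root as the ONLY trust anchor, so the
    # function host's machine trust store (empty or irrelevant here) never enters the decision.
    param(
        [Parameter(Mandatory)] [X509Certificate2] $ServerCertificate,
        [Parameter(Mandatory)] [X509Certificate2] $TrustedRoot,
        [X509Certificate2[]] $Intermediates = @()
    )
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.TrustMode = [X509ChainTrustMode]::CustomRootTrust
    $null = $chain.ChainPolicy.CustomTrustStore.Add($TrustedRoot)
    foreach ($ca in $Intermediates) { $null = $chain.ChainPolicy.ExtraStore.Add($ca) }
    # Private PKI: CRL/OCSP endpoints are usually unreachable from the function.
    # Switch to Online if your CA publishes them where the function can fetch them.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::NoFlag

    if (-not $chain.Build($ServerCertificate)) {
        foreach ($s in $chain.ChainStatus) { Write-Warning "chain: $($s.Status) $($s.StatusInformation)" }
        return $false
    }
    # Defence in depth: the anchor the chain ended at must be exactly our root.
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($anchor.Thumbprint -eq $TrustedRoot.Thumbprint)
}

function Invoke-PinnedRestMethod {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [X509Certificate2] $ClientCertificate,  # must carry its private key
        [Parameter(Mandatory)] [X509Certificate2] $TrustedRoot,
        [X509Certificate2[]] $Intermediates = @()
    )
    $handler = [HttpClientHandler]::new()
    $handler.ClientCertificateOptions = [ClientCertificateOption]::Manual
    $null = $handler.ClientCertificates.Add($ClientCertificate)

    # Custom validation. Never `return $true` unconditionally: that is the shortcut the
    # question was warned about, and it silently disables server authentication.
    $handler.ServerCertificateCustomValidationCallback = {
        param($request, $serverCert, $platformChain, $sslErrors)
        if ($null -eq $serverCert) { return $false }
        # $sslErrors was computed against the machine store, so UntrustedRoot is expected
        # and is ignored here. X509Chain does not check the host name, so keep the
        # platform's verdict on that one.
        if ($sslErrors -band [SslPolicyErrors]::RemoteCertificateNameMismatch) {
            Write-Warning "host name mismatch for $($serverCert.Subject)"
            return $false
        }
        return (Test-ServerCertAgainstPrivateRoot -ServerCertificate $serverCert `
                    -TrustedRoot $TrustedRoot -Intermediates $Intermediates)
    }

    $client = [HttpClient]::new($handler)
    try {
        # Synchronous Send keeps the TLS handshake, and therefore the callback, on this
        # thread; an async call would invoke the script block on a thread with no runspace.
        $request  = [HttpRequestMessage]::new([HttpMethod]::Get, $Uri)
        $response = $client.Send($request)
        $body     = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()
        if (-not $response.IsSuccessStatusCode) {
            throw "HTTP $([int]$response.StatusCode): $body"
        }
        return $body
    }
    finally {
        $client.Dispose()
        $handler.Dispose()
    }
}

# Usage (illustrative paths). The CA files are public certificates, so they can ship
# with the function app or be read from Key Vault like the client certificate.
$root         = [X509Certificate2]::new("$PSScriptRoot/ca/private-root.cer")
$intermediate = [X509Certificate2]::new("$PSScriptRoot/ca/private-issuing.cer")
$json = Invoke-PinnedRestMethod -Uri $uri -ClientCertificate $clientCert `
            -TrustedRoot $root -Intermediates @($intermediate) | ConvertFrom-Json
```

Two caveats a practitioner will hit. The client certificate passed in must include its private key: the object returned by Get-AzKeyVaultCertificate holds only the public certificate, and the PFX with the key is stored as the secret of the same name in Key Vault (Get-AzKeyVaultSecret). And pinning to a private root means a root rollover on the server side breaks this client until the new root file is deployed, so treat the CA files as configuration that is versioned with the function, not as something that never changes.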


  2. Jon Austen 1 Reputation point
    2024-01-09T02:07:36.08+00:00

    I suspect your .PKS file needs to not have a password on it. I say this because this is what I notice when importing the cert into my Windows computer from .pks store.

    1. If the .pks has a password, I end up with the cert listed in my personal cert store.
    2. If I remove the password from the .pks first, THEN when importing into my personal cert store, I will get 3 items imported: the root cert, the intermediary, and my site cert

    So, that is interesting. Therefore, if it's not working for you, maybe it's because the cert you uploaded to your vault has a password on it?

