Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
614 questions
TLS Inspection causes error when used with internal web server: ''Error message 'x509: certificate signed by an unknown authority' displayed when using TLS Inspection with internal web server''
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 75%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELA%3C/text%3E%3C/svg%3E)
Love Arinze
156
Reputation points
Question: When attempting to connect to a private, internal web server with a private certificate (signed by our internal CA) through a rule with TLS Inspection enabled, the browser displays the error message 'x509: certificate signed by an unknown authority.' The issue is specific to internal websites within my client's organization, as external websites work fine under TLS Inspection. The client's certificate appears valid and has a proper path back to our Root CA. Can you provide guidance on resolving this error?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 24,666 Reputation points Microsoft Employee2023-07-25T01:09:03.58+00:00 Thank you for reaching out.
Based on the troubleshooting doc here
- Ensure the Root CA certificate is installed on client operating system.
- Ensure the browser or HTTPS client contains a valid root certificate. Firefox and some other browsers may have special certification policies.
- You can also try using a different browser as it might be a browser related issue.
You can refer to this POC document to determine if there was any missed step.
-
Love Arinze 156 Reputation points
2023-07-26T13:41:47.8833333+00:00 Thank you for your feedback.
I have tried those steps, and I didn't miss any.I repeated the test with a newly deployed Windows 2019 Server VM as the client machine (xc) and I have got the same result as the original client (xy).
To summarize the findings:
When accessing the internal website (a test IIS instance with HTTPS bound to port 443 and a PKI issued certificate, hosted on xy), everything appears normal, and the default IIS webpage over HTTPS (port 443) is displayed when TLS Inspection is not enabled.
However, as soon as TLS Inspection is enabled for the rule (without any other changes), the "client" browser shows an error message "x509: certificate signed by unknown authority" instead of displaying the default webpage.
Surprisingly again, with the exact same setup, TLS Inspection enabled, using the same Firewall, and from the same client, access to an external website like [www.microsoft.com] works as expected, showing the website contents.
In both cases, the certificate issued by the Intermediate Firewall CA is displayed as having a valid path.
-
ChaitanyaNaykodi-MSFT 24,666 Reputation points Microsoft Employee
2023-07-27T16:21:40.6066667+00:00 Thank you for providing the details above.
To troubleshoot the exact issue I think we will need specialized 1:1 session, where a support engineer can have a screen share session to pin point the issue. If you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details.
Subject : Attn Chaitanya
Thread URL: Link to this thread.
Subscription ID
Please let me know once you have done the same.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 71%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
Jacob A 0 Reputation points2023-11-14T05:09:34.08+00:00 The problem appears to be the Azure Firewall (TLS Inspection App Proxy) doesn't trust the Internal CA. It is not immediately obvious how to add your organization's PKI Root and Intermediates to the Firewall Policy to fix this.
Sign in to comment