Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
584 questions
Azure Front Door will sometimes only deliver a certificate after repeated requests
Martin Haug
36
Reputation points
I have configured Azure Front Door to deliver HTTPS-encrypted traffic on my Apex Domain.
However, both I and some of my customers sometimes observe that the server will not offer a TLS certificate upon establishing the connection. For a customer, this can mean that they are not able to use my website at all. Instead, the pageload will fail with PR_END_OF_FILE_ERROR in Firefox or other, similar error codes in other browsers.
This can be verified by running openssl s_client -port 443 typst.app where typst.app is my Apex Domain, for example in an Azure Cloud Shell. If the request fails, the output looks like this:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 303 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
When repeatedly calling the command after receiving this error, the server will start delivering a certificate as expected:
CONNECTED(00000006)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = "DigiCert, Inc.", CN = GeoTrust Global TLS RSA4096 SHA256 2022 CA1
verify return:1
depth=0 CN = typst.app
verify return:1
---
Certificate chain
0 s:CN = typst.app
i:C = US, O = "DigiCert, Inc.", CN = GeoTrust Global TLS RSA4096 SHA256 2022 CA1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 7 00:00:00 2023 GMT; NotAfter: Jan 7 23:59:59 2024 GMT
1 s:C = US, O = "DigiCert, Inc.", CN = GeoTrust Global TLS RSA4096 SHA256 2022 CA1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: May 4 00:00:00 2022 GMT; NotAfter: Nov 9 23:59:59 2031 GMT
2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
v:NotBefore: Nov 10 00:00:00 2006 GMT; NotAfter: Nov 10 00:00:00 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHfzCCBWegAwIBAgIQBcpPD/igtIC6+P4kvvfXzTANBgkqhkiG9w0BAQsFADBc
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xNDAyBgNVBAMT
(remaining certificate omitted)
-----END CERTIFICATE-----
subject=CN = typst.app
issuer=C = US, O = "DigiCert, Inc.", CN = GeoTrust Global TLS RSA4096 SHA256 2022 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4878 bytes and written 437 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: (redacted)
Session-ID-ctx:
Master-Key: (redacted)
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1699480538
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
How can I address this issue so that the certificate is always delivered?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 23,106 Reputation points Microsoft Employee2023-11-09T02:06:13.31+00:00 Thank you for reaching out.
To troubleshoot the exact issue I think we will need specialized 1:1 session, where a support engineer can have a screen share session to pin point the issue. If you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details.
Subject : Attn Chaitanya
Thread URL: Link to this thread.
Subscription ID
Please let me know once you have done the same.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 31%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELC%3C/text%3E%3C/svg%3E)
Luke Chadwick 0 Reputation points2023-11-09T07:41:26.31+00:00 As the customer we've been seeing something similar. In two incidents on the 6th and 8th we've had issues connecting to a provider API in node it was manfesting like
TypeError: fetch failed at Object.fetch (node:internal/deps/undici/undici:11372:11) at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async fetchWithAccessToken (/app/apps/platform/.next/server/chunks/4138.js:768:21) at async Module.getSalesOrder (/app/apps/platform/.next/server/chunks/4138.js:877:17) at async buildCheckSalesOrder (/app/apps/platform/.next/server/chunks/4634.js:813:31) at async cachePaymentMethods (/app/apps/platform/.next/server/pages/api/trpc/[trpc].js:2078:22) at async /app/apps/platform/.next/server/pages/api/trpc/[trpc].js:2113:13 at async resolveMiddleware (file:///app/node_modules/.pnpm/@trpc+server@10.0.0-rc.1/node_modules/@trpc/server/dist/index.mjs:383:30) at async callRecursive (file:///app/node_modules/.pnpm/@trpc+server@10.0.0-rc.1/node_modules/@trpc/server/dist/index.mjs:419:32) at async next (file:///app/node_modules/.pnpm/@trpc+server@10.0.0-rc.1/node_modules/@trpc/server/dist/index.mjs:427:32) { cause: Error: read ECONNRESET at TLSWrap.onStreamRead (node:internal/stream_base_commons:217:20) at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17) { errno: -104, code: 'ECONNRESET', syscall: 'read' } }When trying with curl, I got:
curl --insecure -vvI https://REDACTED.domain * Trying REDACTED.REDACTED.REDACTED.REDACTED:443... * TCP_NODELAY set * Connected to REDACTED.domain (REDACTED.REDACTED.REDACTED.REDACTED) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * OpenSSL SSL_connect: Connection reset by peer in connection to REDACTED.domain:443 * Closing connection 0 curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to REDACTED.domain:443Like you it was behaving intermittently.
As of about 5 hours ago this is no longer happening for us, but given that it also occurred 2 days ago I'm not holding my breath.
Obviously can't guarantee this is/was the same issue. But figured it was worth mentioning given the timing.
-
Martin Haug 36 Reputation points
2023-11-09T10:17:18.1+00:00 Similarly to what @Luke Chadwick described in the answer below, we cannot currently observe this issue.
-
Luke Chadwick 0 Reputation points
2023-11-09T12:10:35.3066667+00:00 It's now started happening for me again. Just got alerted by our healthcheck. This time tested with openssl as @Martin Haug has been above.
openssl s_client -port 443 REDACTED.domain CONNECTED(00000003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 309 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) ---Subsequent attempts from my Amazon server seem to load the certificate.
This behaviour occurs across multiple servers, multiple Amazon VPCs, and multiple providers (I have tested on Digital Ocean as well).
Edit: Also for Martin's info, it's not happening on an APEX domain (I'm redacting the domain because it's not my API, but it's a subdomain)
-
ChaitanyaNaykodi-MSFT 23,106 Reputation points Microsoft Employee
2023-11-14T08:14:40.5566667+00:00 Thank you for getting back. If you are still facing this issue. Can you please send an email to us as requested above? Or please let us know if you have opened a support request for this issue.
-
ChaitanyaNaykodi-MSFT 23,106 Reputation points Microsoft Employee
2023-11-16T02:38:38.8166667+00:00 Just following up here to see if you were able take a look at my comment above. Thank you!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 62%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESJ%3C/text%3E%3C/svg%3E)
Setthawut Janarphorn 0 Reputation points2024-02-17T12:00:43.4266667+00:00 @Martin Haug @Luke Chadwick Hello, Can you guys update, how was going ?. Lately i got Error "Connection Reset by Peer" too. That URL using for mobile device connect to AFD CDN and endpoint to storage account. Sometime Mobile device connect to AFD CDN and got "Connection Reset by Peer". look like don't have any logs in "FrontDoorAccessLog" so there is no way I can investigate the issue using logs. I try using url command and sometime got logs im not sure is the same with you guys.
* Connected to cdn.xxxxxxxdomain.com (13.107.xxx.xxx) port 443 * ALPN: curl offers h2,http/1.1 * (304) (OUT), TLS handshake, Client hello (1): } [330 bytes data] * (304) (IN), TLS handshake, Server hello (2): { [102 bytes data] * TLSv1.2 (IN), TLS handshake, Certificate (11): { [4408 bytes data] * TLSv1.2 (IN), TLS handshake, Server key exchange (12): { [333 bytes data] * TLSv1.2 (IN), TLS handshake, Server finished (14): { [4 bytes data] * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): } [70 bytes data] * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): } [1 bytes data] * TLSv1.2 (OUT), TLS handshake, Finished (20): } [16 bytes data] 0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to cdn.xxxxxxxdomain.com:443 0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0 * Closing connection curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to cdn.xxxxxxxdomain.com:443
Sign in to comment