SSL Handshake Fail error 525 in Application Gateway

Rajat Srivastava 40

Hi,

So I have two function app (1 for prod and 1 for test environment). Application Gateway is supposed to expose those function app.

I have created Listener, rules etc for the Test function App. The listener type is multi-site and a valid SSL certificate is uploaded in the Key vault which is pointed by the Application Gateway. The backend settings are supposed to override the hostname and pick the hostname from backend. Cloudflare has the A record entry to point the domain name to the public IP of the App Gateway. The Test env is working fine.

However, for the Prod env, I have the exact same configurations, with a different hostname, a different SSL certificate (created using the same process) and a different backend pool. But I am getting SSL Handshake Fail error 525. I have tried re-uploading the certificate and re-creating the listener. But nothing seems to work.

Can anyone help me troubleshoot this issue?

Luke Murray 11,091 Reputation points MVP

2024-07-12T08:16:32.95+00:00

What is the Cloudflare SSL setting for Prod, and is it a different configuration to dev?

https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/
Rajat Srivastava 40 Reputation points

2024-07-12T10:44:09.2666667+00:00

Hi @Luke Murray ,

Thanks for your response.

The configurations are exactly similar for both the environment. Even the certificates for both the environments were procured using the same exact process (and issued from the same CA)
Luke Murray 11,091 Reputation points MVP

2024-07-12T10:47:45.9266667+00:00

Application Gateways wants you to use Access Policies over RBAC, so make sure you're using Access policies; if you are, then the certificate details should pass through, I had a similar issue recently with a customer, also make sure that the Key Vault firewall allows access from the App Gateway.
Rajat Srivastava 40 Reputation points

2024-07-12T10:52:28.4133333+00:00

I am using access policy in Key Vault and have proper permissions configured for Application Gateway Managed Identity (For Secret and Certificate both).

As I mentioned, the configurations are exactly same for both the environment however the prod env is failing but test seems to be working fine without any issue.
Luke Murray 11,091 Reputation points MVP

2024-07-12T10:58:03.1233333+00:00

On the Application Gateway, go to: Diagnose and solve problems

Select End to End SSL Offload

Select Configure End to End SSL

Type in your URL and click Run Diagnostics, it will check the SSL certificate settings and chains.
Rajat Srivastava 40 Reputation points

2024-07-17T10:50:18.1733333+00:00

Hi @Luke Murray ,

Just tried digging into the 'Diagnose and solve problems' tab.

I tried testing the 'End to End SSL or SSL offload. That failed for the Prod and Test listeners both (even though I am able to access the functions via the Test Listener).

The back end setting has 'Over-ride with new Host Name' selected, since we needed to have the same domain name attatched on another Function App which will be accessed directly (without routing to Application Gateway). The check might be failing because of this reason.

Also, the internal DNS server has entries pointing the domain name to the function app instead of the App Gateway IP (since we need to access the function app directly from internal network and via Application Gateway for public traffic, as I mentioned earlier)
Luke Murray 11,091 Reputation points MVP

2024-07-17T19:58:04.89+00:00

Have you linked the private DNS zones to the same VNET as the App Gateway?

ou may need to add in the root cert from your backends as well (Create certificates to allow the backend with Azure Application Gateway), if your doing mTLS.
Rajat Srivastava 40 Reputation points

2024-07-30T12:50:48.4866667+00:00

Hi @Luke Murray ,

We are using Internal DNS servers (with A record Entries) and no Private DNS Zones. The DNS resolution seems to be okay since all other services (including Function App and VMs) are able to access the Key Vault. We also found out that making the Key Vault public solves the problem. But I am not sure how is it possible that everything else in the VNET is able to access the Key Vault except for Application Gateway.
Luke Murray 11,091 Reputation points MVP

2024-07-31T06:25:33.61+00:00

Hi, Rajat

Do you have the Service Endpoint for KeyVault enabled for the App Gateway subnet and trusted Microsoft services set?

Its a bit 'finicky' have a look at here: Verify Firewall Permissions to Key Vault
Rajat Srivastava 40 Reputation points

2024-07-31T11:00:08.9166667+00:00
Hi @Luke Murray ,

Thanks for you help so far.

I did try enabling service endpoint in my demo environment, but I did not enable "Allow trusted microsoft services...." option in the Key Vault Firewall. It did not work in this configuration.

Maybe I'm missing out something but why would I need both Service Endpoints and "Allow Trusted Microsoft Services..." option enabled at the same time? Should either of the options not suffice the resolution of the problem?

Also, about the Key Vault private endpoint DNS resolution issue, is it documented as limitation by Microsoft as a limitation/consideration. All I could find was a thread where people faced the similar issue, but no Microsoft documentation stating this out as a limitation/consideration.

1 answer

Pinaki Ghatak 4,690 Reputation points Microsoft Employee

2024-07-12T09:38:46.85+00:00

Hello @Rajat Srivastava

Firstly, let's understand what this error means. Error 525 occurs when the SSL handshake between the client and the server fails.

This can happen due to various reasons such as an invalid SSL certificate, incorrect SSL configuration, or firewall blocking the SSL connection.

Since you have already tried re-uploading the certificate and re-creating the listener, let's try to narrow down the issue.

Can you please confirm if the SSL certificate for the production environment is valid and issued by a trusted Certificate Authority (CA)? You can check this by opening the certificate and verifying the details.

Also, please check if the backend pool for the production environment is configured correctly and the function app is accessible from the backend pool IP address or FQDN.

If the SSL certificate and backend pool are configured correctly, then it could be a firewall issue.

Please check if any firewall is blocking the SSL connection between the client and the server. Additionally, you can try enabling diagnostic logging for the Application Gateway to get more information about the error. You can find the logs in the Azure portal under the Application Gateway's Monitoring section.

I hope this helps
Please sign in to rate this answer.
Rajat Srivastava 40 Reputation points

2024-07-12T10:41:25.84+00:00

Hi, @Pinaki Ghatak

Thanks for your response.

The certificate is perfectly valid. I tried binding the same certificate to a function app (to confirm that I have a valid certificate) and it was working fine, I got no error.

The back end pool are shown 'healthy' in the Application Gateway and The function App in the back end pool is up and running fine (tried accessing it internally).

The certificate is issued by GoDaddy and was procured in the exact same way as the certificate for Test Environment (which is working fine). The validity of both the certificate is until September.

However, one strange thing that I noticed -

In the Application Gateway > Listeners > (Listener TLS certificate tab),

I could see both the certificates (pointed in two different Key Vaults, one for prod and one for test). The prod certificate (the one having the issue, apparently) did not have any expiration date in the expiration date column. The Test certificate (which is working) had the expiration date. In the Key Vault however, I could see the expiration date along with other details for the prod certificate as well. Not sure if it was a glitch or what.

Luke Murray 11,091 Reputation points MVP

2024-07-12T10:46:23.06+00:00

Application Gateways wants you to use Access Policies over RBAC, so make sure your using Access policies, if you are then the certificate details should pass through.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

SSL Handshake Fail error 525 in Application Gateway

1 answer

Your answer