root certificate validation failed

R 0 Reputation points
2024-12-19T06:36:17.9333333+00:00

root certificate validation failed

Error:

{"code":"InvalidTemplateDeployment","message":"The template deployment 'Microsoft.ApplicationGateway-20241219114824' is not valid according to the validation procedure. The tracking id is 'fa2f097a-7c3b-44cb-809f-48aef3e78fca'. See inner errors for details.","details":[{"code":"ApplicationGatewayTrustedRootCertificateInvalidData","target":"/subscriptions/f72f76d8-1add-4c72-8764-9580067da1aa/resourceGroups/Free-Trail/providers/Microsoft.Network/applicationGateways/sites01-agw","message":"Data for certificate /subscriptions/f72f76d8-1add-4c72-8764-9580067da1aa/resourceGroups/Free-Trail/providers/Microsoft.Network/applicationGateways/sites01-agw/trustedRootCertificates/sites01-Backend_setting2a60660e-5efa-492a-bf09-b4ebbbf5b0aa is invalid.","details":[]}]}

###########

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.

1 answer

  1. Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator
    2024-12-19T09:00:13.5+00:00

    Hi @R,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    We think you're trying to configure your Application Gateway to trust a specific root certificate for backend server authentication. However, the data of this root certificate is somehow invalid in the context of the Application Gateway configuration.

    • Application Gateway expects trusted root certificates to be in .CER format, which is Base-64 encoded DER. This is a standard format for certificates.
    • Please verify whether you are using Base-64 encoded DER or a different format.
    • Open your certificate file (.cer) with a text editor and it should start with --BEGIN CERTIFICATE-- and end with --END CERTIFICATE--.
    • If it does not look like the above, you might be using a different format like PFX, PEM.
    • If you want, you can convert it to .CER as below:
    • Conversion from PEM to CER by using OpenSSL: openssl x509 -in your_certificate.pem -outform der -out your_certificate.cer
    • You can extract the root certificate from PFX to PEM by using OpenSSL: openssl pkcs12 -in your_certificate.pfx -cacerts -nokeys -out ca_certs.pem
    • After extracting, you can use the above command to convert it to CER.
    • After ensuring the certificate is in the correct format, try re-uploading it to the Application Gateway backend setting.
    • If you're using an ARM template, make sure you're providing the Base-64 encoded data correctly in your template.
    • Sometimes, copy-pasting certificate data can introduce invisible or special characters that corrupt the data.
    • Also verify the activity logs of the Azure Application Gateway, filter the logs by the time of the error, which will give more context about the issue.
    • Make sure that the backend pool associated with this backend setting is using HTTPS and that the backend servers are presenting certificates signed by the CA whose root certificate you're trying to upload.

    For your reference: https://learn.microsoft.com/en-us/azure/application-gateway/certificates-for-backend-authentication

    https://learn.microsoft.com/en-us/azure/application-gateway/mutual-authentication-certificate-management

    Kindly let us know if the above helps or you need further assistance on this issue.

    Thanks,

    Sai.
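
As an added example (not part of the answer above and not Microsoft tooling), this standard-library Python pre-check classifies a candidate file before upload, reports the invisible characters that copy-pasting can introduce, and returns clean single-line Base-64 for a template. The function names are hypothetical, `SAMPLE_DER` is a constructed placeholder rather than a real certificate, and the shape test is a heuristic on the outer ASN.1 header only.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
INVISIBLE = "\ufeff\u200b\u00a0"  # BOM, zero-width space, non-breaking space
# Constructed placeholder with the outer shape of a DER certificate (not a real cert).
SAMPLE_DER = b"\x30\x82\x01\x04" + b"\x30\x82\x01\x00" + bytes(256)


def der_shape(der: bytes):
    """Heuristic on the outer ASN.1 header only: 'cert', 'pfx' or None."""
    if len(der) < 4 or der[0] != 0x30:           # must open with a SEQUENCE
        return None
    if der[1] < 0x80:                            # short-form length
        hdr, length = 2, der[1]
    else:                                        # long-form: next n bytes hold the length
        n = der[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if length == 0 or hdr + length != len(der):  # trailing or missing bytes
        return None
    # X.509 starts with the tbsCertificate SEQUENCE, PKCS#12 with a version INTEGER.
    return {0x30: "cert", 0x02: "pfx"}.get(der[hdr])


def inspect_cert_file(raw: bytes):
    """Return (kind, findings, single-line Base-64 for the template or None)."""
    shape = der_shape(raw)
    if shape == "pfx":
        return "PFX", ["PKCS#12 container: extract the root certificate first"], None
    if shape == "cert":
        return "binary DER", [], base64.b64encode(raw).decode()
    text = raw.decode("utf-8", errors="replace")
    findings = [f"invisible character U+{ord(c):04X}" for c in INVISIBLE if c in text]
    text = text.translate({ord(c): None for c in INVISIBLE})
    if "PRIVATE KEY" in text:
        findings.append("private key present: upload only the public certificate")
    blocks = PEM_RE.findall(text)
    if len(blocks) > 1:
        findings.append(f"{len(blocks)} certificates in file: expected one root")
    body = blocks[0] if blocks else text
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:                           # bad alphabet, padding or non-ASCII
        return "unrecognized", findings + ["body is not valid Base-64"], None
    if der_shape(der) != "cert":
        return "unrecognized", findings + ["decoded data is not a DER certificate"], None
    kind = "Base-64 with BEGIN/END lines" if blocks else "bare Base-64"
    return kind, findings, base64.b64encode(der).decode()
```

This check does not confirm that the certificate is a CA certificate or that it signed the backend's certificate; it only catches container, encoding and stray-character problems.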
