Logic Apps failed API Get request when using HTTP connector with the message "Could not establish trust relationship for the SSL/TLS secure channel”

AMJ 6 Reputation points
2021-01-14T12:25:40.77+00:00

When calling Api using HTTP connector (GET method) from Azure Logic App the following message was popped up:

BadRequest. Http request failed with status code 'TrustFailure' and status message: 'The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.'.

The same URL returned correct message in browsers and Postman as below (XML format):

The URL did not require authentication. Why did the same URL worked in browsers (and postman) fail to generate a result in HTTP connection of the Logic App? How to overcome the "SSL/TLS" issue in Logic App?

Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,888 questions
Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
9,692 questions
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. MayankBargali-MSFT 69,416 Reputation points
    2021-01-15T05:16:25.26+00:00

    Hi @AMJ

    Welcome to Microsoft Q&A! Thanks for posting the question.

    The error will be observed in the scenario where there is an issue with the certificate at your configured HTTP endpoint or you are using self-sign certificate in multi tenant environment. If you want to use self sign certificate then the logic app should be in ISE. Please review Access for outbound calls to other services and systems for more details on TLS/SSL issue.

    In my scenario, I was able to reproduce the issue as the certificate was expired.

    Logic App Workflow :

    56870-image.png

    Error:

    56966-image.png

    Hope the above helps and you are able to find the cause of the issue by verifying the certificate of your HTTP endpoint.
    Feel free to get back to me if you need any assistance.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

    1 person found this answer helpful.
    0 comments No comments

  2. AMJ 6 Reputation points
    2021-01-18T02:31:37.84+00:00

    Hi @MayankBargali-MSFT

    Thank you so much for your response, really appreciated.

    It was neither an issue with the certificate at my configured HTTP endpoint nor I was using a self-sign certificate in multi tenant environment. But I did make an internal api call to my company. That explained the call went through with my browsers/Postman which still got valid SSL/TLS.

    ISE is an interesting topic which needs to be injected into VNet in the first place. Unfortunate I was using public cloud upon which PaaS was built. As such I couldn't test out. I may have to ditch logic apps solution to request an xml document.

    Instead, I was thinking to use data factory to make a REST api call and save the document id in the data lake with an xml format. Then extract the document id, parse it if required, integrate the document id to the actual url to get the document file back. Any light to shed?

    Regards


  3. AMJ 6 Reputation points
    2021-01-18T13:59:21.923+00:00

    Hi @MayankBargali-MSFT ,

    Very glad to hear from you again. Of course I'd be delighted to find out the cause of SSL/TLS error. So far I had tried

    • Basic authentication
    • Client certificate (with pfx base64 string and password)
    • Managed identity (turn on logic app identity)

    All came back with same error message as the one you displayed in your previous message. It seemed all made sense as logic app was in global scope and the url called was in private scope. I even made a data gateway (shared with power bi gateway), but http connector couldn't reference the gateway (all other storage could, such as sql server, sharepoint, data lake). I would think ISE was the only way to succeed. Like I mentioned before there would be lots of overhead in order to use ISE, such as creating VNet, subnets, security groups so on. It would be so grateful if you could confirm what I thought was correct.

    On the other hand using data factory needs rest api calls (with self-hosted gateway installed in the first place), which could only return json not xml. Unfortunately my request would return xml (job id), then another request would return xml document. Postman may be another option. It would be great if you could help to get my head around on how to request a private api and deal with xml response. I have been reading MS documents trying to find a way out. So far I do not have a clear direction.

    Regards


  4. AMJ 6 Reputation points
    2021-01-23T03:00:30.967+00:00

    Hi @MartinJaffer-MSFT ,

    That was very cool of you to extract out the job id in the example, appreciated.

    The question now is how to store the Api response output into a parameter in the first place. Please refer to the attached files.

    Eventually the job id cut out will be served as a query parameter to another URL which will return an XML document. So the ultimate question would be how to store the response in a format of xml from a REST Api call in a Web activity to a data lake storage.

    From this link (listed below)

    https://learn.microsoft.com/en-us/azure/data-factory/control-flow-web-activity

    I extracted out "REST endpoints that the web activity invokes must return a response of type JSON. " In other words the response I got back from Web Rest Api call in xml format was useless, could not be processed any further.

    All I want is a Rest api call to return an xml document from an on-prem server. I have tried all I could from the list below:

    • Logic app with a gateway (shared with power bi gateway), neither HTTP connector nor Custom Connector would allow me to do so;
    • Azure Data Factory with a separate gateway , neither Web activity nor Rest dataset would take in Rest Api Xml (Rest Api must be in Json format)
    • ISE would require to upgrade my current PaaS to IaaS. There would be lots of overhead and cost could be another concern. So I haven't tried ISE yet.
    • Postman. I could easily get my xml response (job id and document). The question would be how to store the response in Postman to Azure Data Lake?

    Please let me know if you had any brainstorm on the matter, gratefully appreciated.

    59753-01-api-pipeline.png59670-02-response-output.png


  5. AMJ 6 Reputation points
    2021-02-01T00:36:24.027+00:00

    Hi @MayankBargali-MSFT ,

    Custom Connector in Logic App can deal with REST OpenAPI file. In my case it was an on-prem API (not OpenAPI) which could possibly explain why it failed using Custom Connector though a gateway was established.

    Then I turned around to ADF, which returned a legit JSON response with XML (job id) embedded in a string as shown in my previous message.

    Now the question is 1). How to consume the JSON response requested via WEB activity; or 2). Instead of using WEB activity to request why not use a COPY activity with a REST dataset to save the JSON response to a .json file in a data lake?

    All seemed make sense. Prior to using COPY activity I used a JSON validator to make sure the response from WEB activity was valid and it did.

    After running the COPY activity I got the message as below:

    Failure happened on 'Source' side. ErrorCode=JsonInvalidDataFormat,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Error occurred when deserializing source JSON file ''. Check if the data is in valid JSON object format.,Source=Microsoft.DataTransfer.ClientLibrary,''Type=Newtonsoft.Json.JsonReaderException,Message=Unexpected character encountered while parsing value: <. Path '', line 0, position 0.,Source=Newtonsoft.Json,'

    Could you please tell me what it complained about? Was that because the embedded XML string which started with the symbol "<" though it had passed a JSON validator?

    Thanks for reminding me to raise a ticket to Microsoft. I do have the permission and authority to raise a ticket to Microsoft as a Chief Azure Data Engineer in my organisation. I'd like to wait until all possible solutions exhausted.