Azure invalid Cisco certificate issuer: not before overlap

Vincent Nikkelen MKB 21 Reputation points
2021-03-19T12:51:36.453+00:00

Our App Service (let's say APP.azurewebsites.net) is running on a P1V2 plan, .NET 3.1 and Windows in EUWE.

Since Wednesday 2021-03-17, 12:33 UTC we see one of our functions (let's say FUNC.azurewebsites.net) in the same VNet and plan emitting the following exception:

The SSL connection could not be established, see inner exception. The remote certificate is invalid according to the validation procedure.

Accessing APP from the public internet results in a valid certificate issued by Microsoft and valid till Sept 2021.

Accessing APP from our VNet results in the error (e.g. with Firefox)

Firefox does not trust APP.azurewebsites.net because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates. Error code: SEC_ERROR_UNKNOWN_ISSUER

On closer inspection, we see this is a different certificate:
Validity not before: Wed, 17 Mar 2021 11:00:13 GMT
Not after: Mon, 22 Mar 2021 11:00:13 GMT
Issuer: Cisco Umbrella Secondary SubCA ams-SG

Investigating the SubCA we see the following:
Validity not before: Wed, 17 Mar 2021 18:40:31 GMT
Not after: Sun, 28 Mar 2021 18:40:31 GMT

In other words, our problem started 12:33 GMT, probably because the new certificate was used (11:00 GMT) but signed with a sub certificate that isn't valid until 6 hours later!!!

How can we resolve this issue? We have seen something like this before in our development environment but didn't do any deeper investigation at that time. The problem solved itself (hinting at the same certificate issue).

More details on our subscription and the real applications are hidden for security reasons.

Thank you in advance.

Best regards,
Vincent

Azure App Service

Accepted answer
brtrach-MSFT 15,791 Reputation points Microsoft Employee
2021-03-20T00:39:09.957+00:00

Hi Vincent,

This Cisco Umbrella certificate is not coming from Azure.

Most likely your client machine is in a network protected by the Cisco Umbrella product. We suggest reaching out to Cisco for further support.

Another option to resolve this issue is to bind a custom domain and add an SSL certificate (Free or App Service or any other certificate) so that you do not use the .azurewebsites.net URL.

Please note the last time we saw something like this, there was a Cisco Umbrella product on the company's corporate network and it was blocking .azurewebsites.net, and thus producing its own cert for the site.

Please review your network further to see what might be interfering. If you have exhausted all options and believe there to be an issue with Azure, please reply back and tag me in your response so I receive an email. We can take it further from there.
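The two observations in this thread (a leaf certificate whose issuing SubCA is not yet valid, and an issuer that is not the one seen from the public internet) can both be checked mechanically once a chain has been captured from the TLS handshake. The script below is an added example written for this page; it is not code from the poster or from Microsoft. The intercepted chain is constructed from the names and dates quoted in the question; the SubCA's own issuer is not shown in the post and is a placeholder, and the "public" Microsoft-issued chain is a stand-in with made-up dates (the post only says it is valid until September 2021).

```python
"""Check a captured TLS chain for two problems seen in the thread above:
(1) a certificate whose validity window starts before its issuer's, so no valid
path exists for a while, and (2) a leaf issuer that is not the expected CA, which
on an .azurewebsites.net host suggests the connection is being re-signed in transit."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def parse_gmt(text: str) -> datetime:
    """Parse the 'Wed, 17 Mar 2021 11:00:13 GMT' form shown in Firefox's certificate viewer."""
    return datetime.strptime(text, "%a, %d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)


# Constructed from the values quoted in the question (leaf first, then its issuer).
# The SubCA's own issuer is not shown in the post, so it is a placeholder.
INTERCEPTED_CHAIN: List[CertInfo] = [
    CertInfo("APP.azurewebsites.net", "Cisco Umbrella Secondary SubCA ams-SG",
             parse_gmt("Wed, 17 Mar 2021 11:00:13 GMT"), parse_gmt("Mon, 22 Mar 2021 11:00:13 GMT")),
    CertInfo("Cisco Umbrella Secondary SubCA ams-SG", "<root CA, not shown in post>",
             parse_gmt("Wed, 17 Mar 2021 18:40:31 GMT"), parse_gmt("Sun, 28 Mar 2021 18:40:31 GMT")),
]

# Constructed stand-in for the chain seen from the public internet: Microsoft-issued,
# valid until September 2021. CA name and exact dates are assumptions, not from the post.
PUBLIC_CHAIN: List[CertInfo] = [
    CertInfo("APP.azurewebsites.net", "Microsoft-issued CA (name not in post)",
             parse_gmt("Mon, 01 Mar 2021 00:00:00 GMT"), parse_gmt("Wed, 01 Sep 2021 00:00:00 GMT")),
    CertInfo("Microsoft-issued CA (name not in post)", "<root CA, not shown in post>",
             parse_gmt("Wed, 01 Jan 2020 00:00:00 GMT"), parse_gmt("Sat, 01 Jan 2022 00:00:00 GMT")),
]


def validity_gaps(chain: List[CertInfo]) -> List[Tuple[str, datetime, datetime]]:
    """Return (subject, start, end) intervals in which a certificate is inside its own
    validity window but its issuer is not. No verifier can build a valid path then."""
    gaps = []
    for cert, issuer in zip(chain, chain[1:]):
        if issuer.subject != cert.issuer:
            raise ValueError(f"chain broken: {cert.subject!r} names issuer {cert.issuer!r}, "
                             f"but the next certificate is {issuer.subject!r}")
        if issuer.not_before > cert.not_before:          # issuer starts too late
            gaps.append((cert.subject, cert.not_before, min(issuer.not_before, cert.not_after)))
        if issuer.not_after < cert.not_after:            # issuer expires too early
            gaps.append((cert.subject, max(issuer.not_after, cert.not_before), cert.not_after))
    return gaps


def chain_valid_at(chain: List[CertInfo], when: datetime) -> bool:
    """True if every certificate in the chain is within its validity window at `when`."""
    return all(c.not_before <= when <= c.not_after for c in chain)


def leaf_issuer_matches(chain: List[CertInfo], expected_fragment: str) -> bool:
    """True if the leaf's issuer name contains the CA we expect for this host."""
    return expected_fragment.lower() in chain[0].issuer.lower()


def diagnose(chain: List[CertInfo], when: datetime, expected_issuer_fragment: str) -> Dict[str, object]:
    """Combine the checks into one report for a chain observed at time `when`."""
    return {
        "valid_at": chain_valid_at(chain, when),
        "gaps": validity_gaps(chain),
        "issuer_as_expected": leaf_issuer_matches(chain, expected_issuer_fragment),
    }


if __name__ == "__main__":
    # The moment the poster's errors began.
    observed = parse_gmt("Wed, 17 Mar 2021 12:33:00 GMT")
    for name, chain in (("from VNet", INTERCEPTED_CHAIN), ("from internet", PUBLIC_CHAIN)):
        report = diagnose(chain, observed, "Microsoft")
        print(name, report["valid_at"], report["issuer_as_expected"])
        for subject, start, end in report["gaps"]:
            print(f"  {subject}: unverifiable from {start:%Y-%m-%d %H:%M:%S} to {end:%Y-%m-%d %H:%M:%S} ({end - start})")
```

Running it shows the VNet chain as not valid at 12:33 UTC, with the leaf unverifiable from 11:00:13 until the SubCA's notBefore at 18:40:31, and with a leaf issuer that does not match the Microsoft-issued certificate seen from outside; the second finding is the one that points at in-path interception rather than at Azure. In practice the `CertInfo` records would be filled from the peer chain of an `ssl` connection rather than typed in.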


0 additional answers
