Azure App Service Root CA clarification

Adam Riddick 1 Reputation point
2022-04-06T09:03:41.327+00:00

Hi,

We're experience an issue with an app hosting in Azure App Service (S1) with our SSO login (OAuth2/OIDC), whereby the remote certificate is not trusted.

When attempting to reach the well-known configuration endpoint of the authorization server, we get the error "The SSL connection could not be established, see inner exception. The remote certificate is invalid according to the validation procedure".

The remote certificate is issued by "Go Daddy Secure Certificate Authority - G2", which is the same issuer as the certificate used by our app running in Azure App Services and purchased through Azure.

Checking the root CA's list for app services, I can see that "Go Daddy Secure Certificate Authority - G2" is not present.

As we're not running on an isolated plan, we can't add custom certificates - though this isn't desirable anyway.

The list of trusted root CA's appears to be a vastly trimmed down version of the Microsoft Trusted Root Certificate Program, which doe sinclude GoDaddy Root Certificate Authority - G2.

Why do these lists differ, and is there anything can we do to resolve this, or better yet, to get those lists in sync?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,155 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. ajkuma 23,641 Reputation points Microsoft Employee
    2022-04-07T13:51:51.66+00:00

    AdamRiddick-5896, Thanks for posting this good question.

    I'm not sure if you have checked this doc Root CA on App Service already.

    Just to highlight, App Service has a list of Trusted Root Certificates which you cannot modify in the multi-tenant variant version of App Service (as in your case), but you can load your own CA certificate in the Trusted Root Store in an App Service Environment (ASE), which is a single-tenant environment in App Service.

    --(The Free, Basic, Standard, and Premium App Service Plans are all multi-tenant, and the Isolated Plans are single-tenant.)

    Yes, as you mentioned, when an app hosted on Azure App Service, tries to connect to a remote endpoint over SSL, it is important that the certificate on remote endpoint service is issued by a Trusted Root CA.

    So, in this case - There are two solutions (as mentioned in the doc'):

    1.Use a certificate that is issued by one of the Trusted Root Certificate Authorities in App Service on the remote server.

    2.If the remote service endpoint certificate could not be changed, host your app on an App Service Environment (ASE) and load your own CA certificate in the Trusted Root Store

    Kindly let us know, I'll follow-up with you further. Thanks for your patience!


  2. Guillermo Bandres Magallon 1 Reputation point
    2022-12-21T16:47:03.12+00:00

    Hi, I recently run into this issue with Azure App Services, my App Service connects to a backend that is issued by Go Daddy, and it is not working because Go Daddy Root CA is not added on /localmachine/root certs. I don't have any NSG blocking any traffic, is there any option to fix it or update Root CA certificates for Azure App Services multitenant?

    Thank you!

    0 comments No comments