

APIM and SF backend with trusted certificate results in "Could not establish trust relationship for the SSL/TLS secure channel"

Question

Wednesday, September 27, 2017 12:58 PM

Hi, we are using Azure API Management to call a Service Fabric back-end. The Service Fabric back-end has a certified server certificate installed. We get this error:

service-fabric-backend (26.751 ms)
{
    "messages": [
        "Error occured while calling backend service.",
        "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.",
        "The remote certificate is invalid according to the validation procedure."
    ]
}

So I guess it has to be something with the certificate? The policy in APIM looks like this:

<set-backend-service sf-service-instance-name="fabric:/PaymentsPlatform/PaymentsPlatform.AccountInformationService" backend-id="accountinformationservice" />

and I added it through the REST API with:

{
    "title": "Our SF Service",
    "description": "Our SF Service",
    "url": "fabric:/ServicePlatform/ServicePlatform.OurService",
    "protocol": "http",
    "resourceId": "https://cluster.serviceplatform.com:19080",
    "skipCertificateChainValidation": true,
    "properties": {
        "serviceFabricCluster": {
            "managementEndpoints": ["https://cluster.serviceplatform.com:19080"],
            "clientCertificateThumbprint": "Client cert thumb",
            "serverCertificateThumbprints": "server cert thumb",
            "maxPartitionResolutionRetries" : 5
        }
    }
}

APIM resolves the Service Fabric service ok, but we get an IP-address back:

service-fabric-backend (0.716 ms)
{
    "message": "Request is being forwarded to the backend service.",
    "request": {
        "method": "GET",
        "url": "https://10.0.0.5:20013/serviceplatform/ourservice",
...

And now when APIM calls the service with the IP address it gets rejected, because SF has the server certificate installed and will not allow this IP address call. So how can we set up APIM to call with the correct URL that is set up with SF and not the IP address?

Thanks!
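An added example (not code from the thread, from APIM or from Service Fabric) of why the trace above fails: the endpoint Service Fabric resolves is an IP literal, and a TLS client compares an IP literal only with IP-address SAN entries, so a certificate issued for cluster.serviceplatform.com cannot pass the name check when the peer is dialled as 10.0.0.8. Pinning the server certificate thumbprint, which is what the serverCertificateThumbprints field in the backend entity carries, checks the certificate hash instead of the name; the certificate dictionary, the DER bytes and the pinned value below are constructed.

```python
import hashlib
import hmac
import ipaddress

def dns_match(pattern, host):
    """RFC 6125-style match: a leading '*.' covers exactly one DNS label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def cert_matches_host(cert, host):
    """Name check as a TLS client performs it after chain validation.
    `cert` has the shape ssl.SSLSocket.getpeercert() returns. An IP literal
    is compared only with 'IP Address' SAN entries, never with DNS names,
    so a certificate issued for a hostname fails when dialled by IP."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_match(value, host):
            return True
    return False

def thumbprint(der):
    # SHA-1 over the DER encoding, the form Azure shows as the thumbprint.
    return hashlib.sha1(der).hexdigest().upper()

def thumbprint_matches(der, expected):
    expected = expected.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(thumbprint(der), expected)

def accept_backend(cert, der, host, pinned_thumbprints=()):
    """Trust decision for one backend connection: the normal name check
    first; otherwise only an explicit thumbprint pin can admit the peer."""
    if cert_matches_host(cert, host):
        return True
    return any(thumbprint_matches(der, t) for t in pinned_thumbprints)

# Constructed sample data (not a real certificate): SANs for the cluster
# name used in the thread, and placeholder DER bytes to hash.
CLUSTER_CERT = {
    "subjectAltName": (("DNS", "cluster.serviceplatform.com"),
                       ("DNS", "*.serviceplatform.com")),
}
FAKE_DER = b"constructed placeholder, not a real DER certificate"
PINNED = [thumbprint(FAKE_DER)]  # the value an operator would paste into APIM
```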

All replies (12)

Thursday, September 28, 2017 6:03 AM

I would suggest you refer to this article: /en-us/azure/service-fabric/service-fabric-api-management-quick-start#configure-a-backend-policy, which explains how to deploy API Management and Service Fabric on Azure, so you can check whether you have followed the same process or not.

Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.


Thursday, September 28, 2017 1:29 PM

Yes, that's the one I followed. But it's a simpler and more general example. It's not using certificates and HTTPS etc., which is the problem. Now we get the call working, but it's using HTTPS to call a resolved SF endpoint which is an IP address, so the server certificate in the SF cluster will reject it.

Jonas


Saturday, September 30, 2017 2:43 AM

I would suggest you to setup the Service Fabric Backend with SkipCertificateChainValidation in API Management: /en-us/azure/api-management/api-management-faq#can-i-use-a-self-signed-ssl-certificate-for-a-back-end.

Then we would not validate the Certificate and it will work.

Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.


Saturday, September 30, 2017 2:08 PM

Unfortunately not working, it's what I tried already (if you see my backend config above "skipCertificateChainValidation": true is included). Note that the certificate is not self-signed. It's a real trusted registered certificate. 

Here is the complete trace from APIM: It resolves the backend IP-address and does the call correct:

service-fabric-backend (0.082 ms)
{
    "message": "Resolving partition",
    "resourceId": "https://cluster.serviceplatform.com:19080",
    "managementEndpoint": [
        "https://cluster.serviceplatform.com:19080"
    ],
    "serviceName": {},
    "partitionKey": {
        "kind": "Singleton"
    }
}

service-fabric-backend (0.033 ms)
{
    "message": "Partition successfully resolved",
    "serviceName": {},
    "partitionId": {},
    "partitionVersion": "%7B%22PartitionId%22:%22be716b27-7f05-46d8-bed2-9a344b023bf4%22,%22FMVersion%22:%22631%22,%22StoreVersion%22:%221081%22,%22GenerationNumber%22:%7B%22Generation%22:%22131509762322974120%22,%22NodeId%22:%7B%22Id%22:%22f82f8b56bdae0040ff4874e22afecbf0%22%7D%7D%7D",
    "endpointsCount": 5
}

service-fabric-backend (0.055 ms)
{
    "message": "Trying instance",
    "url": "https://10.0.0.8:20089",
    "type": "Stateless"
}

service-fabric-backend (0.545 ms)
{
    "message": "Request is being forwarded to the backend service.",
    "request": {
        "method": "GET",
        "url": "https://10.0.0.8:20089/serviceplatform/ourservice",
        "headers": [
            {
                "name": "Origin",
                "value": "https://apimanagement.hosting.portal.azure.net"
            },
            {
                "name": "Ocp-Apim-Subscription-Key",
                "value": "be9866c9892540689af9eb12ebc41cce"
            },
            {
                "name": "Cache-Control",
                "value": "no-cache"
            },
            {
                "name": "Accept",
                "value": "*/*"
            },
            {
                "name": "Accept-Encoding",
                "value": "gzip,deflate,br"
            },
            {
                "name": "Accept-Language",
                "value": "en-US,en;q=0.8,sv-SE;q=0.5,sv;q=0.3"
            },
            {
                "name": "Authorization",
                "value": "Bearer [token removed]"
            },
            {
                "name": "Referer",
                "value": "https://apimanagement.hosting.portal.azure.net/apimanagement/Content/1.0.220.1/apimap/index.html?locale=en&trustedAuthority=https://portal.azure.com"
            },
            {
                "name": "User-Agent",
                "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063"
            },
            {
                "name": "X-Forwarded-For",
                "value": "155.4.134.19"
            }
        ]
    }
}

service-fabric-backend (27.469 ms)
{
    "messages": [
        "Error occured while calling backend service.",
        "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.",
        "The remote certificate is invalid according to the validation procedure."
    ]
}

service-fabric-backend (0.462 ms)
{
    "message": "Leaving retry section. Retry condition was not met."
}

service-fabric-backend (0.022 ms)
{
    "message": "Leaving retry section. Retry condition was not met."
}

Tuesday, October 3, 2017 4:59 PM

I would suggest you to set "skipCertificateChainValidation": false and try it again.

This needs to be done on the BackendEntity.

Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.


Wednesday, October 4, 2017 7:25 AM

We tried that, it's no different, same error. But note it's a trusted certificate as we are planning for production, so we need a production recommended solution to this, or is it so that APIM and SF are not in a production ready state yet? Just let us know so we know how to move forward.

Thanks, Jonas


Wednesday, October 4, 2017 4:36 PM

I would suggest you to create Technical Support Ticket as our engineers need to work with you on the issue and would require more details on the issue to find the root cause of the issue.

Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.


Friday, January 19, 2018 9:26 AM

Any news on this issue? We are experiencing the same error with using an api management and a backend service that uses an untrusted cert 


Saturday, January 20, 2018 11:30 AM

Any news on this issue? We are experiencing the same error with using an api management and a backend service that uses an untrusted cert 

Could you try the suggestions mentioned in the above posts and see if it helps?

Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.


Monday, January 22, 2018 10:10 AM

We haven't found a solution yet. Although we have problems with trusted certificates, so maybe the suggestions above will work for your untrusted certs.

Jonas


Thursday, September 26, 2019 3:01 PM

Hello Jonas,

We're having a similar issue while posting a request to our on-prem service from API Management. Ours is a trusted cert too. Could you please help us with this?

forward-request (742 ms)

{
    "messages": [
        "Error occured while calling backend service.",
        "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.",
        "The remote certificate is invalid according to the validation procedure."
    ]
}

Tuesday, October 1, 2019 3:54 PM

Have you imported the certificate into APIM, and are you using the thumbprint to attach the certificate before the backend call?

Pi_xel_xar
