Hi, To implement mTLS client authentication in azure app service node.js app, I did the following task: Created a certificate using Azure "App Service Certificate" & exported as p12 Configured custom domain for the node.js app Configured certificate to custom domain Created mTLS client authentication certificate (using openssl) from exported certificate (p12) In azure app service, Client certificate mode is set to required In azure app service, set environment variables “WEBSITE_LOAD_CERTIFICATES” and “WEBSITE_LOAD_ROOT_CERTIFICATES” to value certificate thumbprint Implemented mTLS client authentication certificate in node.js and other relevant codes Still, getting error “You don't have authorisation to view this page. HTTP ERROR 403” Is there something, am I missing out? Regards, Vishnu Rana

Hi , Please Verify Certificate Thumbprint : Double-check that the thumbprint you've configured in the WEBSITE_LOAD_CERTIFICATES and WEBSITE_LOAD_ROOT_CERTIFICATES environment variables matches the thumbprint of the certificate you've uploaded to Azure App Service. Even a small typo in the thumbprint can cause authentication failures. Kindly check and let us know

Implementing mTLS authentication in azure app service node.js app.

Vishnu Rana 0

Hi,

To implement mTLS client authentication in azure app service node.js app, I did the following task:

Created a certificate using Azure "App Service Certificate" & exported as p12
Configured custom domain for the node.js app
Configured certificate to custom domain
Created mTLS client authentication certificate (using openssl) from exported certificate (p12)
In azure app service, Client certificate mode is set to required
In azure app service, set environment variables “WEBSITE_LOAD_CERTIFICATES” and “WEBSITE_LOAD_ROOT_CERTIFICATES” to value certificate thumbprint
Implemented mTLS client authentication certificate in node.js and other relevant codes

Still, getting error “You don't have authorisation to view this page. HTTP ERROR 403”

Is there something, am I missing out?

Regards,

Vishnu Rana

VenkateshDodda-MSFT 18,281 Reputation points Microsoft Employee

2024-03-26T11:15:31.4133333+00:00

@Vishnu Rana Thank you for posting your question in Microsoft Q&A, apologize for any inconvenience caused on this.

Based on the share information, I understand that you want to create mutual TLS authentication in azure app service.

Have you gone this documentation, configure TLS mutual authentication for Azure App service which has the sample code for Node.js as well.

Hope this helps, let me if you have any further questions on this.

Vishnu Rana 0

Hi,

yes, i have gone through this document. Here, "X-ARR-ClientCert" header is being used.

As per some docs saying, this header work in conjuction with Azure Gateway Load balancer.

May be my understanding is wrong, but this example is not working.

Here are the code, i am using:

const fs = require('fs');
const https = require('https');
const express = require('express');
const app = express();

// File paths for certificate
const certificatePath = 'mtls_cert/combined.pem';

// Load your combined PEM certificate
const options = {
    key: fs.readFileSync(certificatePath),
    cert: fs.readFileSync(certificatePath)
};

// Create an HTTPS server
const server = https.createServer(options, app);

// Middleware to verify client certificate
app.use((req, res, next) => {
    if (!req.client.authorized) {
        return res.status(401).send('ERROR: Client certificate required.');
    }
    console.log('Client certificate CN:', req.client.getPeerCertificate().subject.CN);
    next();
});

// Your routes and application logic
app.get('/', (req, res) => {
    res.send('My Hello World!');
});

// Start the server
 const PORT = process.env.PORT || 3003;
 server.listen(PORT, () => {
     console.log(`My Node.js Server is running on port ${PORT}`);
});

Thanks

VenkateshDodda-MSFT 18,281 Reputation points Microsoft Employee

2024-03-28T11:42:10.1566667+00:00

@Vishnu Rana I have reached out to you over private message could you please check and help us with requested details to check further.

1 answer

Deepanshu katara 4,825 Reputation points

2024-03-23T17:42:05.97+00:00

Hi ,

Please Verify Certificate Thumbprint: Double-check that the thumbprint you've configured in the WEBSITE_LOAD_CERTIFICATES and WEBSITE_LOAD_ROOT_CERTIFICATES environment variables matches the thumbprint of the certificate you've uploaded to Azure App Service. Even a small typo in the thumbprint can cause authentication failures.

Kindly check and let us know
Please sign in to rate this answer.
Vishnu Rana 0 Reputation points

2024-03-25T22:21:59.21+00:00

Hi,

I checked both the environment variables for Thumbprint and it matches with certificates.

As mentioned:

Created a certificate using Azure "App Service Certificate" & exported as p12

Created mTLS client authentication certificate (using openssl) from exported certificate (p12)

But, only p12 certificate (SSL) is configured for custom domain and it shows in certificate section. I haven't uploaded any client certificate (.pem) to the certificate section.

Both certificate p12 & pem (which derived from p12) have same thumbprint, so, can not upload it (throws error for same thumbprint).

Now, In node.js, using following code snippet:

const fs = require('fs'); const https = require('https'); const express = require('express'); const app = express(); // File paths for certificate const certificatePath = 'mtls_cert/combined.pem'; // Load your combined PEM certificate const options = { key: fs.readFileSync(certificatePath), cert: fs.readFileSync(certificatePath) }; // Create an HTTPS server const server = https.createServer(options, app); // Middleware to verify client certificate app.use((req, res, next) => { if (!req.client.authorized) { return res.status(401).send('ERROR: Client certificate required.'); } console.log('Client certificate CN:', req.client.getPeerCertificate().subject.CN); next(); }); // Your routes and application logic app.get('/', (req, res) => { res.send('My Hello World!'); }); // Start the server const PORT = process.env.PORT || 3003; server.listen(PORT, () => { console.log(`My Node.js Server is running on port ${PORT}`); }); Thanks
Sign in to comment