Question (asked by VincentNikkelenMKB-2411)

Azure invalid Cisco certificate issuer: not before overlap

Our App Service (let's say APP.azurewebsites.net) is running on a P1V2 plan, .NET 3.1 and Windows in EUWE.

Since Wednesday 2021-03-17, 12:33 UTC we see one of our functions (let's say FUNC.azurewebsites.net) in the same VNet and plan emitting the following exception:

The SSL connection could not be established, see inner exception. The remote certificate is invalid according to the validation procedure.

Accessing APP from the public internet results in a valid certificate issued by Microsoft and valid till Sept 2021.

Accessing APP from our VNet results in the error (e.g. with Firefox):

Firefox does not trust APP.azurewebsites.net because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates. Error code: SEC_ERROR_UNKNOWN_ISSUER

On closer inspection, we see this is a different certificate:
Validity not before: Wed, 17 Mar 2021 11:00:13 GMT
Not after: Mon, 22 Mar 2021 11:00:13 GMT
Issuer: Cisco Umbrella Secondary SubCA ams-SG

Investigating the SubCA we see the following:
Validity not before: Wed, 17 Mar 2021 18:40:31 GMT
Not after: Sun, 28 Mar 2021 18:40:31 GMT

In other words, our problem started at 12:33 GMT, probably because the new certificate was used (11:00 GMT) but signed with a SubCA certificate that isn't valid until 6 hours later!!!

How can we resolve this issue? We have seen something like this before in our development environment but didn't do any deeper investigation at that time. The problem resolved itself (hinting at the same certificate issue).

More details on our subscription and the real applications are hidden for security reasons.

Thank you in advance.

Best regards,
Vincent

Tags: azure-webapps-ssl-certificates

1 Answer

brtrach-MSFT answered:

Hi Vincent,

This Cisco Umbrella certificate is not coming from Azure.

Most likely your client machine is in a network protected by Cisco Umbrella product. We suggest reaching out to Cisco for further support.

Another option to resolve this issue is to bind a custom domain and add an SSL certificate (Free or App Service or any other certificate) so that you do not use the .azurewebsites.net URL.

Please note the last time we saw something like this, there was a Cisco Umbrella product on the company's corporate network and it was blocking .azurewebsites.net, and thus producing its own cert for the site.

Please review your network further to see what might be interfering. If you have exhausted all options and believe there to be an issue with Azure, please reply back and tag me in your response so I receive an email. We can take it further from there.

1 comment (VincentNikkelenMKB-2411):

Hi,

thank you for the support. I'll investigate further internally.

We were using a custom domain name with a CNAME reference and that didn't help at all. Only after we removed the custom domain did we realize it wasn't our own domain certificate that was causing the problems.

Again, thank you very much. You've been very helpful.

Vincent

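The thread above hinges on two observations: the leaf certificate seen from inside the VNet carries an issuer that is not Microsoft's (the answer's point: a TLS-intercepting proxy such as Cisco Umbrella is re-signing the site), and that leaf's notBefore is earlier than the notBefore of the SubCA that signed it (the question's point: the chain cannot validate until the SubCA becomes valid). The script below is an added example written for this page; it is not code from the question, the answer, Microsoft or Cisco. It encodes the two checks against certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns. The validity dates and the SubCA common name are the ones quoted in the question; the subject/issuer DNs, the "healthy" Microsoft-issued pair, the `EXPECTED_ISSUER_SUBSTRING` value and the `probe()` helper's host are assumptions made for the example.

```python
import socket
import ssl

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert()
# returns. Dates and the SubCA common name are those quoted in the question;
# the remaining DN content is assumed for the example.
INTERCEPTED_LEAF = {
    "subject": ((("commonName", "APP.azurewebsites.net"),),),
    "issuer": ((("commonName", "Cisco Umbrella Secondary SubCA ams-SG"),),),
    "notBefore": "Mar 17 11:00:13 2021 GMT",
    "notAfter": "Mar 22 11:00:13 2021 GMT",
}
INTERCEPTING_SUBCA = {
    "subject": ((("commonName", "Cisco Umbrella Secondary SubCA ams-SG"),),),
    "issuer": ((("commonName", "Cisco Umbrella Root CA"),),),  # assumed name
    "notBefore": "Mar 17 18:40:31 2021 GMT",
    "notAfter": "Mar 28 18:40:31 2021 GMT",
}
# What a direct connection should look like. The question only says "issued by
# Microsoft and valid till Sept 2021", so CA name and exact dates are assumed.
HEALTHY_LEAF = {
    "subject": ((("commonName", "*.azurewebsites.net"),),),
    "issuer": ((("commonName", "Microsoft Example Issuing CA"),),),
    "notBefore": "Mar 10 00:00:00 2021 GMT",
    "notAfter": "Sep 10 00:00:00 2021 GMT",
}
HEALTHY_ISSUER = {
    "subject": ((("commonName", "Microsoft Example Issuing CA"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Jan 01 00:00:00 2020 GMT",
    "notAfter": "Jan 01 00:00:00 2025 GMT",
}
# Assumption: the CA DN of a genuine Azure-issued cert mentions Microsoft.
EXPECTED_ISSUER_SUBSTRING = "Microsoft"


def dn_to_str(rdns):
    """Flatten getpeercert()'s nested RDN tuples into 'CN=..., O=...'."""
    short = {"commonName": "CN", "organizationName": "O", "countryName": "C",
             "organizationalUnitName": "OU", "localityName": "L",
             "stateOrProvinceName": "ST"}
    return ", ".join(f"{short.get(attr, attr)}={value}"
                     for rdn in rdns for attr, value in rdn)


def validity(cert):
    """(notBefore, notAfter) as epoch seconds, parsed from getpeercert() strings."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def notbefore_gap_seconds(leaf, issuer):
    """Seconds by which the leaf's notBefore precedes its issuer's (0 if it does not)."""
    return max(0, validity(issuer)[0] - validity(leaf)[0])


def chain_valid_at(leaf, issuer, when):
    """True when both certificates are inside their validity window at `when` (epoch)."""
    return all(nb <= when <= na for nb, na in (validity(leaf), validity(issuer)))


def audit_chain(leaf, issuer, expected_issuer_substring=EXPECTED_ISSUER_SUBSTRING):
    """Return a list of findings for a leaf and the certificate that signed it."""
    findings = []
    leaf_issuer = dn_to_str(leaf["issuer"])
    if expected_issuer_substring not in leaf_issuer:
        # The answer's diagnosis: someone between client and Azure terminates TLS.
        findings.append(f"unexpected issuer '{leaf_issuer}': TLS is being intercepted")
    if leaf_issuer != dn_to_str(issuer["subject"]):
        findings.append("issuer certificate subject does not match the leaf's issuer DN")
    gap = notbefore_gap_seconds(leaf, issuer)
    if gap:
        # The question's diagnosis: the chain is dead until the issuer becomes valid.
        findings.append(f"leaf notBefore precedes issuer notBefore by {gap / 3600:.2f} h")
    if validity(leaf)[1] > validity(issuer)[1]:
        findings.append("leaf notAfter is later than issuer notAfter")
    return findings


def probe(host, port=443, timeout=5.0):
    """Live check with a verified handshake: ('ok', cert dict) or ('verify_failed', msg).

    A verify failure from inside the VNet but 'ok' from a public client is the
    signature of the interception described in the thread.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "verify_failed", str(exc)


if __name__ == "__main__":
    for label, leaf, issuer in (("inside VNet", INTERCEPTED_LEAF, INTERCEPTING_SUBCA),
                                ("public Internet", HEALTHY_LEAF, HEALTHY_ISSUER)):
        print(f"[{label}] leaf issued by {dn_to_str(leaf['issuer'])}")
        for finding in audit_chain(leaf, issuer):
            print("   !", finding)
```

For a live reproduction, `probe("APP.azurewebsites.net")` from a client in the affected network should return `verify_failed`, while the same call from a public client returns `ok`. Because a verified handshake aborts before `getpeercert()` can return the intercepted chain, dump it instead with `openssl s_client -connect APP.azurewebsites.net:443 -servername APP.azurewebsites.net -showcerts` and feed the decoded notBefore/notAfter values into `audit_chain()`.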