question

0 Votes
NileshLonkar-9197 asked GitaraniSharmaMSFT-4262 commented

Problems with enabling HTTPS for Azure CDN

I have created a static website (Angular) using Azure blob storage.
I have uploaded the GoDaddy certificate (PFX file) in Azure KeyVault.
Created a CDN endpoint and mapped that to the static website.
Now, when I try to enable HTTPS for the Blob static website using Azure CDN, it gives me the following error.

I am not sure what is needed. Can someone please help?

Below is the error I am getting:

ErrorCode: IncompleteCertificateChain, Id: b705e41e-6978-4a3c-bc5r-f31tf344518, ErrorDetails: Leaf certificate detected. A full certificate chain needs to be presented for HTTPS requests to work properly

azure-cdn

1 Answer

0 Votes
GitaraniSharmaMSFT-4262 answered GitaraniSharmaMSFT-4262 commented

Hello @NileshLonkar-9197 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Azure Front Door and Azure CDN from Microsoft made a recent update in July to enforce custom domains to require a full certificate chain. For the cases where the certificates are managed by Microsoft, the certificates always included the full chain; now the change enforces the same checks for the bring-your-own-certificate scenario, for consistency and in readiness for the upcoming platform improvements. Please see the documentation below for more details.

https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https#option-2-use-your-own-certificate

You will need to change your certificate to present the full complete chain, with root > intermediate > leaf. This needs to include the private key as well. Additionally, the root CA must be part of the Microsoft Trusted CA List.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" below if the information helped you. This will help us and others in the community as well.



Thanks, this helped for sure. Although I could manage to resolve this issue, there are procedural problems. For example, many CA providers don't provide the PFX file. They only provide a PEM file, and I had to convert the PEM file to a PFX file, which caused a major pain for me. In the Azure portal, when I uploaded the PEM file, it gave me an error that it only supports PFX files. Are you going to support PEM files for CDN in the future?

0 Votes 0 ·

Hello @NileshLonkar-9197 ,

Thank you for the update. Glad to hear that your issue was resolved.

Azure Key Vault supports both PEM and PFX certificate formats. However, Azure CDN only supports PFX.
But it looks like Azure CDN China supports both PEM and PFX certificate formats.

Let me check with the PG team & confirm if the same will be added to Global Azure CDN in the future.

Thanks,
Gita

0 Votes 0 ·

Hello @NileshLonkar-9197 ,

Below is the update from Azure CDN PG:

PEM certificate format support for CDN is a roadmap item, most likely with the AFD Standard/Premium SKU. Azure Front Door Premium will combine AFD, CDN, and WAF into one offering. But we do not have any timelines for its GA yet.

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,
Gita

0 Votes 0 ·
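
Added example (not part of the original thread and not Microsoft's code): one way to do the PEM-to-PFX conversion mentioned in the comments with the OpenSSL CLI so that the PFX carries the leaf, intermediate and root plus the private key, as the answer requires, and to count the certificates in a PFX before importing it into Key Vault. The file names, subjects and password are constructed; the PEM files issued by your CA would replace the generated ones.

```shell
#!/bin/sh
# Constructed demo password; use your own secret handling in practice.
PFX_PASS='constructed-demo-pass'

# issue <name> <CN> <issuer> <serial>: key and cert signed by <issuer>.crt/.key
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
    -set_serial "$4" -days 30 -out "$1.crt" 2>/dev/null
}

# make_demo_chain <dir>: constructed stand-in for the PEM files a CA hands out.
# These throwaway certs only illustrate bundling; they are not a valid public chain.
make_demo_chain() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
      -subj "/CN=Constructed Root CA" -days 30 2>/dev/null &&
    issue intermediate "Constructed Intermediate CA" root 2 &&
    issue leaf "www.example.test" intermediate 3 &&
    cat intermediate.crt root.crt > chain.pem )
}

# build_pfx <key.pem> <leaf.pem> <out.pfx> [chain.pem]
# Without chain.pem the PFX holds only the leaf (the IncompleteCertificateChain case).
build_pfx() {
  if [ -n "$4" ]; then
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$4" \
      -out "$3" -passout "pass:$PFX_PASS"
  else
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$PFX_PASS"
  fi
}

# pfx_cert_count <file.pfx>: number of certificates stored in the PFX
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Demo on constructed files: compare a leaf-only PFX with a full-chain PFX.
work=$(mktemp -d) && make_demo_chain "$work" &&
build_pfx "$work/leaf.key" "$work/leaf.crt" "$work/leaf-only.pfx" &&
build_pfx "$work/leaf.key" "$work/leaf.crt" "$work/full.pfx" "$work/chain.pem" &&
echo "leaf-only: $(pfx_cert_count "$work/leaf-only.pfx")  full: $(pfx_cert_count "$work/full.pfx")"
```

A count of 1 means the PFX contains only the leaf certificate; a leaf, one intermediate and a root give 3.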