Aztech-2268 asked:

AppGateway V2 Certificate issue

Hello,

I've deployed an application gateway in my subscription, all is working fine, and I have several services published to the internet and linked with the backend. Right now I have a problem: I have a listener over HTTPS and the communication with the backend also has to be made over HTTPS, so I have to include a certificate inside "http settings". I was trying to add the same certificate that I had uploaded to the listener, but checking the documentation, it seems that I have to upload the root certificate, and I've followed this guide:

https://docs.microsoft.com/en-us/azure/application-gateway/certificates-for-backend-authentication

But when I try to save the configuration, I get an error message similar to: "This certificate is not a trusted root certificate..." What is the problem? Do I have to add this certificate to some trusted certificate store in Azure?

Thank you very much.

azure-application-gateway

GitaraniSharmaMSFT-4262 answered:

Hello @Aztech-2268 ,


To fix this, bundle the PFX to include the leaf, intermediate, and root cert (in that order) and put on the backend target.


From:
https://docs.microsoft.com/en-us/azure/application-gateway/certificates-for-backend-authentication#export-trusted-root-certificate-for-v2-sku
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#trusted-root-certificate-mismatch


For Application Gateway V2, a trusted root certificate is required to allow backend instances. The root certificate is a Base-64 encoded X.509 (.CER) format root certificate from the backend server certificates. You can export the public key from the TLS/SSL certificate for the backend certificate and then export the root certificate of the trusted CA from the public key in Base-64 encoded format to get the trusted root certificate. The intermediate certificate(s) should be bundled with the server certificate and installed on the backend server.


If the back-end certificate is issued by a well-known certificate authority (CA), you can select the Use Well Known CA Certificate check box, and then you don't have to upload a certificate.


Not having the intermediate bundled in the PFX can stop the "well known CA" option from working correctly.


Try checking the intermediate certs on the backend cert. Here is an online tool for checking SSL certificates.
Incorrectly Bundled Cert would show something like the one below:
13388-incorrectly-bundled-cert.jpg


A Properly Bundled Cert would show something like the one below:
13419-correctly-bundled-cert.jpg



The order should be leaf, intermediate, root.
The rebundled PFX can be put on the appgw listener (renew/replace the one that is there) and then put on the backend as well.



How to rebundle the PFX manually to ensure it's in the right order:


First, create a private.key from the PFX like so:
openssl pkcs12 -in Certificate.pfx -nocerts -out private.key


Then create a CER Bundle of the entire chain ensuring that they are bundled in the correct order:
Creating a .pem with the Private Key and Entire Trust Chain
https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm


Then recreate the PFX from the bundled CER and the private key from step 1.
Create a PFX from the PEM like so:
https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/


Hope this helps!


Kindly let us know if the above helps or you need further assistance on this issue.




Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.




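A worked version of the rebundling steps in the answer above, added here as an example (it is not part of the answer or of Microsoft's documentation): it builds a constructed root/intermediate/leaf chain with openssl, bundles it in leaf, intermediate, root order, rebuilds the PFX, and checks the order before anything is uploaded. The CA names, the backend name "backend.example.invalid" and the PFX password are made up, and an openssl binary is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed chain, bundle it
# leaf, intermediate, root as the answer says, rebuild the PFX, check order.
set -e

# Create throw-away test certificates in directory $1 (constructed data only).
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
    -keyout "$1/root.key" -out "$1/root.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$1/root.csr" -signkey "$1/root.key" \
    -extfile "$1/ca.ext" -out "$1/root.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
    -keyout "$1/inter.key" -out "$1/inter.csr" 2>/dev/null
  openssl x509 -req -days 1825 -in "$1/inter.csr" -CA "$1/root.cer" \
    -CAkey "$1/root.key" -CAcreateserial -extfile "$1/ca.ext" -out "$1/inter.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=backend.example.invalid' \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$1/leaf.csr" -CA "$1/inter.cer" \
    -CAkey "$1/inter.key" -CAcreateserial -out "$1/leaf.cer" 2>/dev/null
}

# Bundle leaf, intermediate, root (in that order) and rebuild the PFX with the
# leaf's private key; $1=dir, $2=PFX password. root.cer is already the Base-64
# .CER that the App Gateway backend http setting expects as trusted root.
rebundle_pfx() {
  cat "$1/leaf.cer" "$1/inter.cer" "$1/root.cer" > "$1/chain.pem"
  openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/chain.pem" \
    -out "$1/bundled.pfx" -passout "pass:$2"
}

# Count the certificates packed into PFX $1 (password $2); expect 3 here.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Print OK if every certificate in PEM bundle $1 is issued by the one that
# follows it (leaf -> intermediate -> root), otherwise BAD.
check_order() {
  awk -v b="$1" '/BEGIN CERT/{f=b "." (++i)} f{print > f} /END CERT/{close(f); f=""}' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$1.$i" -noout -issuer)
    sub=$(openssl x509 -in "$1.$((i + 1))" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || { echo BAD; return 1; }
    i=$((i + 1))
  done
  echo OK
}
```

Run check_order against the bundle you intend to upload before touching the gateway; a reversed or key-mismatched bundle is reported as BAD before it can produce the "not a trusted root certificate" error in the portal.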

Hello @Aztech-2268 ,

Any update on this post?

If the suggested response helped you resolve your issue, please don't forget to "Accept the answer" for the benefit of other community members.


Thanks,
Gita



This solution was spot on and solved my issue thank you


I know it's an old post but just wanted to follow up since I've had the same issue.

If I follow the guide you refer to here:
Then create a CER Bundle of the entire chain ensuring that they are bundled in the correct order:
Creating a .pem with the Private Key and Entire Trust Chain
https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

...then I get an error that says "Chain issues: Contains anchor" when checking the cert on https://www.ssllabs.com/

The solution to that seems to be to NOT include the root cert. When I removed the root cert I got rid of the issue.

ManishJ answered:

Are you trying to do end-to-end SSL, or would you prefer to do the SSL termination at the Application Gateway?


Are you trying to update the HTTP setting on the Application Gateway and set it as HTTPS as shown in the attached image? If yes, could you please check and confirm that you are adding the correct root CA certificate?

For a TLS/SSL certificate to be trusted, that certificate of the backend server must be issued by a CA that's included in the trusted store of Application Gateway. If the certificate wasn't issued by a trusted CA (for example, if a self-signed certificate was used), users should upload the issuer's certificate to Application Gateway.

4.png (26.9 KiB)

Aztech-2268 answered:

Thank you very much to both, I've just solved my issue.


Glad to hear and happy to help.
