Question

ChrisAdam-3413 asked; GitaraniSharmaMSFT-4262 commented

Downloading the pfx file, and uploading it to an Application Load Balancer prompts "Certificate revoked" on my website.

Hello,

I have an app service with an API and a storage account for static files. They are both behind an application load balancer. I have an app service certificate and a DNS zone that I use to enable SSL connection on the gateway. In order to do that, I download the pfx certificate from key vault and upload it to the gateway. However, my browser gives me an error NET::ERR_CERT_REVOKED

 NET::ERR_CERT_REVOKED
 Subject: <my-host>
 Issuer: Go Daddy Secure Certificate Authority - G2
 Expires on: 5 Jan 2023
 Current date: 10 Mar 2022
 PEM encoded chain:
 -----BEGIN CERTIFICATE-----
 [...]
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 [...]
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 [...]
 -----END CERTIFICATE-----
 Certificate Transparency:
 SCT Google 'Argon2023' log (Embedded in certificate, Verified)
 SCT DigiCert Yeti2023 Log (Embedded in certificate, Verified)
 SCT Cloudflare 'Nimbus2023' Log (Embedded in certificate, Verified)

Thank you



Hello @ChrisAdam-3413 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I've seen cases where a rekey of App service certificate causes "ERR_CERT_REVOKED" error. Was a rekey performed on the App service certificate? If yes, was it synced before downloading the certificate?
NOTE: The exported certificate is an unmanaged artifact. For example, it isn't synced when the App Service Certificate is renewed. You must export the renewed certificate and install it where you need it.
Refer: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#rekey-certificate

Also, rather than manually downloading and adding the certificate to App gateway, did you consider integrating Key Vault with Application gateway?

After Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install them locally for TLS termination. The instances poll Key Vault at four-hour intervals to retrieve a renewed version of the certificate, if it exists.
Refer: https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs

Regards,
Gita


Hello @GitaraniSharmaMSFT-4262 ,

I did perform a rekey. I cannot sync the certificate because the button is greyed. I downloaded it anyway after the rekey but it didn't change a thing.

I cannot integrate the certificate directly on the gateway because it's stored as a secret and not a certificate in Key Vault.

Best regards,

Chris


Hello @ChrisAdam-3413 ,

Thank you for the update.

Could you please check if the thumbprint on the App Service certificate matches the thumbprint of the certificate in use when you visit the application via browser?

Also, for your reference, you may be required to reverify domain ownership while rekeying your certificate.
Refer: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#verify-domain-ownership
https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#rekey-certificate

Regarding Application gateway integration with Key Vault, it is true that the Azure portal supports only Key Vault certificates, not secrets. However, Application Gateway still supports referencing secrets from Key Vault through non-portal resources like PowerShell, the Azure CLI, APIs, and Azure Resource Manager templates (ARM templates).
Refer: https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs#supported-certificates

Regards,
Gita


Hello @ChrisAdam-3413 ,

Could you please provide an update on this post for further discussion?

Regards,
Gita


1 Answer

ChrisAdam-3413 answered; GitaraniSharmaMSFT-4262 commented

Hello @GitaraniSharmaMSFT-4262 ,

Sorry for the late response. I checked your resources but unfortunately, it didn't really help.

Indeed, I've been contacted by the application gateway expert. However, it seems the problem is more closely related to Key Vault.

Here is the summary of the investigation:

What I'm trying to do:
- Create an app service certificate
- Download the certificate as a pfx file (and set a password on it)
- Upload it to an application gateway

The problem
- The certificate has been rekey'd
- The certificate in key vault has not been updated. Therefore, the pfx file is now outdated and the certificate flagged as revoked.
- In other words, the fingerprint of the certificate doesn't match the fingerprint of the downloaded pfx file, even if I download it again.

What might have happened
- The whole infrastructure has been deployed using ARM templates
- The certificate has been created and rekey'd using the portal
- The infrastructure has been re-deployed several times using templates (but nothing deleted), including the key vault that stores the certificate.

Is it possible that redeploying the key vault, even if it has not been deleted, could have cut the link between the app service certificate and the key vault? That would explain why it's not being updated.

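The checks discussed in Gita's comment and in the answer above, as an added example (my script, not the thread's and not the support team's PowerShell): it compares the thumbprint of the exported pfx with the one the gateway actually serves, lists the secret's versions in Key Vault to see whether the rekey ever produced a new one, and attaches the secret to Application Gateway by reference instead of uploading the pfx. HOST, PFX, PFX_PASS, RG, GW, VAULT and SECRET are assumed placeholder names; it needs openssl and the Azure CLI.

```shell
#!/usr/bin/env bash
# Added example, not the thread's or the support team's script. Placeholders
# (assumed names): HOST, PFX, PFX_PASS, RG, GW, VAULT, SECRET.
set -eu

# Strip "SHA1 Fingerprint=" and colons so openssl output and a portal
# thumbprint ("ABCD...") compare as plain uppercase hex.
norm_thumbprint() {
  printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr '[:lower:]' '[:upper:]'
}

# Exit status 0 when the two thumbprints name the same certificate.
thumbprints_match() {
  [ "$(norm_thumbprint "$1")" = "$(norm_thumbprint "$2")" ]
}

# Thumbprint of the leaf certificate inside the exported pfx.
pfx_thumbprint() {  # $1 = pfx path, $2 = pfx password
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
    | openssl x509 -noout -fingerprint -sha1
}

# Thumbprint of the certificate the gateway actually presents for the host.
served_thumbprint() {  # $1 = hostname
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1
}

# Secret versions in Key Vault: a rekey should add a new version. If nothing
# is newer than the rekey, the certificate order is no longer writing there.
secret_versions() {  # $1 = vault name, $2 = secret name
  az keyvault secret list-versions --vault-name "$1" --name "$2" \
    --query "[].{version:id, updated:attributes.updated}" -o table
}

# Reference the secret directly (unversioned id, so the gateway polls for a
# renewed version). The gateway's managed identity needs 'get' on the secret.
attach_from_key_vault() {  # $1 = rg, $2 = gateway, $3 = vault, $4 = secret
  az network application-gateway ssl-cert create \
    --resource-group "$1" --gateway-name "$2" --name appservice-cert \
    --key-vault-secret-id "https://$3.vault.azure.net/secrets/$4"
}

if [ "${1:-}" = "--check" ]; then
  want=$(pfx_thumbprint "$PFX" "$PFX_PASS"); got=$(served_thumbprint "$HOST")
  if thumbprints_match "$want" "$got"; then echo "gateway serves the exported cert"
  else echo "MISMATCH: pfx=$want served=$got"; secret_versions "$VAULT" "$SECRET"; fi
fi
```

Run it with `--check` after exporting the environment variables; a mismatch with no new secret version after the rekey date is the "link cut" situation the answer suspects.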

Hello @ChrisAdam-3413 ,

Thank you for the update.

It could be possible but we would need the Key Vault team to check the backend logs and confirm the root cause.
I would request you to ask the support team to engage the Key Vault team for further investigation on this issue.

Regards,
Gita


Hello @ChrisAdam-3413 ,

I'm following up on this post to check if you have any further updates on the issue. I tracked your support case and can see that you were provided with a PowerShell script to export the certificate again and upload it to Application Gateway but you received an error.

I have added your initial root cause summary to the answer section for visibility to others in the community facing similar issues and would request you to add the final solution when the support team provides one. Thank you for your patience and understanding.

Regards,
Gita


Hello @GitaraniSharmaMSFT-4262 ,

Yes, I've tried the PowerShell script but ran into issues. I've sent the modified script (with my resources ID) and the resulting logs. I'm waiting to debug the script.

Chris


Thank you for the update, @ChrisAdam-3413.
