AdamRiddick-5896 asked ajkuma-MSFT commented

Azure App Service Root CA clarification

Hi,

We're experiencing an issue with an app hosted in Azure App Service (S1) with our SSO login (OAuth2/OIDC), whereby the remote certificate is not trusted.

When attempting to reach the well-known configuration endpoint of the authorization server, we get the error "The SSL connection could not be established, see inner exception. The remote certificate is invalid according to the validation procedure".

The remote certificate is issued by "Go Daddy Secure Certificate Authority - G2", which is the same issuer as the certificate used by our app running in Azure App Services and purchased through Azure.

Checking the root CA list for App Service, I can see that "Go Daddy Secure Certificate Authority - G2" is not present.

As we're not running on an isolated plan, we can't add custom certificates - though this isn't desirable anyway.

The list of trusted root CAs appears to be a vastly trimmed-down version of the Microsoft Trusted Root Certificate Program, which does include GoDaddy Root Certificate Authority - G2.

Why do these lists differ, and is there anything we can do to resolve this, or better yet, to get those lists in sync?

azure-webapps-ssl-certificates

1 Answer

ajkuma-MSFT answered ajkuma-MSFT commented

AdamRiddick-5896, Thanks for posting this good question.

I'm not sure if you have checked this doc Root CA on App Service already.

Just to highlight, App Service has a list of Trusted Root Certificates which you cannot modify in the multi-tenant variant version of App Service (as in your case), but you can load your own CA certificate in the Trusted Root Store in an App Service Environment (ASE), which is a single-tenant environment in App Service.

--(The Free, Basic, Standard, and Premium App Service Plans are all multi-tenant, and the Isolated Plans are single-tenant.)

Yes, as you mentioned, when an app hosted on Azure App Service tries to connect to a remote endpoint over SSL, it is important that the certificate on the remote endpoint service is issued by a Trusted Root CA.

So, in this case there are two solutions (as mentioned in the doc):

1. Use a certificate that is issued by one of the Trusted Root Certificate Authorities in App Service on the remote server.

2. If the remote service endpoint certificate cannot be changed, host your app on an App Service Environment (ASE) and load your own CA certificate in the Trusted Root Store.

Kindly let us know, I'll follow-up with you further. Thanks for your patience!


Thanks for coming back to me.

I am aware of the documentation, which is where I got the instructions for finding the list of trusted root CAs.

Can you tell me why the lists differ?

Microsoft recognises GoDaddy as a trusted root CA, but not for App Service. Why is this?

ajkuma-MSFT replied to AdamRiddick-5896:

Thanks for the follow-up. I have performed similar tests (Linux and Windows App) and validations on my lab subscriptions and found similar lists. I'm checking on this further internally.

[Screenshot: Trusted Root CA on App Service - test app, Linux and Windows]


ajkuma-MSFT replied to AdamRiddick-5896:

AdamRiddick-5896, Apologies for the delay from over the weekend || Following-up from my previous post:

Typically, Azure Web Apps will have the same list used by Windows.

Root CAs are not pre-installed, though, so Windows will download the root CA when it makes a call to a remote endpoint using it; this triggers the download and installation.

Check out this old article; it is old, but the same applies:

--The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site. Specifically, there is a list of trusted root certification authorities (CAs) stored on the local computer. When an application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.



Working with MS Support, we managed to identify what we believe to be the root cause of this issue: the Azure App Service was unable to bring in the certificate details from the third-party provider.

We have an NSG in place which is blocking all outbound HTTP traffic, but the App Service is attempting to communicate with GoDaddy's OCSP and CRL endpoints over HTTP.

Unfortunately it's not possible to configure an NSG to allow only OCSP or CRL, so we will have to either allow all outbound HTTP, or add exceptions for individual providers as we require them; neither is desirable.

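The OCSP and CRL endpoints the last comment describes are not a secret: they are written into the certificate itself (Authority Information Access and CRL Distribution Points extensions), so an egress allow-list can be scoped to exactly those hosts instead of "all outbound HTTP". The script below is an added example, not code from this thread or from Microsoft; it assumes the openssl CLI is installed and constructs its own throwaway certificate with made-up `.example.test` hostnames so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): list the revocation endpoints (OCSP responder,
# CRL distribution points, CA Issuers) a certificate points at, and report which of them
# are plain http://, which is what an outbound rule has to permit for revocation checks.
# Assumes the openssl CLI is installed. The demo certificate is constructed below with
# made-up .example.test hostnames; in practice run cert_uris on the real leaf and
# intermediate certificates of the remote endpoint (e.g. saved from openssl s_client -showcerts).

# Print every URI embedded in the certificate's AIA and CRL Distribution Point extensions.
cert_uris() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*URI:\([^ ]*\).*/\1/p'
}

# Reduce those URIs to the unique hostnames reached over plain HTTP (port 80).
plain_http_hosts() {
    cert_uris "$1" | sed -n 's#^http://\([^/:]*\).*#\1#p' | sort -u
}

# Build a throwaway self-signed certificate carrying AIA and CDP extensions; prints its path.
make_demo_cert() {
    dir=$(mktemp -d)
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = demo.example.test
[ext]
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/,caIssuers;URI:http://certs.example.test/ca.crt
crlDistributionPoints = URI:http://crl.example.test/ca.crl
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/demo.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "$dir/cert.pem"
}

cert=$(make_demo_cert)
echo "Revocation-related URIs in $cert:"
cert_uris "$cert"
echo "Hosts that must be reachable over plain HTTP for OCSP/CRL fetches:"
plain_http_hosts "$cert"
```

Run `plain_http_hosts` over every certificate in the remote chain (leaf and intermediates), since each issuer may publish its CRL and OCSP responder on a different host.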