Accessing private website with self-sign certificate in standard logic app in azure (hosted in WS1 ASP)
I want to access our internal on-premises website, which uses a private certificate generated by our internal authority. I created a private endpoint in the logic app and added virtual network integration. In Kudu I can access the site with the correct port. I can access the site with a virtual machine in the same virtual network after installing the internal certificate authority in the trusted root certificate store.
According to the Microsoft documentation, (here) I have to upload the root CA in the public key certificates of the logic app and set WEBSITE_LOAD_ROOT_CERTIFICATES to the thumbprint of the certificate. I have also set WEBSITE_LOAD_USER_PROFILE to 1.
I still have the error "Could not establish trust relationship for the SSL/TLS secure channel" in the logic app http action.
Have you already faced this case? Microsoft support is not helpful.
In simple terms, if you're using the regular App Service plans (Free, Basic, Standard, or Premium), you can't change the list of Trusted Root Certificates. However, if you're in an App Service Environment (ASE), which is a single-tenant setup, you have the ability to load your own CA certificate into the Trusted Root Store. Just remember, Isolated Plans are the single tenant option, while the others are multi-tenant.
When your app on Azure App Service attempts to connect to a remote endpoint using SSL, it's crucial that the certificate on that remote service is issued by a Trusted Root Certificate Authority (CA).
If the certificate on the remote service is self-signed or issued by a private CA, your app instance won't trust it. In such cases, the SSL handshake will fail, and you'll encounter an error message like "Could not establish trust relationship for the SSL/TLS secure channel."
So, in this case, there are two solutions:
1.Use a certificate that is issued by one of the Trusted Root Certificate Authorities in App Service on the remote server.
2.If the remote service endpoint certificate could not be changed or there is a need to use a private CA certificate, host your app on an App Service Environment (ASE) and load your own CA certificate in the Trusted Root Store
The only way you can load your own CA certificate in the Trusted Root Store is in an App Service Environment (ASE) which is a single-tenant in App Service.
A common use case is to configure your app as a client in a client-server model. If you secure your server with a private CA certificate, you will need to upload the client certificate to your app
To upload the certificate to your app in your ASE:
Generate a .cer file for your certificate.
Go to the app that needs the certificate in the Azure portal
Go to SSL settings in the app. Click Upload Certificate. Select Public. Select Local Machine. Provide a name. Browse and select your .cer file. Select upload.
Copy the thumbprint.
Go to Application Settings. Create an App Setting WEBSITE_LOAD_ROOT_CERTIFICATES with the thumbprint as the value. If you have multiple certificates, you can put them in the same setting separated by commas and no whitespace like
The certificate will be available by all the apps in the same app service plan as the app, which configured that setting. If you need it to be available for apps in a different App Service plan, you will need to repeat the App Setting operation in an app in that App Service plan.
There's also a feedback in Microsoft Community to "Support for private intermediate CA", you may want to upvote
Sources:
- https://azure.github.io/AppService/2021/06/22/Root-CA-on-App-Service-Guide.html
- https://learn.microsoft.com/en-us/azure/app-service/environment/certificates#private-client-certificate
- https://learn.microsoft.com/en-us/answers/questions/805854/how-do-i-use-azure-app-services-with-a-custom-self
- https://feedback.azure.com/d365community/idea/f74472d7-c925-ec11-b6e6-000d3a4f0f1c
- How to get PublisherId, OfferId , PlanId of AI foundry model?
- How to run yaml file from Azure cloud shell
- query_parameters with web queries
- Issue with azure web app runtime stack .NET 6
- Azure Maps Forward Geocoding and Route Matrix API - billing and cost perspective
- How to get a list of available vm sizes in an azure location
- SSL Verification failed while sending data via MQTT to x509 authenticated device in azure iot-hub
- Azure Container Apps Jobs with Event Hubs integration is looping endlessly, even though there is no new events
- In Service Fabric, can I alter the Arguments in the ServiceManifest.xml file using Application Parameters?
- use azurerm_virtual_machine with trusted_launch
- Which IPs to allow in Azure for Github Actions?
- How to get last login date & time for the logged in user in azure ad?
- Azure Policy - restrict creation of Front Door to Standard SKU Only
- Set-AzVirtualNetwork does not attach Nat Gateway to a subnet in Azure
- Signing an msi with AzureSignTool seems to work but "it is not in the Trusted Root Certification Authorities store."
- No such host is known - Mass Transit - Azure Service Bus
- Set default app pool recycling via command line
- Azure : How to create a event based trigger from SFTP server?
- Create a new cluster in Databricks using databricks-cli
- Accessing MS 365 content dynamically from a Python script
- Azure LogicApp reading messages from storage queue but not processing
- Azure python sdk resourcegraph no skip_token
- How can I copy the TXT record into the DNS configuration in portal azure?
- Getting the user's AcccountEnabled property true/false instead of NULL
- How to read my outlook mail using java and oauth2.0 with application regsitration in Azure AD
- Playwright driver not found error in Azure Function (Azure Portal - Flex consumption plan)
- Microsoft Azure App Gateway Returning 499/504 Erorr
- No such file or directory: '/home/vsts/work/_temp/.azclitask/bin/bicep' when doing az deployment mg in an Azure DevOps pipeline
- Azure Functions Service Bus Triggered not working
- Allow a custom content-type in Azure Front Door WAF without bypassing rules