I'm exposing an endpoint (only port 8080) via an Azure Container App. One of the first steps I need to do is validate the HTTP request's client certificate.
I have the following code, which works locally:
    // Attempt to get the certificate from the connection
    var clientCertificate = httpContext.Connection?.ClientCertificate;
    if (clientCertificate != null)
        return clientCertificate;

    // Check if the X-ARR-ClientCert header is present
    if (httpContext.Request.Headers.TryGetValue("X-ARR-ClientCert", out var certHeader) && !string.IsNullOrWhiteSpace(certHeader))
    {
        try
        {
            byte[] certBytes = Convert.FromBase64String(certHeader!);
            clientCertificate = new X509Certificate2(certBytes);
            return clientCertificate;
        }
        catch (Exception ex)
        {
            logger.LogError(ex, "Unable to parse certificate from header 'X-ARR-ClientCert'.");
        }
    }
When running locally, httpContext.Connection?.ClientCertificate is enough. On an App Service, httpContext.Request.Headers.TryGetValue("X-ARR-ClientCert", out var certHeader) is enough.
I have followed this and set the value to "accept".
My ACA is inside a VNet, and at first I thought maybe a gateway or something was dropping the certificate, but when I try the direct endpoint (from inside the VNet) I have the exact same issue.
Any ideas? Am I missing some configuration?
It seems I missed some documentation from MSFT regarding the header. It also seems I was not setting up Postman properly when sending certificates.
According to the documentation, the header where I can see the certificate is 'X-Forwarded-Client-Cert'. I'm also adding here another link regarding the details of this header for future reference.
I now have an issue with the certificate chain, which seems to be different from the one in the file, but this is outside the scope of the original question.
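An added example, not part of the original post: a C# helper that extracts the client certificate from the 'X-Forwarded-Client-Cert' header named above. It assumes the Envoy-style value format (`;`-separated key=value pairs such as Hash, Cert and Chain, with Cert holding a URL-encoded PEM certificate); the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper. Usage in the code from the question (assumed):
//   var cert = ForwardedClientCert.TryParse(
//       httpContext.Request.Headers["X-Forwarded-Client-Cert"]);
public static class ForwardedClientCert
{
    // Returns the certificate from the first Cert="..." pair, or null.
    // Parsing is not validation: the header carries no proof of origin, so it
    // is only meaningful when the app is reachable solely through the ingress,
    // and chain/thumbprint checks must still be done on the result.
    public static X509Certificate2? TryParse(string? headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null;

        foreach (var pair in SplitOutsideQuotes(headerValue))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;
            string key = pair.Substring(0, eq).Trim();
            // Match "Cert" only; "Chain" also contains PEM data but is not the leaf.
            if (!string.Equals(key, "Cert", StringComparison.OrdinalIgnoreCase)) continue;

            string pem = Uri.UnescapeDataString(pair.Substring(eq + 1).Trim().Trim('"'));
            try { return X509Certificate2.CreateFromPem(pem); }
            catch (CryptographicException) { return null; }
        }
        return null;
    }

    // Splits on ';' (pairs) and ',' (elements) but not inside quoted values,
    // so a quoted Subject such as "CN=a,O=b" stays in one piece.
    private static IEnumerable<string> SplitOutsideQuotes(string s)
    {
        int start = 0;
        bool inQuotes = false;
        for (int i = 0; i < s.Length; i++)
        {
            char c = s[i];
            if (c == '"' && (i == 0 || s[i - 1] != '\\')) inQuotes = !inQuotes;
            else if (!inQuotes && (c == ';' || c == ','))
            {
                yield return s.Substring(start, i - start);
                start = i + 1;
            }
        }
        yield return s.Substring(start);
    }
}
```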