Azure Certificate Validation Failed By Token Handler - api

I have two client certificates that I have installed for my API project in the Azure portal. I have set the config option to enable them and can verify that they can both be found in the CurrentUser 'My' store. My problem is now that one of them is failing validation. On my local machine I have this cert installed in the Trusted People store of LocalMachine. Is there anything I can do with Azure to make this work?
Is the location of the cert the issue or is it possibly something with the certificate itself?
**Note that this is an app service, not a cloud service

There are a few things you can check. In Azure, check in the app settings whether you have added your certificate. It's in the SSL section of your Azure app.
Another workaround would be, where you are configuring your Token Authentication, to set these settings.
For example, in my case I was getting an X509 Certificate error.
I added this code in my project.
using System.IdentityModel.Selectors;   // X509CertificateValidator
using System.ServiceModel.Security;     // X509CertificateValidationMode
// Disables certificate validation entirely for the token handler (any certificate is accepted).
System.IdentityModel.Configuration.IdentityConfiguration config = new System.IdentityModel.Configuration.IdentityConfiguration();
config.CertificateValidator = X509CertificateValidator.None;
config.CertificateValidationMode = X509CertificateValidationMode.None;
Basically, turn off your validation. Most of the time, what happens is your local machine has all the certificates installed by an IT Operations person, but those certificates are not on Azure.
You can check here for some reference as well. Microsoft Certificate Reference
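Before switching validation off, it is worth finding out whether the failing certificate is rejected because of where it is (no trusted root or peer entry in this context) or because of what it is (expired, wrong EKU). The following PowerShell diagnostic is an added example, not part of the answer above; the thumbprints are placeholders, and it assumes it runs in the same context as the API (e.g. the App Service console) so that CurrentUser\My is the store the token handler reads.

```powershell
# Added diagnostic: report why each uploaded client certificate in CurrentUser\My
# would fail validation. Thumbprints are placeholders (assumption).
$thumbprints   = @('REPLACE_WITH_THUMBPRINT_1', 'REPLACE_WITH_THUMBPRINT_2')
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ekuType       = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

foreach ($tp in $thumbprints) {
    $cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { Write-Warning "$tp not found in CurrentUser\My"; continue }

    # Properties of the certificate itself.
    $now        = Get-Date
    $inWindow   = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    $selfSigned = $cert.Subject -eq $cert.Issuer
    $ekuExt     = $cert.Extensions | Where-Object { $_ -is $ekuType }
    # No EKU extension means any usage is allowed; otherwise clientAuth must be listed.
    $clientEku  = (-not $ekuExt) -or
                  [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })

    # Properties of the store context: chain trust with and without trusting the root,
    # and peer trust (Trusted People), which is what the local setup relied on.
    $chainOk     = Test-Certificate -Cert $cert -Policy BASE -ErrorAction SilentlyContinue
    $chainNoRoot = Test-Certificate -Cert $cert -Policy BASE -AllowUntrustedRoot -ErrorAction SilentlyContinue
    $peerTrusted = [bool](Get-ChildItem 'Cert:\LocalMachine\TrustedPeople', 'Cert:\CurrentUser\TrustedPeople' `
                      -ErrorAction SilentlyContinue | Where-Object { $_.Thumbprint -eq $tp })

    [pscustomobject]@{
        Thumbprint          = $tp
        Subject             = $cert.Subject
        InValidityWindow    = $inWindow
        SelfSigned          = $selfSigned
        ClientAuthEku       = $clientEku
        ChainTrusted        = [bool]$chainOk
        ChainOkIgnoringRoot = [bool]$chainNoRoot
        InTrustedPeople     = $peerTrusted
    }
}
```

Reading the result: ChainTrusted false but ChainOkIgnoringRoot true means the store context is the problem (the root or self-signed cert is not trusted here), while ChainOkIgnoringRoot false or ClientAuthEku/InValidityWindow false points at the certificate itself.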

Related

How to trust an internal Root CA in Azure App Service

I have an Azure Function calling an HTTPS endpoint using an SSL certificate that was provided by an internal Root CA.
Without doing anything, I have an SSL negotiation error which is normal.
I added the ROOT CA cert in the SSL Settings of my Function App, and I also added the setting WEBSITE_LOAD_ROOT_CERTIFICATES in the Function App Settings.
By using the Kudu Console, I tried to curl my HTTPS endpoint, and I'm still having SSL troubles.
Am I missing something?
You can't use an internal authority signed certificate against an Azure Function that is in a multi-tenant environment. The only available approach is to use App Service Environment (ASE). Using ASE will enable you to upload issuing and root certificates that are signed by a private/internal authority and register them in the store so that they can be interrogated.
Try to follow the below steps to enable SSL.
Go to App service and then select TLS/SSL settings.
Click on Private Key Certificates and then click on Create App Service Managed Certificate. It opens a side window; in that window, click on the Create button.
After it is successfully created, go to Custom domains and click on Add binding.
Under TLS/SSL binding, select the custom domain name, the private certificate thumbprint and its type, then click on Add Binding.
Once we have finished the above steps, it will be added to your domain.
As per the Microsoft Document, Add a TLS/SSL certificate in Azure App Service.

HTTPS communication in ServiceFabric Local Cluster

Here's my setup
an IdentityServer 4 as a stateless reliable ASP.NET Core service.
a WebAPI as a reliable ASP.NET Core service.
using them with a JS client, it is now working with HTTP. The problem is with HTTPS. The WebAPI needs to request the openID config via https [is4URL].well-known/openid-configuration. I'm getting this error
System.InvalidOperationException: IDX10803: Unable to obtain
configuration from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.IO.IOException: IDX10804: Unable to retrieve document from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.Net.Http.HttpRequestException: An error occurred while sending
the request. ---> System.Net.WebException: The underlying connection
was closed: Could not establish trust relationship for the SSL/TLS
secure channel. --->
System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.
can anybody help me to make this work in localhost with the SF Local Cluster Manager?
Thanks
Here's my two cents worth but it will need to be verified...
I am assuming that you have created a self-signed certificate using the following article or similar, but the certificate has the same properties.
https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-configure-ssl-certificate
This means that the certificate cannot be verified via an actual CA. Of course with a self-signed certificate this is not possible.
Now when you upload the certificate to Azure App Service it installs in CurrentUser - MyStore. With a self-signed certificate, it also needs to be installed in the LocalMachine Root store.
This is because then the machine's Certificate Authority can verify that certificate to be valid. (Maybe a security expert can correct me if I am wrong but that's my theory). I have got the same setup on my locally hosted Windows server where the self-signed certificate is installed in the Root Certificate Store as well as the Personal store and the app works. This is the reason I believe this happens.
So this is the part which needs to be verified. Following is the article which shows you how you can do this in Azure App Service.
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate-portal
AGAIN THIS IS JUST A THEORY THIS NEEDS TO BE VERIFIED. :)
EDIT:
I have just tested this and it is the case. In cloud services you can do as shown in the second link above and create a Web Job which installs the certificate in the appropriate store.
For Azure App Service unfortunately you don't have access to the root store. It has to be installed in CurrentUser's personal store. Which means the self-signed certificate will not work, and you have to purchase a real certificate. :( I think this is a real thumbs down to Microsoft. Why should I need to pay for a real certificate for my dev/test environment? (Rant Over)
For Service Fabric you will need to find out how to install the certificate in the Root Store as well as the personal store (if that's possible at all). Here are links that might be useful
http://ronaldwildenberg.com/running-an-azure-service-fabric-cluster-locally-on-ssl/
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security-update-certs-azure
Hope this helps.

Local Cluster SSL Certificate invalid trust

My local development (5 node) cluster has two stateless services installed. One .Net Core Web Gui service and one .Net Core WebAPI service.
Both are configured to use a https endpoint.
The certificates are self signed certificates and are added to both trusted root and personal (in both current user and localmachine).
I can access both endpoints using a local browser without getting any certificate errors. It says the connection is secure and the certificates are trusted.
So far so good.
But when my Web API service calls my Web Gui service, it says it cannot create a trusted connection.
Why can my local browser create a trusted connection but not the service running in the local cluster?
Does a node in a local cluster have its own Certificate Store?
So it turns out that I missed adding the certificates to the machine root and that's what caused the problem.
For local SSL to work, I needed to add the self-signed certificates to:
localmachine/my
localmachine/root
This lets services call services from within the local cluster.
currentuser/my
currentuser/root
This lets my browsers call my services without ssl errors.
Hope this helps someone else :)
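The store layout in the answer above (and the Root-plus-Personal theory in the Service Fabric thread before it) can be reproduced and, more importantly, checked per context with PowerShell. This is an added example, not code from either post; it assumes an elevated prompt, that the local endpoints are addressed as localhost, and uses a throwaway PFX password.

```powershell
# Added example: place a dev self-signed certificate in the four stores listed above,
# then verify trust from the machine context (services) and the user context (browser).
$dnsName = 'localhost'   # assumption: cluster endpoints are addressed as localhost

# 1. localmachine/my: the private key the services serve TLS with.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1)

# Export the public part only; a Root store should never hold a private key.
$cerPath = Join-Path $env:TEMP "$dnsName-dev.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 2. localmachine/root: services inside the cluster now trust each other.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
# 3. currentuser/root: the browser trusts the endpoints.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# 4. currentuser/my: with private key, via a PFX round trip (only needed when a process
#    running as your own account must also serve TLS with this certificate).
$pfxPath     = Join-Path $env:TEMP "$dnsName-dev.pfx"
$pfxPassword = ConvertTo-SecureString 'dev-only-password' -AsPlainText -Force   # throwaway
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword | Out-Null
Remove-Item $pfxPath   # do not leave the private key lying on disk

# Verify the two contexts separately. This is the split behind "browser works, service
# fails": a service reads the machine stores, the browser the user stores.
$machineTrusted = Test-Certificate -Cert $cert -Policy SSL -DNSName $dnsName -ErrorAction SilentlyContinue
$userTrusted    = Test-Certificate -Cert $cert -Policy SSL -DNSName $dnsName -User -ErrorAction SilentlyContinue
[pscustomobject]@{
    Thumbprint     = $cert.Thumbprint
    MachineContext = [bool]$machineTrusted
    UserContext    = [bool]$userTrusted
}
```

Skipping step 2 reproduces the symptom in the question: UserContext stays true while MachineContext turns false.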

Mismatched SSL certificate in Azure Compute Emulator

I have an Azure app containing 4 sites in a single web role (differentiated by host headers). I set up the sites to run over SSL. I issued 2 self-signed certificates: 1 as a CA installed into the Trusted Root CAs store and 1 wildcard SSL certificate (issued using the first one).
The application runs, however I'm getting certificate error 'Mismatched address' in Azure Compute Emulator. I examined the mismatched certificate and found out it is not the one specified in the service configuration. I went into the IIS management console and checked the bindings - there was no cert set for my sites. So I set up the wildcard certificate manually in the site bindings. But in the browser I still have a mismatched certificate, still the one for 127.0.0.1 (coming with DevFabric). How can I make IIS return the correct certificate configured for the site?
(I have some services in the web sites consumed by Silverlight application and it does not work when there is forced manual confirmation of the certificate by user.)
Thanks!
Are you sure that you really access the service using https://127.0.0.1 and not using https://localhost?

How to configure SharePoint to access the Certificate?

I'm using SharePoint 2010 and I'm configuring a web part using ChannelFactory and Certificate to access a WCF service.
But I'm getting this error message:
Error occured: Could not establish secure channel for SSL/TLS with authority 'my FQDN'.
How could I configure my SharePoint web application to have access to read this installed certificate?
(I'm sure the certificate is installed correctly on the server where sharepoint is installed and all the WCF configurations are correct)
Many thanks in advance,
Are you talking about a client certificate that SharePoint would use to authenticate itself when connecting out to some service? If that is the case, then you would need to install a certificate along with a private key. Otherwise, if you are just talking about a root certificate to validate some server certificate on a remote service, you do not need the private key.
Assuming that you mean a client certificate with private key (I don't know how SharePoint uses certificates), then you would have to install the certificate along with a private key, and then, make sure SharePoint has access to the private key.
It's not enough just to install with the private key -- you have to either install logged in as the Windows account that the code using the private key will be running under, or, if you install the certificate into the Local Machine "Personal" store, for example, you have to set an ACL on the certificate to give another Windows account access to the private key. To do that, you can use the WinHttpCertCfg tool. Cf. here for the general idea, and here to download the tool. Or from the MMC Certificate snap-in, select the certificate in the Local Machine, Personal store, right-click, select All Tasks, Manage Private Keys, and grant access from there.
Have you tried uploading it to the Manage trusts area?
http://centraladmin/_admin/ManageTrust.aspx
Rebooted the server?
Installed on all servers in the farm? Into the machine store (not service or personal)?
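The private-key ACL step from the answer above (what "Manage Private Keys" in the MMC snap-in or WinHttpCertCfg does) can be scripted so it is repeatable across every server in the farm. This is an added example, not code from the answer; the thumbprint and account are placeholders, it assumes an elevated prompt, and it handles both CSP and CNG key storage.

```powershell
# Added example: grant one Windows account read access to the private key of a
# certificate in LocalMachine\My. Placeholders (assumption): thumbprint and account.
$thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
$account    = 'DOMAIN\SPAppPoolAccount'

$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'No private key: import the PFX, not just the .cer' }

# The key is a file under ProgramData; its folder depends on the provider type
# (CSP keys under RSA\MachineKeys, CNG keys under Crypto\Keys). Resolve the unique name.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = Split-Path -Leaf $rsa.Key.UniqueName
} else {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
                               "$env:ProgramData\Microsoft\Crypto\Keys" `
                         -Filter $uniqueName -File -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Key file $uniqueName not found (user-scoped key or hardware provider?)" }

# Read is sufficient to use the key for TLS client authentication; do not grant Modify/FullControl.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Show the resulting entry so the change can be confirmed on each farm server.
(Get-Acl -Path $keyFile.FullName).Access | Where-Object { $_.IdentityReference -eq $account }
```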