Posted January 30, 2023

This article goes through the possible scenarios in which a Logic App reports the TLS error below. Each step in the flow chart has a number, and each number is elaborated in the matching section further down.

1 - You are getting the error "The SSL connection could not be established" in your Logic App Standard.

2 - Run the following OpenSSL command from Kudu; its output tells you whether the endpoint requires a client certificate:

```
openssl s_client -showcerts -connect client.badssl.com:443 > site.pem
```

More information on Mutual SSL Authentication: Link

3 - Use any text editor to open the PEM file after downloading it from Kudu.

4 and 5 - Check whether the file contains the line shown in the screenshots below.

(screenshots: site with client certificate / site without client certificate)

If the PEM file shows that a client certificate is requested, you need to obtain the correct client certificate from your partner. Usually the certificate is created by the client and signed by the server.

5.1 - Convert the PFX file that holds the client certificate and its private key to Base64:

```powershell
# Read the raw bytes of the PFX file (Windows PowerShell; PowerShell 7 uses -AsByteStream instead of -Encoding Byte)
$fileContentBytes = Get-Content 'C:\pfx.pfx' -Encoding Byte
# Convert the bytes to a Base64 string and save it to a text file
[System.Convert]::ToBase64String($fileContentBytes) | Out-File 'C:\pfx-encoded-bytes.txt'
```

5.2 - In the HTTP action, choose authentication type = Client Certificate and paste the Base64 text of the PFX file.

6 - Export the site's public certificates using PowerShell. From the Kudu PowerShell menu, or from any VM that can reach the site, run the commands below; they loop through the site's certificate chain and write each certificate to a file:

```powershell
# Accept any server certificate for this session only, so the request succeeds even though the chain is not yet trusted locally
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$webRequest = [System.Net.WebRequest]::Create("YOUR SSL Site")
$webRequest.GetResponse() | Out-Null
# Build the chain starting from the certificate the server presented
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$webRequest.ServicePoint.Certificate
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.Build($cert) | Out-Null
# Export every certificate in the chain as DER (.cer), named by its thumbprint
$chain.ChainElements.Certificate | ForEach-Object {
    Set-Content -Value $_.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert) -Encoding Byte -Path "$pwd\$($_.Thumbprint).cer"
}
```

7 - To import the partner site's certificates, collect the files generated in the previous step and import them into the Logic App site as public key certificates. Optional note: there is no need to import the site certificate itself.

8 - To complete the import, tell the Logic App site to pick up the imported certificates and load them: set the configuration value WEBSITE_LOAD_ROOT_CERTIFICATES to contain the SHA-1 fingerprints of all the certificates.

9 - Test whether the Logic App can now reach the HTTP endpoint.

10 - Still getting the same error? Collect a network trace. Start the trace with the REST API "Web Apps - Start Network Trace - REST API (Azure App Service)", reproduce the problem, then stop the trace with "Web Apps - Stop Network Trace - REST API (Azure App Service)". Download the trace from Kudu under the log folder.

11 - Analyze the trace file with Wireshark. After identifying the server IP and the Logic App IP, search for the TLS Alert and see which side rejects the handshake.

12 - If it is the server, and a client certificate is required, make sure the Logic App is sending the client certificate by searching in Wireshark for tls.handshake.certificates_length. There could be an issue with the client certificate itself, described in "Client certificate not included by HttpClientHandler in .net core · Issue #26531 · dotnet/runtime (github.com)"; to solve that you need a new client certificate.

13 - If it is the client, verify that you imported the certificate correctly.
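Steps 2 to 8 can be checked from the saved `openssl s_client -showcerts` output alone. The Python script below is an added example, not part of the original article: it keys on the "Acceptable client certificate CA names" line that openssl prints when the server asks for a client certificate, computes the SHA-1 fingerprint of every certificate in the dumped chain, and builds the comma-separated WEBSITE_LOAD_ROOT_CERTIFICATES value, skipping the site's own certificate as step 7 notes. The sample output and certificate bytes are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

# Lines openssl s_client prints after the handshake; the first one means the
# server sent a CertificateRequest, i.e. the endpoint wants mutual TLS.
CLIENT_CA_REQUESTED = "Acceptable client certificate CA names"
NO_CLIENT_CA = "No client certificate CA names sent"
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def sha1_hex(der: bytes) -> str:
    """SHA-1 thumbprint as uppercase hex without colons (the App Service form)."""
    return hashlib.sha1(der).hexdigest().upper()


def server_requests_client_cert(s_client_output: str) -> bool:
    """Steps 4/5: did the server ask for a client certificate?"""
    return CLIENT_CA_REQUESTED in s_client_output


def chain_fingerprints(s_client_output: str) -> list:
    """Thumbprint of every certificate openssl -showcerts dumped, leaf first."""
    fingerprints = []
    for body in PEM_BLOCK.findall(s_client_output):
        der = base64.b64decode("".join(body.split()))  # drop the PEM line breaks
        fingerprints.append(sha1_hex(der))
    return fingerprints


def load_root_certificates_value(s_client_output: str, include_leaf: bool = False) -> str:
    """Step 8: comma-separated list for WEBSITE_LOAD_ROOT_CERTIFICATES (leaf skipped by default, as step 7 notes)."""
    fingerprints = chain_fingerprints(s_client_output)
    return ",".join(fingerprints if include_leaf else fingerprints[1:])


def fake_pem(der: bytes) -> str:
    """Wrap constructed bytes as a PEM block; NOT a real X.509 certificate."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----"


# Constructed stand-in for `openssl s_client -showcerts` output (not a real capture).
LEAF_DER = b"constructed leaf certificate bytes"
ROOT_DER = b"constructed root certificate bytes"
SAMPLE_MTLS_OUTPUT = "\n".join([
    "CONNECTED(00000003)", "---", "Certificate chain",
    " 0 s:CN = client.badssl.com", fake_pem(LEAF_DER),
    " 1 s:CN = Example Root CA", fake_pem(ROOT_DER),
    "---", CLIENT_CA_REQUESTED, "CN = Example Partner CA", "---",
])

if __name__ == "__main__":
    print("client certificate required:", server_requests_client_cert(SAMPLE_MTLS_OUTPUT))
    print("WEBSITE_LOAD_ROOT_CERTIFICATES =", load_root_certificates_value(SAMPLE_MTLS_OUTPUT))
```

Run it against the real site.pem from step 2 by reading the file into a string and passing it to the same functions; the chain order in the output is the order openssl printed it.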