Posted April 14, 2023

Using .NET code to resolve "Remote certificate is invalid" when a multi-tenant web app is configured as the client in a client-server model

You can validate the server certificate by thumbprint in the .NET application code to resolve "Remote certificate is invalid" when a multi-tenant App Service web app is configured as the client in a client-server model and makes HTTPS requests to a server whose certificate is issued by a private CA.

When a web app acts as a client and makes an HTTPS call to an external server secured by a private CA, the web app validates the server certificate's chain against the trusted root CAs installed in the App Service image. The remote server's certificate is signed by a private CA, and because that CA is not in the web app's trusted root store, chain validation fails and the request is rejected with "Remote certificate is invalid". You cannot modify the list of Trusted Root Certificates in multi-tenant App Service. The lab below implements .NET code that resolves "Remote certificate is invalid" without changing the trusted root store.

Prerequisites
Server: an Azure VM with IIS installed
Client: a Windows web app (App Service)
Domain: emmamusic.org (here, an App Service domain in Azure)
Certificates: two certificates, one signed by a well-known CA and one signed by a private CA.
Well-known CA signed (GoDaddy)
Here, we use an Azure App Service certificate.

Private CA signed
Create a self-signed certificate with PowerShell (run as admin). Reference: Sitecore How-To: Setup a Self Signed Certificate in IIS | Mike Skutta Blog (mskutta.github.io)
New-SelfSignedCertificate -DnsName "mysite.testingemma.com" -CertStoreLocation cert:\LocalMachine\My -FriendlyName "MySelfCert" -NotAfter (Get-Date).AddYears(10)

Server
Install IIS on Windows Server 2019: Configure IIS Web Server on Windows Server 2019 | ComputingForGeeks
- Remember to configure inbound NSG rules for HTTP and HTTPS.
- Install the server certificate manually: Installing server certificates manually in IIS - Microsoft Community Hub

Client web app
webapp-windows

Implementation
The following code references the GitHub repository ardoric/TrustDotNET: Sample dot net web app showing how to add TLS Trusted CA via code (github.com).

The application code makes two HTTPS calls to the remote server:
HttpClientBase: makes a normal HTTPS call to https://emmamusic.org with default certificate validation.
HttpClientCustom: makes an HTTPS call to https://emmamusic.org with a ServerCertificateCustomValidationCallback that accepts the server certificate by thumbprint.

Lab
Test 1: remote server with a server certificate signed by a well-known CA
Success: HttpClientBase. The issuing CA is in the web app's trusted root store, so default validation passes.

Test 2: remote server with a server certificate signed by a private CA
Failed: HttpClientBase has no custom validation, and the private CA is not in the web app's trusted root CA list. If App Service logs are enabled, you can use Log stream to view the error message. You can also run openssl s_client -connect emmamusic.org:443 to inspect the certificate chain the remote server presents, as illustrated below.

Test 3: remote server with a server certificate signed by a private CA
Success: HttpClientCustom uses a custom server certificate validation callback. Although the private CA is not in the web app's trusted root CA list, the application code accepts the certificate because its thumbprint matches the expected value.
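The following is an added example written for this post; it is not code from the TrustDotNET repository or from the lab web app. It shows the two shapes a ServerCertificateCustomValidationCallback can take in Test 3: the insecure shortcut that returns true for every certificate (which turns off TLS authentication entirely), and a pinning callback that keeps default validation for servers with a publicly trusted chain and accepts an untrusted chain only when the leaf certificate hashes to a pinned value. The host name, the pinned hash (a zero placeholder) and the method names are assumptions; the real pin must be read from the server certificate out of band, for example from the openssl s_client output in Test 2. It targets .NET 5 or later (SHA256.HashData and Convert.FromHexString).

```csharp
// Added example for this post; not code from the TrustDotNET sample or from App Service.
// Assumptions: the host name, the pinned hash value and the method names are placeholders.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class PinnedHttpClient
{
    // SHA-256 hash of the server's DER-encoded leaf certificate, hex, no separators.
    // Placeholder value: obtain the real one from the server certificate out of band, e.g.
    //   openssl s_client -connect emmamusic.org:443 </dev/null | openssl x509 -noout -fingerprint -sha256
    // Note that X509Certificate2.Thumbprint in .NET is SHA-1; a pin should use SHA-256.
    const string PinnedSha256Hex =
        "0000000000000000000000000000000000000000000000000000000000000000";

    // INSECURE shortcut often pasted to "fix" the certificate error: it disables validation
    // entirely, so any certificate, including one from a man-in-the-middle, is accepted.
    public static HttpClient InsecureClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) => true
        };
        return new HttpClient(handler);
    }

    // Client that keeps default validation and adds the pin as the only exception.
    public static HttpClient PinnedClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidateServerCertificate
        };
        return new HttpClient(handler);
    }

    // Accept when (a) default chain validation succeeded (Test 1, public CA), or
    // (b) the ONLY problem is the chain (untrusted private root, Test 3) and the leaf
    // certificate is byte-for-byte the pinned one. Everything else is rejected.
    internal static bool ValidateServerCertificate(
        HttpRequestMessage request, X509Certificate2? certificate, X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        if (certificate is null)
            return false;

        // A host name mismatch or a missing certificate is never acceptable, pinned or not.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;

        // The pin bypasses the CA check, not the validity period.
        DateTime now = DateTime.UtcNow;
        if (now < certificate.NotBefore.ToUniversalTime() || now > certificate.NotAfter.ToUniversalTime())
            return false;

        return MatchesPin(certificate, PinnedSha256Hex);
    }

    internal static bool MatchesPin(X509Certificate2 certificate, string pinnedSha256Hex)
    {
        byte[] actual = SHA256.HashData(certificate.RawData);
        byte[] expected = Convert.FromHexString(pinnedSha256Hex);
        // Constant-time comparison so the compare cannot leak how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Usage: with the placeholder pin, a private-CA server is rejected (HttpRequestException
    // wrapping an AuthenticationException, as in Test 2) until the real hash is pinned.
    public static async Task Main()
    {
        using HttpClient client = PinnedClient();
        try
        {
            using HttpResponseMessage response = await client.GetAsync("https://emmamusic.org/");
            Console.WriteLine($"Status: {(int)response.StatusCode}");
        }
        catch (HttpRequestException ex)
        {
            Console.WriteLine($"Rejected: {ex.Message}");
        }
    }
}
```

The pin is on the leaf certificate, so renewing the server certificate, even under the same private CA, breaks the client until the pinned hash is updated; keep the pin in configuration rather than compiled in, and roll it together with the server certificate.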
Conclusion
You cannot modify the list of Trusted Root Certificates in multi-tenant App Service, so you have three options:
1. Have the server present a certificate issued by a publicly trusted CA.
2. Use an App Service Environment, where the trusted root store can be changed.
3. Validate the server certificate by thumbprint in the application code.

Option 3 pins the client to one specific certificate: the callback must reject anything that does not match rather than return true for every certificate, and the pinned thumbprint has to be updated whenever the server certificate is rotated.

Reference
Root CA on App Service - Azure App Service
ardoric/TrustDotNET: Sample dot net web app showing how to add TLS Trusted CA via code (github.com)
Sitecore How-To: Setup a Self Signed Certificate in IIS | Mike Skutta Blog (mskutta.github.io)
Configure IIS Web Server on Windows Server 2019 | ComputingForGeeks
Installing server certificates manually in IIS - Microsoft Community Hub