This article walks through the possible scenarios when a Logic App reports the TLS error shown below.
In the flow chart below, each step carries a number that is elaborated further down in the text.
Diagram Link
1- You are getting the error "The SSL connection could not be established" in your Logic App Standard.
2- Run the following OpenSSL command in Kudu; its output tells you whether the endpoint requires a client certificate (replace client.badssl.com with your endpoint):
openssl s_client -showcerts -connect client.badssl.com:443 > site.pem
More information on Mutual SSL Authentication Link
3- Use any text editor to open the PEM file after you have downloaded it from Kudu.
4 and 5 - Check whether the file contains the line shown in the screenshot (the original compares the two cases side by side):
Site with client certificate
Site without client certificate
If the PEM file shows that a client certificate is requested, you should obtain the correct client certificate from your partner.
Usually the certificate is created by the client and signed by the server.
5.1- Convert the PFX file that holds the client certificate and its private key to Base64:
# Read the raw bytes of the PFX file (Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream instead of -Encoding Byte)
$fileContentBytes = Get-Content 'C:\pfx.pfx' -Encoding Byte
# Convert the bytes to a Base64 string and save it to a text file
[System.Convert]::ToBase64String($fileContentBytes) | Out-File 'C:\pfx-encoded-bytes.txt'
5.2- Inside the HTTP action, choose authentication type = Client Certificate and paste the Base64 text of the PFX file.
6- Export the site's public certificates using PowerShell.
From the Kudu PowerShell console, or from any VM that can reach the site, run the commands below; they loop through the site's certificate chain and save each certificate to a file.
# Accept any server certificate for this diagnostic session only, so the chain can be read even while validation is failing
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$webRequest = [Net.WebRequest]::Create("https://YOUR-SSL-SITE")
$response = $webRequest.GetResponse()
$response.Close()
# ServicePoint.Certificate is an X509Certificate; X509Chain.Build expects an X509Certificate2
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $webRequest.ServicePoint.Certificate
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($cert)
# Export every certificate in the chain as a DER-encoded .cer file named after its SHA-1 thumbprint
$chain.ChainElements.Certificate | ForEach-Object { Set-Content -Value $_.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert) -Encoding Byte -Path "$pwd\$($_.Thumbprint).cer" }
# Comma-separated list of thumbprints, the form the WEBSITE_LOAD_ROOT_CERTIFICATES setting expects
$WEBSITE_LOAD_ROOT_CERTIFICATES = ($chain.ChainElements.Certificate | ForEach-Object { $_.Thumbprint }) -join ','
Write-Host $WEBSITE_LOAD_ROOT_CERTIFICATES
Optional note
The site certificate itself does not need to be imported.
8- To complete the import, tell the Logic App site to pick up the imported certificates and load them: set the configuration value WEBSITE_LOAD_ROOT_CERTIFICATES to the SHA-1 thumbprints of all the certificates.
9- Test whether the Logic App can now reach the HTTP endpoint.
10- Still getting the same error? Then collect a network trace as follows.
Start the trace with the REST API below:
https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/start-network-trace
Then reproduce the problem.
Stop the trace with the REST API below:
https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/stop-network-trace
Finally, download the network trace from Kudu under the LogFiles folder.
11- Analyze the capture file using Wireshark.
After identifying the server IP and the Logic App IP, search for the TLS Alert and see which side rejects the handshake.
12- If it is the server, and a client certificate is required, make sure the Logic App is sending the client certificate by searching in Wireshark for
(tls.handshake.certificates_length)
The client certificate itself may be the problem, as described in "Client certificate not included by HttpClientHandler in .NET Core" (dotnet/runtime issue #26531 on github.com); to solve that you need a new client certificate.
13- If it is the client, verify that you have imported the certificate correctly.
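Steps 11 to 13 boil down to two questions: which side sent the TLS alert, and did the Logic App present a client certificate when the server asked for one. The Python below is an added example, not part of the article, that answers both over a tshark field export of the trace. It assumes the export was produced with `tshark -r trace.pcap -Y tls -T fields -e frame.number -e ip.src -e ip.dst -e tls.handshake.type -e tls.handshake.certificates_length -e tls.alert_message.desc`; the two sample captures and the IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
CERTIFICATE, CERTIFICATE_REQUEST = 11, 13  # TLS handshake message types (RFC 5246)
# Constructed sample exports (not from the article), tab-separated as "tshark -T fields" prints them.
# Columns: frame.number, ip.src, ip.dst, tls.handshake.type, tls.handshake.certificates_length, tls.alert_message.desc
SERVER_REJECTS = "\n".join("\t".join(r) for r in [  # Logic App 10.0.0.4, partner endpoint 203.0.113.10
    ("1", "10.0.0.4", "203.0.113.10", "1", "", ""),            # ClientHello
    ("2", "203.0.113.10", "10.0.0.4", "2,11,13", "2310", ""),  # ServerHello, Certificate, CertificateRequest
    ("3", "10.0.0.4", "203.0.113.10", "11,16", "0", ""),       # client Certificate carrying an empty list
    ("4", "203.0.113.10", "10.0.0.4", "", "", "40"),           # alert 40 = handshake_failure, sent by the server
])
CLIENT_REJECTS = "\n".join("\t".join(r) for r in [
    ("1", "10.0.0.4", "203.0.113.10", "1", "", ""),
    ("2", "203.0.113.10", "10.0.0.4", "2,11,14", "1840", ""),  # no CertificateRequest this time
    ("3", "10.0.0.4", "203.0.113.10", "", "", "48"),           # alert 48 = unknown_ca, sent by the client
])

@dataclass
class Verdict:
    alert_from: Optional[str] = None         # "server" or "client"
    alert_desc: Optional[int] = None
    client_cert_requested: bool = False
    client_cert_sent: Optional[bool] = None  # None: the client never sent a Certificate message
    advice: str = "no TLS alert in this export; confirm the display filter and the two IPs"

def _ints(cell: str) -> list:
    return [int(v) for v in cell.split(",") if v.strip()]  # tshark joins repeated values with ','
def triage(export: str, client_ip: str, server_ip: str) -> Verdict:
    v = Verdict()
    for line in export.splitlines():
        cols = line.split("\t")
        if len(cols) != 6:
            continue
        _, src, _, htypes, cert_len, alert = cols
        role = {client_ip: "client", server_ip: "server"}.get(src)
        if role is None:
            continue
        if role == "server" and CERTIFICATE_REQUEST in _ints(htypes):
            v.client_cert_requested = True
        if role == "client" and CERTIFICATE in _ints(htypes):
            v.client_cert_sent = any(n > 0 for n in _ints(cert_len))
        if alert.strip() and v.alert_from is None:  # the first alert names the rejecting side
            v.alert_from, v.alert_desc = role, _ints(alert)[0]
    if v.alert_from == "server" and v.client_cert_requested and not v.client_cert_sent:
        v.advice = "step 12: the server asked for a client certificate and the Logic App sent none"
    elif v.alert_from == "server":
        v.advice = "step 5: the server rejected the handshake; confirm the client certificate with the partner"
    elif v.alert_from == "client":
        v.advice = "step 13: the Logic App rejected the server chain; re-check the imported root certificates"
    return v
```

Run `triage(SERVER_REJECTS, "10.0.0.4", "203.0.113.10")` to see the step 12 case and `triage(CLIENT_REJECTS, ...)` for the step 13 case.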