Blog Post

Azure Integration Services Blog
3 MIN READ

HTTPS endpoint troubleshooting in Logic App standard

Mohammed_Barqawi's avatar
Jan 30, 2023

The article will go through all the possible scenarios when the logic app is giving TLS error as below.

 

 

In the below flow chart, each step has a number which is elaborated farther in the down section

 

Digram Link 

 

 

 

 

1-You are getting the error " The SSL connection could not be established" in your logic app standard

 

2-You need to run the following OpenSSL command in your Kudo that will tell you if the endpoint will require client certificate

 

 

 

 

openssl s_client -showcerts  -connect client.badssl.com:443>site.pem

 

 

 

 

 

More information on Mutual SSL Authentication Link

 

3- Use any text editor to open the Pem file after you downloaded it from Kudu

 

4 and 5 - If the File has the below line

Site with client certificate

Site without client certificate

 

 

If the Pem file has the Client certificate, then that means you should obtain the correct client certificate from your partner.

usually, the certificate is created by the client and signed by the server

 

 5.1- you need to convert the PFX file that has the client certificate private key to base64

 

 

 

 

 

//Extracting the byte from the pfx file
$fileContentBytes = Get-Content 'C: \pfx.pfx' -Encoding Byte
//Converting to Base64String
[System.Convert]::ToBase64String($fileContentBytes) | Out-File 'C: \pfx-encoded-bytes.txt'

 

 

 

 

 

 

5.2- Inside the http action chose authentication type = client certificate  and paste the base64 text for the PFX file

 

6- Export the site's public certificates using powershell

From Kudu powershell menu or any VM that can access the site  write the below command that will loop through all the site certificate chains and download them into a files

 

 

 

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$webRequest = [Net.WebRequest]::Create("YOUR SSL Site")
$webRequest.GetResponse()
$cert = $webRequest.ServicePoint.Certificate
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.build($cert)
$chain.ChainElements.Certificate | ForEach-Object { set-content -value $($_.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)) -encoding byte -path "$pwd\$($_.Thumbprint).cer" }
$WEBSITE_LOAD_ROOT_CERTIFICATES=$chain.ChainElements.Certificate|select Thumbprint 


Write-Host $WEBSITE_LOAD_ROOT_CERTIFICATES

 

 

 

 

 

 

Optional note

No need to import the site certificate

 

8- to complete the import process we need to inform the Logic app site to pick the imported certificate and load them to the site and this is can be done by modifying the configuration value WEBSITE_LOAD_ROOT_CERTIFICATES to contain all the certificates sha-1 fingerprint  

 

9- test if the Logic app was able to access the http endpoint

 

10- Still getting the same error? then you need to collect the network trace by

We can enable the trace by the below REST API:

https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/start-network-trace

Later reproduce the problem.

Again, we can stop the traces by the below REST API.

https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/stop-network-trace

then download the network trace from Kudu under the folder log

11- Analyze the network file using Wireshark

After identifying the server IP and the logic app IP we need to search for the Alert and see who is the one who rejects the handshaking

 

12- If it is server and if the client certificate is required then make sure that logic app sending the client certificate by searching in Wireshark for

(tls.handshake.certificates_length )

There could be an issue in the client certificate due to the issue Client certificate not included by Client certificate not included by HttpClientHandler in .net core · Issue #26531 · dotnet/runtime (github.com)  and to solve that you need to have a new client certificate

 

13- If it is a client then verify that  you have imported the certificate correctly

 

Updated Mar 01, 2023
Version 3.0
No CommentsBe the first to comment