Remote certificate is invalid when calling an external endpoint from web app
Published Apr 13 2023 05:51 PM
Microsoft

Using .NET code to resolve “Remote certificate is invalid” when a multi-tenant web app is configured as the client in a client-server model.

 

You can validate the server certificate's thumbprint in the .NET application code to resolve “Remote certificate is invalid” when a multi-tenant web app is configured as the client in a client-server model and makes an HTTPS request to a server configured with a certificate from a private CA.

 

When a web app acts as a client and makes an HTTPS call to an external server secured by a private CA, the web app validates the server’s certificate against its default set of installed trusted root CAs. However, the remote server certificate is signed by a private CA, and since that CA is not in the web app’s list of trusted roots, the web app will not validate the certificate. You cannot modify the list of Trusted Root Certificates in multi-tenant App Service.

 

The lab below implements .NET code to resolve “Remote certificate is invalid”.

 

Prerequisites

  • Server: an Azure VM with IIS Server installed
  • Client: Windows web app
  • Domain: emmamusic.org (here, we use an App Service domain in Azure)
  • Certificates: two certificates. One is signed by a well-known CA and the other is signed by a private CA.

Client

  • web app webapp-windows

 

Implementation

The code used in this lab is based on the following GitHub repository:

ardoric/TrustDotNET: Sample dot net web app showing how to add TLS Trusted CA via code (github.com)

 

The application code implements two HTTPS calls to the remote server.

Lab

Test 1: remote server with server certificate signed by a well-known CA

Success: HttpClientBase


Test 2: remote server with server certificate signed by a private CA

Failed: HttpClientBase has no custom validation, and the private CA is not in the web app's trusted root CA list either.

 

If App Service logs are enabled, you can use Log stream to view the error message.

 

You can also use the command: openssl s_client -connect emmamusic.org:443 to check the remote server's certificate.

 

Test 3: remote server with server certificate signed by a private CA

Success: HttpClientCustom uses custom server certificate validation. Although the private CA is not in the web app's trusted root CA list, the certificate is validated in the application code by thumbprint.
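
One way to write the thumbprint check that Test 3 describes, added here as an example; it is not the lab's code or the TrustDotNET repository's code. It assumes .NET 6 or later, pins the SHA-256 thumbprint of the server certificate, and reads it from a hypothetical app setting named PINNED_SERVER_SHA256; the class and method names are also illustrative.

```csharp
#nullable enable
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedHttpClient
{
    // Hypothetical app setting holding the expected SHA-256 thumbprint (hex)
    // of the server certificate issued by the private CA.
    private const string SettingName = "PINNED_SERVER_SHA256";

    public static HttpClient Create()
    {
        string hex = Environment.GetEnvironmentVariable(SettingName)
            ?? throw new InvalidOperationException($"{SettingName} is not set.");
        byte[] pinned = Convert.FromHexString(hex.Replace(" ", "").Replace(":", ""));

        var handler = new HttpClientHandler
        {
            // Never "return true" unconditionally: that disables TLS authentication.
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => Validate(cert, errors, pinned)
        };
        return new HttpClient(handler);
    }

    public static bool Validate(X509Certificate2? cert, SslPolicyErrors errors, byte[] pinned)
    {
        // A chain that already validates against the platform trust store is accepted as usual.
        if (errors == SslPolicyErrors.None) return true;
        if (cert is null) return false;

        // Tolerate only an untrusted chain (the private CA case). A host name
        // mismatch or a missing certificate still fails the handshake.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;

        // Chain errors can also hide an expired certificate, so check validity here.
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter) return false;

        // Constant-time comparison of the presented certificate's hash with the pin.
        byte[] actual = cert.GetCertHash(HashAlgorithmName.SHA256);
        return CryptographicOperations.FixedTimeEquals(actual, pinned);
    }
}
```

Because the pin is tied to one certificate, the setting has to be updated whenever the server certificate is renewed, and revocation is not checked on this path.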


 

Conclusion

You cannot modify the list of Trusted Root Certificates in multi-tenant App Service; therefore, you have 3 solutions:

  1. Bind the server with a Trusted CA certificate.
  2. Use an App Service Environment.
  3. Implement Server thumbprint in code.

Last update: Apr 03 2023 03:42 PM