Remote certificate is invalid when calling an external endpoint from web app
Published Apr 13 2023 05:51 PM 4,736 Views
Microsoft

Using .NET code to resolve “Remote certificate is invalid” when multi-tenant web app is configured as client in client-server model.

 

You can implement the server thumbprint in the .NET application code to resolve “Remote certificate is invalid” when multi-tenant web app is configured as client in client-server model and making HTTS request to a server configured with a private CA.

 

When a web app acts as a client and makes an HTTPS call to an external server secured by a private CA, the web app uses its default installed trusted root CA’s public key to validate the server’s certificate. However, the remote server certificate is signed by a private CA, and since there is no such trusted CA in the web app’s trusted source list, it will not be validated by the web app. You cannot modify the list of Trusted Root Certificates in multi-tenant App Service.

 

The lab below implements .NET code to resolve “Remote certificate is invalid”.

 

Prerequisites

  • Server: an Azure VM with IIS Server installed
  • Client: windows web app
  • Domain: emmamusic.org (Here, we use app service domain in Azure)
  • Certificates: two certificates. One is signed by well-known CA and another one is signed by private CA.

Server

  • Emma_Yen_2-1680497426494.png

Client

  • web app webapp-windows
    Emma_Yen_3-1680497426495.png

 

Implementation

The following code is referencing below GitHub repository.

ardoric/TrustDotNET: Sample dot net web app showing how to add TLS Trusted CA via code (github.com)

 

The application code implements two HTTPS calls to remote server.

Lab

Test 1: remote server with server certificate signed by a well-known CA

Success: HttpClientBase

Emma_Yen_6-1680497426499.png

Test 2: remote server with server certificate signed by a private CA

Failed: HttpClientBase is without custom validation and private CA is not listed in trusted root CA list of web app as well. 

Emma_Yen_7-1680497426500.png

 

If app service logs is enabled, you can use log stream to view the error message Emma_Yen_8-1680497426502.png

 

You can also use the command: openssl s_client -connect emmamusic.org:443 to check remote server certificate as illustrated below.

Emma_Yen_9-1680497426504.png

 

Test 3: remote server with server certificate signed by a private CA

Success: HttpClientCustom is with a custom server certificate validation. Though the private CA is not listed in trusted root CA list of web app, it is validated in the application code by thumbprint. 

Emma_Yen_10-1680497426504.png

Emma_Yen_11-1680497426505.png

 

Conclusion

You cannot modify in the list of Trusted Root Certificates in multi-tenant App Service; so therefore, you have 3 solutions:

  1. Bind the server with a Trusted CA certificate.
  2. Use an App Service Environment
  3. Implement Server thumbprint in code.

Reference

Co-Authors
Version history
Last update:
‎Apr 03 2023 03:42 PM
Updated by: