HTTPS endpoint troubleshooting in Logic App standard
Published Jan 30 2023 07:36 AM 6,083 Views

The article will go through all the possible scenarios when the logic app is giving TLS error as below.




In the below flow chart, each step has a number which is elaborated farther in the down section



Digram Link 





1-You are getting the error " The SSL connection could not be established" in your logic app standard


2-You need to run the following OpenSSL command in your Kudo that will tell you if the endpoint will require client certificate





openssl s_client -showcerts  -connect>site.pem






More information on Mutual SSL Authentication Link


3- Use any text editor to open the Pem file after you downloaded it from Kudu


4 and 5 - If the File has the below line

Site with client certificate

Site without client certificate





If the Pem file has the Client certificate, then that means you should obtain the correct client certificate from your partner.

usually, the certificate is created by the client and signed by the server


 5.1- you need to convert the PFX file that has the client certificate private key to base64






//Extracting the byte from the pfx file
$fileContentBytes = Get-Content 'C: \pfx.pfx' -Encoding Byte
//Converting to Base64String
[System.Convert]::ToBase64String($fileContentBytes) | Out-File 'C: \pfx-encoded-bytes.txt'







5.2- Inside the http action chose authentication type = client certificate  and paste the base64 text for the PFX file



6- Export the site's public certificates using powershell

From Kudu powershell menu or any VM that can access the site  write the below command that will loop through all the site certificate chains and download them into a files




[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$webRequest = [Net.WebRequest]::Create("YOUR SSL Site")
$cert = $webRequest.ServicePoint.Certificate
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainElements.Certificate | ForEach-Object { set-content -value $($_.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)) -encoding byte -path "$pwd\$($_.Thumbprint).cer" }
$WEBSITE_LOAD_ROOT_CERTIFICATES=$chain.ChainElements.Certificate|select Thumbprint 









Optional note

No need to import the site certificate



8- to complete the import process we need to inform the Logic app site to pick the imported certificate and load them to the site and this is can be done by modifying the configuration value WEBSITE_LOAD_ROOT_CERTIFICATES to contain all the certificates sha-1 fingerprint  


9- test if the Logic app was able to access the http endpoint


10- Still getting the same error? then you need to collect the network trace by

We can enable the trace by the below REST API:

Later reproduce the problem.

Again, we can stop the traces by the below REST API.

then download the network trace from Kudu under the folder log

11- Analyze the network file using Wireshark


After identifying the server IP and the logic app IP we need to search for the Alert and see who is the one who rejects the handshaking


12- If it is server and if the client certificate is required then make sure that logic app sending the client certificate by searching in Wireshark for

(tls.handshake.certificates_length )


There could be an issue in the client certificate due to the issue Client certificate not included by Client certificate not included by HttpClientHandler in .net core · Issue #26531 · dotnet/runtime (g...  and to solve that you need to have a new client certificate


13- If it is a client then verify that  you have imported the certificate correctly


Version history
Last update:
‎Mar 01 2023 12:01 AM
Updated by: