
I'm developing a Blazor Server App with VS2019. When running locally (debug or release) it is running and working fine. After publishing it to Azure App Services I get the remote certificate invalid message. At the moment I call a controller method.

Part of the razor page code is:

    protected override async Task OnParametersSetAsync()
    {
        await Task.Run(async () => await GetExperimentInfo());
    }

    protected async Task GetExperimentInfo()
    {
        if (string.IsNullOrEmpty(eid))
        {
            ExperimentName = "Experiment entity not provided";
            return;
        }

        // The server-side page calls back into its own API over HTTPS,
        // so the host must trust the certificate chain served at BaseUri.
        HttpClient client = new HttpClient();
        client.BaseAddress = new Uri(NavigationManager.BaseUri);

        // GetFromJsonAsync comes from System.Net.Http.Json.
        ExpInfo = await client.GetFromJsonAsync<ExperimentInfo>("api/experiment/" + eid);
        if (ExpInfo == null)
        {
            ExperimentName = "Error: Experiment not found";
            return;
        }

        ExperimentName = ExpInfo.Name;
    }

The 'eid' is specified as an argument calling the razor page.

Calling the controller GET method in the server app on Azure App Service directly returns the correct information. Calling the same controller GET method from within the razor page returns the AuthenticationException of invalid remote certificate!

The method called in the controller is:

    [Route("api/experiment/{eid}")]
    [HttpGet]
    public ExperimentInfo GetExperimentInfo(string eid)
    {
        var ExpInfo = GetSNExperimentData(eid);

        return ExpInfo;
    }

I've browsed a lot of articles on the web, but so far did not find a correct answer why and how to resolve this.

Anyone any idea or experience? Thx

DaddyCool
  • As the error says, HttpClient is complaining that the certificate on that https endpoint is not valid. You can have a look at the cert yourself and verify whether the certificate has expired / has something else wrong with it. – R J Apr 09 '21 at 08:52
  • Sometimes it can also happen that the cert is valid, but not trusted by the server (i.e. the certificate is self-signed or the cert issuer is not a "trusted" party from your server's perspective). A workaround for this is documented in another stackoverflow question: https://stackoverflow.com/questions/777607/the-remote-certificate-is-invalid-according-to-the-validation-procedure-using?rq=1 – R J Apr 09 '21 at 08:55

1 Answer

The problem was solved by Microsoft Azure Support (by Kevin Kessler) with the following explanation:

This indicates that whichever Root CA is within the remote web service's certificate chain, is not trusted. This is due to the Root CA not being contained within the app service's Trusted Root store.

The Azure web app resides on an App Service Environment (ASE). In this case you may be able to resolve the issue by uploading the needed certificates and assigning their thumbprint values to the app service settings.

Please see this document, which covers the use of certificates on an ASE and how to configure on an app service: https://learn.microsoft.com/en-us/azure/app-service/environment/certificates#private-client-certificate

Additionally, this StackOverflow article may provide further guidance: How to make the azure app service trust the certificates issued by the OnPrem CA?

Resolution: Uploaded Root and intermediate certificates to ASE

DaddyCool
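To find out which root or intermediate certificate the App Service host is missing, the chain can be logged from inside the app while validation stays enforced. This is an added example, not code from the original post or from Microsoft Support; the `TlsChainDiagnostics` class, the `CreateClient` helper and the placeholder URL are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class TlsChainDiagnostics   // hypothetical helper, not part of the app
{
    // Builds an HttpClient that logs each certificate in the presented chain
    // together with its validation status. The platform's verdict is kept:
    // an untrusted chain is still rejected, it is only made visible.
    public static HttpClient CreateClient(Action<string> log)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                log($"{request.RequestUri}: SslPolicyErrors={errors}");
                if (chain != null)
                {
                    foreach (X509ChainElement element in chain.ChainElements)
                    {
                        log($"  subject={element.Certificate.Subject}");
                        log($"  issuer={element.Certificate.Issuer}");
                        log($"  thumbprint={element.Certificate.Thumbprint}");
                        // UntrustedRoot or PartialChain here marks where trust stops.
                        foreach (X509ChainStatus status in element.ChainElementStatus)
                            log($"    {status.Status}: {status.StatusInformation.Trim()}");
                    }
                }
                return errors == SslPolicyErrors.None;   // never accept an invalid chain
            }
        };
        return new HttpClient(handler);
    }

    public static async Task Main(string[] args)
    {
        // Placeholder URL (assumption); pass the failing endpoint as the first argument.
        string url = args.Length > 0 ? args[0] : "https://example.invalid/api/experiment/1";
        using HttpClient client = CreateClient(Console.WriteLine);
        try { Console.WriteLine((await client.GetAsync(url)).StatusCode); }
        catch (HttpRequestException ex) { Console.WriteLine(ex.InnerException?.Message ?? ex.Message); }
    }
}
```

The issuer of the last logged element names the CA certificate that has to be uploaded to the ASE; once it is trusted, the same call logs `SslPolicyErrors=None`.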