
I have created two Azure httpTrigger functions and serve them over HTTPS. During local development, when I call Azure function 2 from Azure function 1, I get the following message:

The SSL connection could not be established, see inner exception.

The remote certificate is invalid according to the validation procedure.

After looking for a solution I found this (solution 1) and this (solution 2).

I tried the first solution (shown below) and it did not make a difference. (Aside: I'm glad, as I don't like removing the security checks for a call.)

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) =>
{
    var isDevelopment = false;
    #if DEBUG
    isDevelopment = true;
    #endif
    if (isDevelopment) return true;
    return errors == SslPolicyErrors.None;
};

I considered solution 2 but when my application starts up it clearly states:

Generating a self signed certificate using openssl

My question is: how do I call Azure function 2 from Azure function 1 without disabling ServerCertificateValidationCallback?

UPDATE:

I created a certificate manually and it continued to return the same error. I have managed to suppress the error for local development by replacing ServicePointManager.ServerCertificateValidationCallback with ConfigurePrimaryHttpMessageHandler when I set up my httpClient, which now looks like the code below. But I would still like to know how to make the call without this being needed.

services.AddHttpClient<ILocationDetailsService, LocationDetailsService>(client =>
    {
        var writeBaseUrl = configuration.GetValue<string>("WriteBaseUrl");
        client.BaseAddress = new Uri(writeBaseUrl); // get url from config
        client.DefaultRequestHeaders.Add("ContentType", "application/json");
    })
    .ConfigurePrimaryHttpMessageHandler(() =>
        new HttpClientHandler()
        {
            // Accepts any server certificate in DEBUG builds; Release builds keep normal validation
            ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) =>
            {
                var isDevelopment = false;
#if DEBUG
                isDevelopment = true;
#endif
                if (isDevelopment) return true;
                return sslPolicyErrors == SslPolicyErrors.None;
            }
        }
    );

UPDATE 2:

@John Wu has suggested that I identify the error by navigating to the URL in the browser. In Firefox I get:

https://localhost:7072/api/contact The certificate is not trusted because it is self-signed. Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

In Chrome I get:

NET::ERR_CERT_AUTHORITY_INVALID

Looks like I have my answer. Once I resolve it I will update with an answer. On a side note, it looks like all my endpoints are doing the same; I had been assuming that they were all working without errors until now. Thanks @John Wu

tony09uk
  • Have you examined the certificate? Why is it invalid? – John Wu Apr 24 '22 at 06:17
  • I have created and added a new certificate to be used and got the same result. – tony09uk Apr 24 '22 at 06:59
  • You need to find out why the certificate is considered invalid. Open a browser and navigate to the service URL, the browser will give you a better error message, and when you view the certificate it will tell you what the problem with it is on the first tab. – John Wu Apr 24 '22 at 07:44
  • @JohnWu what if the browser is fine, but when C# code is sending a request to this endpoint, I get "Remote certificate is invalid" – Vin Shahrdar Aug 21 '22 at 22:31
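
An added example, not part of the original question or its comments: a validation callback that keeps certificate checks on in local development by pinning the one self-signed certificate the local host presents, instead of returning true for everything. The class name `DevCertificateTrust` and the `devCertPath` parameter are hypothetical; the code assumes .NET 5 or later and a file holding only the public certificate exported from the local host.

```csharp
#nullable enable
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class DevCertificateTrust
{
    // Assumption: devCertPath is a .cer/.pem file with the public part of the
    // self-signed certificate served on https://localhost (no private key).
    public static HttpClientHandler CreateHandler(string devCertPath)
    {
        var pinned = new X509Certificate2(devCertPath);
        return new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => IsAcceptable(cert, errors, pinned)
        };
    }

    public static bool IsAcceptable(
        X509Certificate2? presented, SslPolicyErrors errors, X509Certificate2 pinned)
    {
        // A certificate that already validates against the machine trust store is fine.
        if (errors == SslPolicyErrors.None) return true;

        // Tolerate only an untrusted chain (the self-signed case). A host name
        // mismatch or a missing certificate is still rejected.
        if (presented is null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        // Chain errors also cover expiry, so check the validity window explicitly.
        var now = DateTime.Now; // NotBefore/NotAfter are expressed in local time
        if (now < presented.NotBefore || now > presented.NotAfter) return false;

        // Accept only the exact certificate that was pinned, byte for byte.
        return presented.RawData.AsSpan().SequenceEqual(pinned.RawData);
    }
}
```

With the setup from the question, `() => DevCertificateTrust.CreateHandler(path)` would be passed to `ConfigurePrimaryHttpMessageHandler` in place of the `#if DEBUG` bypass, so any certificate other than the pinned one still fails the handshake.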
