Hello,

I can't really figure out the Azure AD Application Proxy.

The following standard scenario: Internally there is a NGINX server (SLES 15 SP3 up to date), which can be accessed via HTTP/S. The website there can be reached internally via any browser using TLSv1.2 and TLSv1.3 without any problems.

This NGINX server is also provided externally via the Azure AD Application Proxy Connector (Windows Server 2019 up to date, connector is also patched, .NET Framework 4.7.2). In principle, this works so far, BUT sometimes (every minute or so after a few refreshes), the following error message appears:

One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.
For more details, check the Application Proxy Connector Event Log for reported errors.

In the mentioned event log from Azure AD Application Proxy Connector, the information is not more helpful.

The SSL server certificate presented to Microsoft AAD Application Proxy Connector by the backend server is not valid; the certificate is not trusted.

I think the error message is not quite right here. The connection does work, which means that the certificate is trusted. Just not always. My suspicion is that it might have something to do with the TLS cipher suites. I've already tested different cipher suite combinations in NGINX. This makes the error message appear more or less often. For example, when I adopt NGINX's default for ssl_ciphers, I only get this error message.

At the moment I use the following TLS configuration in NGINX. This is the only one that allows the page load halfway often.

ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_dhparam dhparam.pem;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1d;

By the way, I can probably reproduce the error with Invoke-WebRequest in PowerShell. Again, sometimes an error message comes, but not always.

Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:1
+ Invoke-WebRequest -Uri https://abc.example.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Has anyone gotten something like this to work yet?

Thanks and best regards.

Hello @Tortigar ,

Thanks for reaching out and apologies for the delayed response.

This occurs when the Azure AD Application Proxy connector can establish a TCP connection to the backend server's IP address (based on the hostname in the internal URL - for example, app1.contoso.com in https://app1.contoso.com/), but it is unable to negotiate an SSL session.

These are the most common root causes of this problem.

• Network problem - incorrect TLS protocol setup (protocol, cipher suite, algorithm; there are further settings)
• No certificate or an invalid certificate is bound on the backend server
• The connector server is unable to validate the server's SSL certificate (name mismatch, expired certificate etc.)

In this scenario, the "Azure AD Application Proxy Connector Event Logs" provide more info regarding Bad Gateway difficulties (such as Secure Sockets Layer (SSL) failures), and example Admin logs are provided below for your reference.

To answer your question related to cipher suites, you can use the following site https://www.ssllabs.com/ssltest/analyze.html? to validate the list of suites in server-preferred order and make sure you have them configured in your NGINX server; below is for your reference.

If none of these work, I would recommend you to reach out to Azure support because this would require a more extensive investigation. If you do not have a support plan, please send an email with the subject line “Attn: SivaKumarS” to AzCommunity[at]Microsoft[dot]com referencing this article and your subscription id, and we will help you get one-time free technical support.

Hope it helps!!!

-----
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
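The question reproduces the failure with Invoke-WebRequest, and the answer lists three candidate causes (TLS protocol/cipher setup, a bad certificate binding, a chain the connector cannot validate) without a way to tell them apart. The script below is an added diagnostic, not code from either poster or from Microsoft. It runs on the connector host under Windows PowerShell 5.1 / .NET Framework, so it drives SChannel the same way the connector's HttpWebRequest does, repeats the handshake to catch the intermittent case, and for every attempt records what was negotiated together with the SslPolicyErrors and X509Chain status that .NET computed for the backend certificate. The hostname abc.example.com is the placeholder from the question; the port, attempt count and the TLS 1.2 floor are assumptions (the .NET Framework enum used here has no TLS 1.3 value, so the connector can only ever be negotiating 1.2 or lower against the NGINX box).

```powershell
# Added diagnostic, not part of the original thread. Repeats a TLS handshake against the
# backend the way the connector does (.NET SslStream on SChannel) and records, per attempt,
# the negotiated parameters plus the certificate-validation verdict .NET produced.
# Assumptions: run on the connector host; backend reachable as $HostName:$Port.
function Test-BackendTls {
    param(
        [Parameter(Mandatory)][string]$HostName,   # hostname from the app's internal URL
        [int]$Port = 443,
        [int]$Attempts = 20,
        # .NET Framework 4.7.2 exposes no Tls13 member; Tls12 is the ceiling SChannel on Server 2019 offers.
        [System.Security.Authentication.SslProtocols]$Protocol = [System.Security.Authentication.SslProtocols]::Tls12
    )

    $results = foreach ($i in 1..$Attempts) {
        # Slot the validation callback writes into; reset for every attempt.
        $script:tlsVerdict = @{ PolicyErrors = $null; ChainStatus = $null; Subject = $null; Issuer = $null }

        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $script:tlsVerdict.PolicyErrors = $sslPolicyErrors.ToString()
            $script:tlsVerdict.ChainStatus  = ($chain.ChainStatus |
                ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }) -join '; '
            $script:tlsVerdict.Subject = $certificate.Subject
            $script:tlsVerdict.Issuer  = $certificate.Issuer
            # Return $true so the handshake finishes and the negotiated cipher can be read;
            # the real verdict is what was recorded above, not this return value.
            return $true
        }

        $tcp = $null; $ssl = $null; $err = $null
        $proto = $null; $cipher = $null; $kex = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
            # Last argument: check revocation. Flip to $false to rule out CRL/OCSP reachability
            # as the source of an intermittent "not trusted" verdict.
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $true)
            $proto  = $ssl.SslProtocol
            $cipher = '{0}-{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            $kex    = '{0}-{1}' -f $ssl.KeyExchangeAlgorithm, $ssl.KeyExchangeStrength
        } catch {
            # Handshake-level failures (protocol/cipher mismatch) surface here, not in the callback.
            $err = $_.Exception.GetBaseException().Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Close() }
        }

        [pscustomobject]@{
            Attempt      = $i
            Protocol     = $proto
            Cipher       = $cipher
            KeyExchange  = $kex
            PolicyErrors = $script:tlsVerdict.PolicyErrors
            ChainStatus  = $script:tlsVerdict.ChainStatus
            Subject      = $script:tlsVerdict.Subject
            Issuer       = $script:tlsVerdict.Issuer
            Error        = $err
        }
        Start-Sleep -Milliseconds 250
    }
    $results
}

$r = Test-BackendTls -HostName 'abc.example.com' -Attempts 20
$r | Format-Table Attempt, Protocol, Cipher, KeyExchange, PolicyErrors, Error -AutoSize
# Rows with PolicyErrors other than 'None', or a non-empty Error, are the failed attempts;
# compare their Subject/Issuer/ChainStatus against the good rows.
$r | Where-Object { $_.PolicyErrors -ne 'None' -or $_.Error } | Format-List
```

Reading the output against the answer's list: an Error of "could not create SSL/TLS secure channel" with an empty PolicyErrors means the handshake never reached certificate validation (protocol or cipher-suite mismatch, the first cause); a PolicyErrors of RemoteCertificateChainErrors with a ChainStatus such as PartialChain or UntrustedRoot on only some attempts points at the backend serving a different certificate or chain on those connections, or at revocation checking timing out, rather than at cipher suites; RemoteCertificateNameMismatch is the third cause. If the Subject or Issuer differs between good and bad rows, the backend is not always presenting the same certificate, which matches the connector event text better than a cipher problem would.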