Azure https communication: Could not establish trust relationship for the SSL/TLS secure channel.

  • Question

  • I have an Azure worker role that hosts a WCF service.  I am using basicHttpBinding with Transport security and I am using an https address.

    When the role starts, I can go into my browser and enter something like https://myapp.cloudapp.net:10500/ and then I see a web page where it warns me about the cert. I can select ok and then see the typical service page.

    If I try to hit the address above via the WCF test client, I receive the error:

    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    I get the same error if I add a service reference in a console app.

    The certificate I am using for https is self-signed on my machine on my company's domain.

    Do I need to somehow create a signed certificate for this to work?


    STom

    Friday, November 16, 2012 3:50 AM

Answers

  • To enable SSL with self signed certificate on azure follow the steps provided here :

    http://azuresecurity.codeplex.com/wikipage?title=How%20to%20Enable%20SSL%20with%20a%20Self-Signed%20Certificate%20on%20Windows%20Azure

    ----------------------------

    Vijay Kulkarni, Avanade

    • Marked as answer by Johnson - MSFT Monday, November 26, 2012 4:49 AM
    Friday, November 16, 2012 4:05 PM
  • Hi, the most likely cause is the certificate is not issued to the domain myapp.cloudapp.net. A certificate is trusted if it is used on the domain which it is issued to. For example, if you have a certificate issued to yourcompany.com or localhost, you cannot use it for myapp.cloudapp.net.

    It is recommended to purchase a real certificate for myapp.cloudapp.net. Alternatively, please try to issue a self signed certificate for the specific domain. You can also ask further questions on a certificate related forum.

    Best Regards


    Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework

    • Marked as answer by Johnson - MSFT Monday, November 26, 2012 4:49 AM
    Tuesday, November 20, 2012 8:43 AM
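The two causes raised in this thread, a certificate not issued to myapp.cloudapp.net and a self-signed issuer the client does not trust, show up as different flags in the .NET validation callback that WCF and other HTTP clients use. The following C# is an added diagnostic example, not code from this thread or from Microsoft; the class name TlsTrustDiagnostics is assumed. It logs which SslPolicyErrors and chain status caused the failure and still rejects the certificate, so it explains the error without disabling validation.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical diagnostic helper (not part of WCF or this thread).
// Call TlsTrustDiagnostics.Install() before creating the WCF client proxy.
static class TlsTrustDiagnostics
{
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        // Normal case: the runtime already validated the certificate.
        if (errors == SslPolicyErrors.None)
            return true;

        var c2 = cert as X509Certificate2 ?? new X509Certificate2(cert);
        Console.WriteLine("TLS validation failed for subject {0}", c2.Subject);
        Console.WriteLine("  Issuer : {0}", c2.Issuer);
        Console.WriteLine("  Expires: {0:u}", c2.NotAfter);

        // The case described in the answer above: the certificate was issued to a
        // different host name (e.g. yourcompany.com or localhost), not myapp.cloudapp.net.
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.WriteLine("  -> RemoteCertificateNameMismatch: subject/SAN does not cover the requested host.");

        // Self-signed or private-CA certificate whose root is not in the client's
        // Trusted Root Certification Authorities store; the browser warns, WCF refuses.
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
        {
            Console.WriteLine("  -> RemoteCertificateChainErrors:");
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("     {0}: {1}", status.Status, status.StatusInformation.Trim());
        }

        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            Console.WriteLine("  -> RemoteCertificateNotAvailable: the server presented no certificate.");

        // Keep the secure default: a certificate that failed validation is never accepted.
        return false;
    }
}
```

A chain status of UntrustedRoot points at the trust store on the client; a name mismatch points at the certificate's subject or subject alternative name, which is the fix the answer above recommends.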

All replies

  • This is not really an Azure-specific issue but there are two simple ways to fix this:

    1) Purchase a domain name and an SSL certificate for this domain name. 

    2) Create a root authority certificate and using it, a self-signed certificate.  Follow instructions here


    Auto-scaling & monitoring service for Windows Azure applications at http://www.paraleap.com


    Friday, November 16, 2012 5:46 AM
  • So then, what you are calling the 'root authority certificate', they are calling 'self-signed certificate authority' and what you call 'self-signed certificate' they are calling 'code signed SPC certificate'???

    Doing this, which certificate would I reference in my Azure app, the self-signed certificate (not the root authority)...and also I'd put the self-signed certificate out into my cloud app?

    Thanks!


    STom

    • Marked as answer by Johnson - MSFT Monday, November 26, 2012 4:49 AM
    • Unmarked as answer by Johnson - MSFT Monday, November 26, 2012 4:49 AM
    Friday, November 16, 2012 1:57 PM
  • Ok, I have been very meticulous in trying to follow these processes.

    First of all, the reference to the article http://azuresecurity.codeplex.com/wikipage?title=How%20to%20Enable%20SSL%20with%20a%20Self-Signed%20Certificate%20on%20Windows%20Azure is incorrect. If you actually run the commands as it states, it puts the certificate in the 'Certificates - Current User->Personal->Certificates' store. That is not where it needs to be in order to show up in the VS list. To show up in that list, it needs to be in the 'Certificates (Local Computer) ->Personal->Certificates' store. I know this for a fact because I tried it over and over again.

    However, even after I created the certs and put them in the right place and also deployed the cert out to Azure, the same problem happens. When using the WCF test client, or after adding a service reference in a console client app, I get the error:

    Error: Cannot obtain Metadata from https://myapp.cloudapp.net:10500/ If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address.  For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata Exchange Error    URI: https://myapp.cloudapp.net:10500/    Metadata contains a reference that cannot be resolved: 'https://lwssltest.cloudapp.net:10500/'.    Could not establish trust relationship for the SSL/TLS secure channel with authority 'lwssltest.cloudapp.net:10500'.    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.    The remote certificate is invalid according to the validation procedure.HTTP GET Error    URI: https://myapp.cloudapp.net:10500/    There was an error downloading 'https://myapp.cloudapp.net:10500/'.    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.    The remote certificate is invalid according to the validation procedure.

    Now, if I go into my browser and go to the address https://myapp.cloudapp.net:10500/ I will be prompted for an unsafe certificate. If I click ok, it will then show me a service screen as you would expect.

    So what is the real issue here? Is it that the WCF test client or my test app can't validate the certificate? I noticed that if I used the tool WCF Storm Lite, it has no problems connecting to the https site.

    Thanks!


    STom

    Monday, November 19, 2012 1:31 AM