Intermittent "Chain validation failed" SSL error on Azure App Service (*.azurewebsites.net)

Hello,

Since November 11, our Android app has started failing intermittently (around 70% of requests) when connecting to our Azure App Service endpoint. The app throws the following exception:

javax.net.ssl.SSLHandshakeException: Chain validation failed

Key facts:

• The issue is intermittent — some requests succeed, others fail.
• It affects multiple Android devices and carriers (mobile data).
• The Android app hasn’t been updated in 6+ months and worked perfectly before Nov 11.
• The App Service uses the default Azure SSL certificate (*.azurewebsites.net) — no custom SSL.
• Tested with TLS 1.2.
• Verified with openssl s_client:

verify error:num=20:unable to get local issuer certificate

• The certificate chain observed:

*.azurewebsites.net
Microsoft Azure RSA TLS Issuing CA 04
DigiCert Global Root G2

• Android SSL analyzer reports CRL errors (“IOException occurred”) on the intermediate CA.
• SSL Report in SSL Labs

What we’ve already ruled out:

• No app code or configuration changes.
• Not device- or Android-version specific (tested on Android 13).
• Not network/firewall-related (fails on public mobile data).
• TLS version/cipher changes on App Service did not fix it.

Hypothesis: The intermediate certificate (“Microsoft Azure RSA TLS Issuing CA 04”) might not always be sent or its CRL/OCSP endpoints might be intermittently unreachable, causing Android’s certificate chain validation to fail.

Request: Could the Azure team please verify if there’s an ongoing issue with the *.azurewebsites.net certificate chain or with the CRL/OCSP availability of its intermediate CA? This behavior started suddenly on November 11 without any deployment changes on our side.

Environment details:

Resource: (Azure App Service, URL available privately if required)

• Region: (West US)
• TLS: 1.2 tested

Date/time first observed: November 11, 2025

• Error reproducible in ~70% of attempts from Android clients.

Thank you!