0

I have a certificate from Let's Encrypt in PEM format with a private key. I used OpenSSL to convert it to PFX format and then imported it in Azure Key Vault along with the password I used during conversion. I then deployed an application gateway and configured an HTTP listener to use the PFX certificate stored in the Key Vault. When I send an HTTPS request to the domain name of the certificate I get SSL routines:ssl3_read_bytes:tlsv1 unrecognized name, and from the browser I get ERR_SSL_UNRECOGNIZED_NAME_ALERT.

Following Microsoft guidelines, I created a user-assigned identity and gave it the ["Get"] permissions on the Key Vault secret and certificate, and made sure there are no connectivity problems. I also don't get any errors in the gateway itself. I still get the same error.

Configuring the Application Gateway to use the certificate directly from my local setup, the requests are successful and I don't get the same error. Any ideas why this happens when I use the Azure Key Vault? I tried uploading the certificate directly in the Azure portal, using the CLI and Terraform (filebase64 function), but I still get the error.

2
  • 2
    Just wanted to add that there are a few errors that can arise from Key Vault connectivity issues (usually when trying to use a private endpoint KV or an access policy misconfiguration). The one you experienced, "ERR_SSL_UNRECOGNIZED_NAME_ALERT", is a disabled listener due to the KV access issue. learn.microsoft.com/en-us/azure/application-gateway/… Commented May 17, 2023 at 14:19
  • Yes, you are right. Adding the gateway subnet to the networking of the Key Vault and adding the correct service endpoints to the gateway subnet did the trick. Commented May 18, 2023 at 9:30

2 Answers

3

Adding the Microsoft.KeyVault service endpoint to the AppGW subnet and adding the subnet to the Key Vault allowed subnets solved the issue.
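The fix described in this answer and in the comment on the question, written out as an added Terraform example (not code from the question, the answers, or Microsoft). It assumes an existing `azurerm_resource_group.rg` and `data.azurerm_client_config.current`; the resource names, address prefixes, vault name, certificate path and password variable are placeholders. The two lines that matter for the error are `service_endpoints = ["Microsoft.KeyVault"]` on the gateway subnet and `virtual_network_subnet_ids` in the vault's `network_acls`; everything else is the minimum the gateway resource needs to apply.

```hcl
# Gateway subnet. Without the Microsoft.KeyVault service endpoint, a vault
# firewall that only allows this subnet never sees the gateway's traffic as
# coming from it, the certificate fetch fails, and the listener is disabled.
resource "azurerm_subnet" "appgw" {
  name                 = "appgw-subnet"                        # assumed name
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = "appgw-vnet"                          # assumed existing VNet
  address_prefixes     = ["10.0.1.0/24"]                       # assumed prefix
  service_endpoints    = ["Microsoft.KeyVault"]
}

resource "azurerm_user_assigned_identity" "appgw" {
  name                = "appgw-identity"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_key_vault" "kv" {
  name                = "kv-placeholder-name"                  # must be globally unique
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Deny everything by default and allow only the gateway subnet; the listener
  # breaks when the subnet is missing from this list.
  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    virtual_network_subnet_ids = [azurerm_subnet.appgw.id]
  }
}

# Least privilege: the gateway identity only needs Get on secrets/certificates.
resource "azurerm_key_vault_access_policy" "appgw" {
  key_vault_id            = azurerm_key_vault.kv.id
  tenant_id               = data.azurerm_client_config.current.tenant_id
  object_id               = azurerm_user_assigned_identity.appgw.principal_id
  secret_permissions      = ["Get"]
  certificate_permissions = ["Get"]
}

# Import of the PFX converted with OpenSSL, using filebase64 as in the question.
resource "azurerm_key_vault_certificate" "le" {
  name         = "letsencrypt-cert"
  key_vault_id = azurerm_key_vault.kv.id
  certificate {
    contents = filebase64("cert.pfx")                            # assumed path
    password = var.pfx_password                                 # assumed variable
  }
}

resource "azurerm_public_ip" "appgw" {
  name                = "appgw-pip"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_application_gateway" "appgw" {
  name                = "appgw"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 1
  }

  # The identity the gateway uses to read the certificate from Key Vault.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.appgw.id]
  }

  # Versionless secret ID, so a renewed certificate is picked up without a plan change.
  ssl_certificate {
    name                = "letsencrypt-cert"
    key_vault_secret_id = azurerm_key_vault_certificate.le.versionless_secret_id
  }

  gateway_ip_configuration {
    name      = "gw-ipcfg"
    subnet_id = azurerm_subnet.appgw.id
  }
  frontend_port {
    name = "https"
    port = 443
  }
  frontend_ip_configuration {
    name                 = "public"
    public_ip_address_id = azurerm_public_ip.appgw.id
  }
  backend_address_pool {
    name = "backend"
  }
  backend_http_settings {
    name                  = "http-settings"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 30
  }
  http_listener {
    name                           = "https-listener"
    frontend_ip_configuration_name = "public"
    frontend_port_name             = "https"
    protocol                       = "Https"
    ssl_certificate_name           = "letsencrypt-cert"
  }
  request_routing_rule {
    name                       = "rule1"
    rule_type                  = "Basic"
    priority                   = 100
    http_listener_name         = "https-listener"
    backend_address_pool_name  = "backend"
    backend_http_settings_name = "http-settings"
  }

  # Make sure the access policy exists before the gateway first reads the secret.
  depends_on = [azurerm_key_vault_access_policy.appgw]
}
```

After `terraform apply`, a quick check that the listener is healthy is `az network application-gateway show` on the gateway and confirming no listener is reported as disabled; if the vault firewall later changes, the same ERR_SSL_UNRECOGNIZED_NAME_ALERT symptom is the first sign.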


1

Application Gateway has many moving parts, making configuration generally quite laborious.

I did create a Bicep Azure Quickstart Template that shows almost everything you need in a single end-to-end sample. The only part that is different is the certificate authority.

https://learn.microsoft.com/en-us/samples/azure/azure-quickstart-templates/deployment-script-azcli-agw-certificates/

I hope this helps.
