Azure FrontDoor reject certificates

Hi All,

Since Jul 28 2021 we have been unable to deploy a valid certificate to Azure FrontDoor.
According to Azure, at the same time they deployed a new validation that verifies the chain of the certificate.
All certificates that we created are rejected by Azure FrontDoor because that validation fails.

My domain is: *.channel.test.nati700.hvdsdev.tv
It produced this output: all required pem files
My web server is (include version): Azure FrontDoor

From Azure support:

I was checking the files you sent me and the chain doesn't look right.
As you can see, on the leaf certificate the intermediate is signed by DST Root CA X3, but on the intermediate the root is ISRG Root X1; this will prevent the system from validating the certificate, as there are 2 different Root CAs involved.

I also checked the intermediate CA thumbprint (R3) from the leaf certificate and checked the one present on the chain file.
Looks like there are different intermediate CAs named R3, and the leaf certificate is using a different one from the one present on the chain. We need to correct this, since it is now a requirement,

Hi @nfinkel, and welcome to the LE community forum :slight_smile:

Without showing the private key file, please show the other files you sent to Azure.

Hi All,

Please find attached the files that were generated by certbot:
cert1.pem (1.9 KB)
chain1.pem (3.7 KB)
fullchain1.pem (5.6 KB)

Try using this full chain file instead:
fullchainTEST.pem (4.6 KB)

Hi Rudy,

The full chain that you provided above is working as expected on Azure.
Can you please elaborate on what you changed and what we should do to support it?

Thanks

2 Likes

In short, there are two possible chains.
The default one you were given (for unknown reasons) doesn't work with your system.
I simply replaced the chain.pem portion to use the other trust path.
There should be a way to instruct the ACME client to always use that other trust path.

1 Like
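The mismatch Azure support describes above (the R3 that issued the leaf and the R3 in chain.pem share a name but not a key) can be caught before uploading anything. This is an added example, not code from this thread or from certbot; it assumes the openssl CLI (1.1.1 or later, for `-ext`), a POSIX shell with awk, sed and mktemp, and the function and file names are my own.

```shell
# Added example (not from this thread): check that each certificate in a
# certbot-style fullchain.pem is really issued by the certificate after it.
# Per link, the issuer name must equal the next subject AND the Authority Key
# Identifier must equal the next Subject Key Identifier; the second check is
# what catches two different CAs that both carry the name "R3".

split_chain() {
  # Write every PEM certificate in $1 to $2/cert.N (N = 1 for the leaf).
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert." n; inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { close(f); inside = 0 }
  ' "$1"
}

x509_field() {
  # $1: certificate file, $2: one of subject | issuer | skid | akid
  case "$2" in
    subject|issuer)
      openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*=//' ;;
    skid)
      openssl x509 -in "$1" -noout -ext subjectKeyIdentifier 2>/dev/null |
        sed -n '2{s/^[[:space:]]*//;p;}' ;;
    akid)  # OpenSSL 1.1.1 prefixes the id with "keyid:", 3.x does not
      openssl x509 -in "$1" -noout -ext authorityKeyIdentifier 2>/dev/null |
        sed -n '2{s/^[[:space:]]*//;s/^keyid://;p;}' ;;
  esac
}

check_chain() {
  # $1: fullchain PEM. Returns 0 when every link is consistent, 1 otherwise.
  dir=$(mktemp -d) || return 2
  split_chain "$1" "$dir"
  rc=0 i=1
  while [ -f "$dir/cert.$((i + 1))" ]; do
    cur="$dir/cert.$i" nxt="$dir/cert.$((i + 1))"
    akid=$(x509_field "$cur" akid)
    if [ "$(x509_field "$cur" issuer)" != "$(x509_field "$nxt" subject)" ]; then
      echo "cert $i: issuer name differs from the subject of cert $((i + 1))"; rc=1
    elif [ -z "$akid" ]; then
      echo "cert $i: no Authority Key Identifier, key link not checked"
    elif [ "$akid" != "$(x509_field "$nxt" skid)" ]; then
      echo "cert $((i + 1)) has the right name but not the key that signed cert $i"; rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  return "$rc"
}
```

Run `check_chain fullchain.pem` on the file you intend to upload. The client-side way to request the other trust path that Rudy mentions is certbot's `--preferred-chain "ISRG Root X1"` option (a certbot option, not something shown in this thread).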

Hi Rudy,

Thanks for the information. We managed to basically understand the fix.
Our system works with many types of devices (Android/iOS/Smart TV/PC), old and new, and we are trying to understand what we should do.
We noticed the expiration of the "DST Root CA X3" certificate and we don't know what we should do.

Can you please explain what we should do?

Thanks

2 Likes

I can't say that I'm qualified (nor informed enough about your specific situation) to tell you what you should do... beyond recommending that you review the various posts regarding the upcoming root expiration and, if needed, opening a new topic to better discuss any unanswered questions.

1 Like
