How to create a root certificate for application gateway?

Question

I have a webapp hosted in Azure App Service which has a certificate associated with its domain, and the certificate is stored in the Key Vault.
I want to create one application gateway with web application firewall (WAF v2 tier). In that application gateway, I need to use one certificate in the backend setting.
I tried to use the same certificate which is present in the Key Vault here, but I am getting the error "ApplicationGatewayTrustedRootCertificateInvalidData".

So which root certificate should I use in the application gateway and use it in App Service too?
I tried to create one self-signed root certificate, but due to this the health of the backend servers is coming as unhealthy with the error message:

The Common Name (CN) of the backend server certificate does not match the host header entered in the health probe configuration (v2 SKU) or the FQDN in the backend pool (v1 SKU). Verify if the hostname matches with the CN of the backend server certificate. To learn more visit - https://aka.ms/backendcertcnmismatch.

Answer 1

Score: 2

I tried to reproduce the same in my environment and I got the same error.

Application Gateway verifies that the host name listed in the backend HTTP settings corresponds to the CN displayed by the backend server's TLS/SSL certificate.

If you receive this error message, check the HTTP settings if "Pick hostname from backend HTTP settings" is selected. If you're using a default probe, 127.0.0.1 will be entered as the host name. Try to create a custom probe and link it to the HTTP settings if that is not the required value.


Backend health of the Application Gateway works with the custom CA root certificate uploaded in the HTTP settings. Only backend certificates that are signed by a known trustworthy root certificate are compatible with health probes. After removing the well-known CA root certificate from the HTTP settings on the Gateway, I am able to add a probe without the root certificate.

As per lovelinuxalot on GitHub, try to add the probes without testing the health check, and make sure the health probes recognize the trusted root certificates uploaded on the gateway HTTP settings.

Press Win+R -> type certlm.msc and press Enter -> click on Personal -> Certificates.


Double-click on the certificate -> Details tab -> Subject. Check the certificate's CN from its details and enter it in the custom probe's host name field or in the HTTP settings (if "Pick hostname from backend HTTP settings" is selected). If that's not the desired host name for your website, you need to either obtain a certificate for that domain or provide the proper host name in the settings of the custom probe or HTTP option. Refer to this.


Try to check the intermediate certs on the backend cert with an online tool for checking SSL certificates.

References:

CN of backend server certificate does not match the host header in health probe configuration

AppGateway V2 Certificate issue by GitaraniSharma
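The answer above boils down to two conditions the gateway's health probe enforces on the backend certificate: it must chain to a root the gateway has been given in the backend HTTP settings, and its name must match the host name the probe sends. The following Go program is an added example, not code from the answer or from Azure; it uses Go's crypto/x509 as a stand-in for the gateway's check. It builds a private root CA, issues a backend certificate for the constructed host name app.contoso.example, and then runs the three situations from the thread: matching root and host name, the default probe host name 127.0.0.1 (the CN mismatch from the question), and a backend certificate whose root was never uploaded.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// BackendHost is a constructed host name used for both the backend
// certificate and the custom probe in the matching scenario.
const BackendHost = "app.contoso.example"

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl with the parent's private key; when parent == tmpl the
// result is self-signed, which is how the private root CA is created.
func sign(tmpl, parent *x509.Certificate, pub crypto.PublicKey, priv crypto.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewRootCA creates a self-signed root. Its public certificate is what would be
// uploaded as the trusted root in the gateway's backend HTTP settings.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Contoso Private Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// NewBackendCert issues a server certificate for host, signed by the root.
// The host goes into both the CN (the field the gateway's error message names)
// and the SAN list (what modern verifiers, Go's included, actually match).
func NewBackendCert(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, root, &key.PublicKey, rootKey)
}

// CheckBackend mirrors the probe's two conditions: chain to a trusted root and
// match the host name the probe (or HTTP setting) sends.
func CheckBackend(backend *x509.Certificate, trusted *x509.CertPool, probeHost string) error {
	_, err := backend.Verify(x509.VerifyOptions{Roots: trusted, DNSName: probeHost})
	return err
}

// Classify maps the verification error to the failure the thread describes.
func Classify(err error) string {
	var hn x509.HostnameError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "healthy"
	case errors.As(err, &hn):
		return "cn-mismatch"
	case errors.As(err, &ua):
		return "untrusted-root"
	default:
		return "other"
	}
}

// Scenarios runs the three cases: matching root and host name, the default
// probe host name 127.0.0.1, and a root the gateway was never given.
func Scenarios() map[string]string {
	root, rootKey := NewRootCA()
	backend := NewBackendCert(BackendHost, root, rootKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	return map[string]string{
		"matching":           Classify(CheckBackend(backend, trusted, BackendHost)),
		"probe-default-host": Classify(CheckBackend(backend, trusted, "127.0.0.1")),
		"root-missing":       Classify(CheckBackend(backend, x509.NewCertPool(), BackendHost)),
	}
}

func main() {
	for name, result := range Scenarios() {
		fmt.Printf("%-20s %s\n", name, result)
	}
}
```

Run it with `go run main.go`; the host-name check happens before chain building, so a wrong probe host name is reported as a name mismatch even when the root is trusted, while a matching name with an unuploaded root fails as an unknown authority. Fixing the real gateway means the same two things: a custom probe whose host name equals the certificate's name, and the issuing root (public part only) uploaded in the backend HTTP settings.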

Posted by huangapple on 2023-03-03 19:47:09. Please keep this link when reposting: https://go.coder-hub.com/75626694.html