Azure-docs: Certificate chain reported as missing Intermediate certificate, throwing 502 error, with V2 Application Gateway only. V1 is fine.

Created on 17 Jul 2019 · 18 comments · Source: MicrosoftDocs/azure-docs

This is with a full chain RapidSSL wildcard PFX certificate.


Labels: Pri2 application-gatewasvc cxp product-issue triaged

All 18 comments

@loopfish Thank you for your feedback. We will investigate and update the thread further.

@loopfish, Try checking the intermediate certs on the backend cert. Here is an online tool for checking SSL certificates. An incorrectly bundled cert would show something like the one below:
[screenshot: incorrectly bundled certificate]
A properly bundled cert would show something like the one below:
[screenshot: properly bundled certificate]
Resolution:
The certificate has to be properly bundled again, including the intermediate certs. Please use a bundle of root and intermediate certs.

There is nothing wrong with the cert bundle. As I mentioned, it works absolutely fine with a v1 AG, and the DigiCert SSL checker confirms all 3 parts of the cert are present and correct.

@loopfish, This requires a deeper investigation, so if you have a support plan, I request that you file a support ticket; otherwise, please let us know and we will try to help you get one-time free technical support. In this case, could you send an email to AzCommunity[at]Microsoft[dot]com referencing this thread and your subscription id?

Thank you for your cooperation on this matter; we look forward to your reply.

We are closing this issue for now. If there are further questions regarding this matter, please reply and we will gladly continue the discussion.

I have a similar problem with normal Virtual Machines and Azure keyvault. I uploaded a bundle cert (server + intermediate) to Azure keyvault successfully. Then added the secret to a linux VM, so it is automatically fetched to /var/lib/waagent. However, the .crt file in the folder only includes the server certificate, i.e., intermediate certificate is no longer present.

No errors were thrown at any given point. Furthermore, if I download the cert in PFX/PEM format from Azure portal UI, the intermediate cert is still present in this file.

Why is the intermediate cert removed from the .crt file?

Unfortunately Microsoft don't seem to want to know, on this occasion. I spent a lot of time with support and escalation demonstrating there was nothing wrong with my cert bundle, but they insisted it was. Given up using the product due to this.

@SubhashVasarapu-MSFT Any comment on this?

Any comment on this?

I just upgraded an AppGw V1 into V2 and looks like I need to roll it back. Intermediate CA certificate needs to be delivered in the TLS handshake. I'm even using the same certificate .pfx file than with V1 and it worked there. With V2, no such joy.

Got the same issue: the intermediate certs are not being sent during the TLS handshake.

@shashishailaj please could you re-open this issue for investigation?

I got my AppGw V2 working. The clues for solution are scattered, but they are out there.

What Azure fails to properly document is the new requirement for the PFX file to contain the intermediate too. However, my case was a bit complex. I had bound my AppGw certificate to Azure Key Vault. However, you cannot have a Key Vault Certificate with an intermediate (or the entire chain).

So, I detached the Key Vault association and wrote some PowerShell scripting to export a .Net Security.Cryptography.X509Certificates.X509Certificate2Collection and Set-AzureRmApplicationGatewaySslCertificate that into AppGw. Works great!

One would imagine using a key vault is encouraged. Indeed that is what I am using.

Yes, using a Key Vault is encouraged and that's what I'm still doing.

The solution is obvious: store the Base64-encoded PFX file in a secret.
The code I'm using is adapted from https://www.rahulpnath.com/blog/pfx-certificate-in-azure-key-vault/

I experienced the same issues that others above have been facing. In particular, we only had the SSL validation errors for certain devices like Android and Python on Windows. But we also had the same symptoms that were mentioned here: https://github.com/MicrosoftDocs/azure-docs/issues/35298#issuecomment-514918980

After contacting Azure support, we did not have any luck solving things, but we eventually just exported the certificate with all intermediary certificates in the chain using the Certificate Manager MMC Snap In.

[screenshot: Certificate Manager MMC export, 2020-04-22]

While this was a very easy problem to solve, it was not particularly discoverable.

I have implemented your solution and it worked for me, but now when I test my SSL it shows "Incorrect order, Contains anchor".

You're not supposed to have the anchor cert in your AppGw. Only intermediate and site cert needed.

Having the anchor there isn't an error. The client is supposed to ignore it. This obviously will vary.

I have used a .pfx file on AppGw. Now I am having:

Chain issues: Incorrect order, Contains anchor. What is this?
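An added example, not from this thread and not Microsoft's code, of the PowerShell approach mentioned above: it rebuilds the PFX with the leaf first, the intermediate(s) next and no self-signed root (the "anchor" the SSL checker flags), then uploads it with the AzureRM cmdlet named in the thread. File paths, the gateway name, resource group and certificate name are placeholders, and it assumes an AzureRM.Network version whose -Password parameter takes a SecureString.

```powershell
# Placeholders: adjust paths and Azure resource names for your environment.
$leafPfxPath      = 'C:\certs\wildcard.pfx'                  # PFX from the CA (leaf + private key)
$intermediatePath = 'C:\certs\ca-intermediate.crt'           # intermediate CA cert (DER or PEM)
$outPfxPath       = 'C:\certs\wildcard-with-chain.pfx'       # rebuilt PFX to upload
$pfxPassword      = Read-Host -AsSecureString -Prompt 'PFX password'
$plainPassword    = [System.Net.NetworkCredential]::new('', $pfxPassword).Password

# Load the CA-issued PFX (which may or may not already carry the chain) and the
# intermediate file into one collection; Exportable so the key survives re-export.
$col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$col.Import($leafPfxPath, $plainPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$col.Import($intermediatePath)

# The leaf is the only certificate with a private key.
$leaf = @($col | Where-Object { $_.HasPrivateKey })
if ($leaf.Count -ne 1) { throw "Expected exactly one certificate with a private key, found $($leaf.Count)" }
$leaf = $leaf[0]

# Keep only intermediates: CA certs that are not self-signed. A self-signed root is the
# anchor the checker complains about; clients already hold it in their trust store.
$intermediates = $col | Where-Object { -not $_.HasPrivateKey -and $_.Subject -ne $_.Issuer } |
                 Sort-Object Thumbprint -Unique

# Order the bundle leaf first, then follow issuer -> subject links up the chain.
$ordered = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
[void]$ordered.Add($leaf)
$current = $leaf
while ($true) {
    $next = $intermediates | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
    if (-not $next) { break }
    [void]$ordered.Add($next)
    $current = $next
}
if ($ordered.Count -lt 2) { throw 'No intermediate found that issued the leaf; the PFX would still lack the chain' }

# Export the ordered bundle as a new PFX and push it to the V2 gateway.
[System.IO.File]::WriteAllBytes($outPfxPath, $ordered.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plainPassword))

$gw = Get-AzureRmApplicationGateway -Name 'my-appgw-v2' -ResourceGroupName 'my-rg'
Set-AzureRmApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'wildcard-cert' `
    -CertificateFile $outPfxPath -Password $pfxPassword | Out-Null
Set-AzureRmApplicationGateway -ApplicationGateway $gw | Out-Null
```

After the gateway update completes, re-run the external SSL checker: the chain issues should clear, and a remaining "Contains anchor" only means a self-signed root slipped into the PFX, which the filter above removes.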
