Dedicated SSL instead of Advanced Certificate required for Azure

For Azure Application Gateway, the CN of the hostname is required:
Troubleshoot backend health issues in Azure Application Gateway | Microsoft Docs
"Backend server certificate invalid CA
Application Gateway checks whether the host name specified in the backend HTTP settings matches that of the CN presented by the backend server's TLS/SSL certificate."
If I use the custom domain, I get Error 502 Host Error. Any recommendations would be appreciated, as the advanced certificate leads to "Backend server certificate invalid CA".
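The name rule quoted above (backend host name must match a name on the backend's certificate) can be reproduced offline. The following is an added example written for this thread, not code from Microsoft, Cloudflare or the original poster. It handles certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the two sample certificates (`ORIGIN_CA_CERT`, `APP_SERVICE_CERT`) and the host names `example.com` and `contoso-app.azurewebsites.net` are constructed for illustration. The optional `fetch_backend_cert()` helper needs network access and a CA file you supply (for an Origin CA certificate, Cloudflare's Origin CA root).

```python
"""Offline check of the host-name rule a TLS backend health probe applies:
the host name configured for the backend must match a DNS name on the
certificate the backend presents (SAN entries first, subject CN as fallback).

Added example for this thread; not code from Microsoft, Cloudflare or the
original poster. Sample certificates below are constructed.
"""
import socket
import ssl


def dns_names(cert: dict) -> list:
    """Names the certificate is valid for: subjectAltName dNSName entries,
    or the subject commonName if the certificate carries no SAN at all."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; a wildcard is only allowed
    as the whole leftmost label and matches exactly one label, so
    *.example.com matches www.example.com but not a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def backend_cert_matches(cert: dict, backend_host: str) -> bool:
    """True if the configured backend host name matches any name on the cert."""
    return any(name_matches(n, backend_host) for n in dns_names(cert))


def diagnose(cert: dict, backend_host: str) -> str:
    """Human-readable verdict; the 502 remark reflects what the poster saw."""
    if backend_cert_matches(cert, backend_host):
        return "ok: %r matches %r" % (backend_host, dns_names(cert))
    return ("mismatch: backend host %r is not among %r; a probe applying this "
            "rule marks the backend unhealthy and the gateway answers 502"
            % (backend_host, dns_names(cert)))


def fetch_backend_cert(host: str, port: int, cafile: str, sni: str = "") -> dict:
    """Connect to a backend and return its certificate as a dict.
    The chain is validated against `cafile` (you supply it; for an Origin CA
    certificate that is Cloudflare's Origin CA root). Host-name checking is
    turned off on purpose so backend_cert_matches() can report the mismatch
    instead of the handshake aborting. Network access required; not used by
    the offline samples below."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert()


# Constructed sample: an Origin CA style certificate issued for the custom
# domain (names carried in the SAN, CN is just a label).
ORIGIN_CA_CERT = {
    "subject": ((("commonName", "Origin Certificate"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

# Constructed sample: a certificate that only names the App Service host.
APP_SERVICE_CERT = {
    "subject": ((("commonName", "contoso-app.azurewebsites.net"),),),
}


if __name__ == "__main__":
    for cert, host in [(ORIGIN_CA_CERT, "www.example.com"),
                       (ORIGIN_CA_CERT, "contoso-app.azurewebsites.net"),
                       (APP_SERVICE_CERT, "contoso-app.azurewebsites.net")]:
        print(diagnose(cert, host))
```

The second case is the one to watch for: a certificate issued for the custom domain does not match the App Service's default host name, and vice versa, so whichever name the backend HTTP settings carry must be one of the names on the certificate the backend actually presents.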

Hi there,

If I understand correctly you are trying to configure Azure application gateway, and they require you to install an SSL/TLS certificate on their platform?

Cloudflare’s Universal/Dedicated/ACM certificates only exist on our edge and are not available for download - so you would not be able to install a certificate on the Application gateway.

Cloudflare does provide 'Origin CA', which allows customers to generate free SSL certificates that you can install on your origin (Azure) - but these certificates are only trusted by Cloudflare (essentially self-signed certificates), so it is possible that Azure will not support this - https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

It is possible you may need to generate an SSL certificate from a CA (LetsEncrypt, Digicert) to install on Azure if they require a valid trusted certificate to be installed. You should contact Microsoft support to confirm this.

Hi Damian, thank you for looking into this. We did install origin certificates on Azure and it seemed to work on the server for SSL binding.

User scenario

  1. Without application gateway

Requiring Azure App Service to use Cloudflare Origin CA
(screenshot)

Leads to the following error

These, as you mentioned, are self-signed certificates from Cloudflare; they are not accepted by Microsoft but are accepted by Cloudflare. So, by not requiring client certificates on Azure:

(screenshot)

Domain → Cloudflare (issues client certificate) → Azure app service (no verification done) → Works as expected

Not sure how, but if the client certificate option is "Allow", Azure should verify the client certificate, and the above still works with Origin certificates.

  2. With application gateway

Domain → Cloudflare (issues client certificate) → Application Gateway (does not accept it; as you mentioned, it is self-signed by Cloudflare) → Azure app service (doesn't seem to get any call, as it was blocked earlier) → does not work

The hack we used

Domain → Cloudflare (issues client certificate) → Application Gateway (X-Forwarded-Host set to Domain) → Azure app service (no verification done) → works as expected

This hack does not work while POSTing large files over HTTP.

How would Cloudflare know the certificate installed on Azure if we were to get an SSL certificate from a CA?

I think what you're looking for here is Authenticated Origin Pulls - you want Cloudflare to present a certificate to your origin so you can validate that the connection is coming from Cloudflare. We do support the ability for customers to do this - https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull - but you need to use the certificate we provide on our PayGo plans.

If you want to use your own client certificates then that requires our Enterprise plan.

Thanks for the information about Authenticated Origin Pulls; hopefully this fixes the re-negotiation issues while uploading large files. Will give this a try. I noticed Zone-Level — Cloudflare certificates has a global certificate. Is this different to that of the Origin Certificate generated for the server? The client certificate and the edge certificate both don't seem to be validated by the generated origin server certificate.
