Application Gateway: Incorrect certificate chain or order

SSL management is always a pain. We should check SSL certificates periodically or implement a solution that carries out all management tasks for us (Let's Encrypt and cert-manager, for instance). And if there is an issue with a certificate, it is always a cause of downtime, so we have to find a solution as quickly as possible. Furthermore, all websites should meet the requirements to pass the tests and get a “green” mark from Mozilla Observatory or the SSL Shopper checker, for example. In this post, we'll discuss possible issues you may face during the SSL check: “incorrect certificate chain” or “incorrect order, contains anchor”.

Please note that my setup includes Azure Application Gateway and Azure Kubernetes Service. The following steps are general; however, they may require using different certificate formats or signature algorithms. Check your environment's requirements beforehand.

  • In my case, it was a wrong intermediate certificate provided by GoDaddy. So I went to the GoDaddy site, clicked on the certificate and copied the intermediate certificate to the file intermediate.cer.
Godaddy.com > Intermediate certificate
  • Make sure you have openssl on your computer and create a new pfx that contains the certificate, the private key and the intermediate certificate:
    openssl pkcs12 -export -out appgw-cert.pfx -inkey .\pk.key -in .\ssl.crt -certfile .\intermediate.cer
  • If you have an old pfx with a valid certificate and key, run these commands:
    openssl pkcs12 -in old.pfx -nocerts -nodes -out pk.key
    openssl pkcs12 -in old.pfx -clcerts -nokeys -out cert.crt
    openssl pkcs12 -export -out new.pfx -inkey .\pk.key -in .\cert.crt -certfile .\intermediate.cer
  • Type a password for the pfx when openssl prompts for it, and then update the Azure Application Gateway if needed:
    $appGW = Get-AzApplicationGateway -Name "ApplicationGatewayName" -ResourceGroupName "ResourceGroupName"
    # $passwordPlainString holds the password you typed at the openssl export prompt
    $password = ConvertTo-SecureString $passwordPlainString -AsPlainText -Force
    $appGW = Set-AzApplicationGatewaySslCertificate -ApplicationGateway $appGW -Name "CertName" -CertificateFile "D:\certname.pfx" -Password $password
    # The previous cmdlet only changes the in-memory object; this one commits the change to Azure
    Set-AzApplicationGateway -ApplicationGateway $appGW
  • Also, import the pfx into your personal certificate store and make sure that the correct chain is used, or check the already updated certificate on ssllabs.com.
ssllabs.com and certificate chain
  • ...and finally my certificate is “green”
ssllabs.com and overall rating
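As an added example that is not part of the original post, the following PowerShell ties the steps above together: it inspects a PFX for the chain problems named in the title (leaf not first, a self-signed root anchor bundled in, or an intermediate that did not actually issue the leaf), rebuilds the PFX with openssl the way the commands above do, and then uploads and commits it with the Az cmdlets. The function names, paths, gateway and certificate names are placeholders; it assumes openssl and the Az module are available and PowerShell 7 (or .NET 4.7.2+) for the EphemeralKeySet flag.

```powershell
# Added example, not from the original post. Placeholder names throughout.
using namespace System.Security.Cryptography.X509Certificates

function Test-PfxChainOrder {
    # Loads every certificate in a PFX in file order and checks what the online
    # checkers complain about: the leaf (the entry holding the private key) must
    # come first, every entry must be followed by its issuer, and no self-signed
    # root (trust anchor) may be included. Returns a summary with Ok = $true
    # when no problem was found.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $collection = [X509Certificate2Collection]::new()
    # EphemeralKeySet keeps the private key out of the user's key store while we inspect
    $collection.Import($PfxPath, $plain, [X509KeyStorageFlags]::EphemeralKeySet)
    $certs = @($collection)
    if ($certs.Count -eq 0) { throw "No certificates found in $PfxPath" }

    $problems = [System.Collections.Generic.List[string]]::new()
    $leaf = $certs | Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $leaf) {
        $problems.Add('No certificate with a private key (no leaf) in the PFX')
    } elseif ($certs[0].Thumbprint -ne $leaf.Thumbprint) {
        $problems.Add('Leaf certificate is not the first entry; order is wrong')
    }

    for ($i = 0; $i -lt $certs.Count; $i++) {
        $c = $certs[$i]
        $subj = [Convert]::ToBase64String($c.SubjectName.RawData)
        $iss  = [Convert]::ToBase64String($c.IssuerName.RawData)
        if ($subj -eq $iss) {
            # A self-signed certificate is a trust anchor; clients already have it
            $problems.Add("Self-signed root (anchor) included: $($c.Subject)")
            continue
        }
        if ($i + 1 -lt $certs.Count) {
            $nextSubj = [Convert]::ToBase64String($certs[$i + 1].SubjectName.RawData)
            if ($nextSubj -ne $iss) {
                $problems.Add("Entry $($i + 1) ($($certs[$i + 1].Subject)) did not issue entry $i ($($c.Subject)); wrong intermediate or wrong order")
            }
        }
    }

    [pscustomobject]@{
        Leaf     = if ($leaf) { $leaf.Subject } else { $null }
        Chain    = @($certs | ForEach-Object Subject)
        Problems = $problems
        Ok       = ($problems.Count -eq 0)
    }
}

function Update-AppGwCertificate {
    # Builds leaf + key + intermediate into a PFX with openssl (same command as
    # in the steps above), refuses to upload if the chain check fails, then
    # uploads and commits the certificate on the gateway.
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$IntermediatePath,
        [Parameter(Mandatory)][string]$OutPfx,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$GatewayName,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$CertName
    )
    # Pass the password through an environment variable so it does not show up in the process command line
    $env:PFX_PASS = [System.Net.NetworkCredential]::new('', $Password).Password
    try {
        & openssl pkcs12 -export -out $OutPfx -inkey $KeyPath -in $CertPath -certfile $IntermediatePath -passout env:PFX_PASS
        if ($LASTEXITCODE -ne 0) { throw 'openssl failed to build the PFX' }
    } finally {
        Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
    }

    $check = Test-PfxChainOrder -PfxPath $OutPfx -Password $Password
    if (-not $check.Ok) {
        throw ("Refusing to upload; chain problems:`n" + ($check.Problems -join "`n"))
    }

    # Set-AzApplicationGatewaySslCertificate only updates the in-memory object;
    # Set-AzApplicationGateway is what actually commits the change to Azure.
    $appGw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
    $appGw = Set-AzApplicationGatewaySslCertificate -ApplicationGateway $appGw -Name $CertName -CertificateFile $OutPfx -Password $Password
    Set-AzApplicationGateway -ApplicationGateway $appGw
}

# Usage (hypothetical paths and names):
# $pw = Read-Host 'PFX password' -AsSecureString
# Test-PfxChainOrder -PfxPath .\appgw-cert.pfx -Password $pw | Format-List
# Update-AppGwCertificate -KeyPath .\pk.key -CertPath .\ssl.crt -IntermediatePath .\intermediate.cer `
#     -OutPfx .\appgw-cert.pfx -Password $pw -GatewayName 'ApplicationGatewayName' `
#     -ResourceGroupName 'ResourceGroupName' -CertName 'CertName'
```

Checking the PFX locally is a proxy for what ssllabs.com sees: the gateway sends the certificates in the order they are stored, so a wrong intermediate or an included root shows up here before the listener is touched. Issuer and subject are compared as raw DER bytes rather than display strings, which is the comparison path building actually uses.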

How to stop Azure Application Gateway

I often make demo setups in my Azure subscription, which has spending limits, so I have to gracefully shut down all “hungry” resources such as VMs, Application Gateways, etc. to save some money. To stop VMs, you can simply use the Azure Portal start/stop buttons; however, the Azure Portal doesn't allow you to stop an Application Gateway. In such cases, Azure PowerShell helps.

Open the Azure Cloud Shell or a local PowerShell with the Az module installed and use the following:

# Get Azure Application Gateway
$appgw=Get-AzApplicationGateway -Name <appgw_name> -ResourceGroupName <rg_name>

# Stop the Azure Application Gateway
Stop-AzApplicationGateway -ApplicationGateway $appgw

# Start the Azure Application Gateway (optional)
Start-AzApplicationGateway -ApplicationGateway $appgw

Azure Portal updates the Application Gateway:

Azure Portal - Application Gateway Stopping

Verify that the Application Gateway is in the Stopped state. You will only be billed for the public IP assigned to the stopped Application Gateway (which saves money significantly):

Azure Portal - Stopped Azure Application Gateway

Start the application gateway (optional):

Azure Portal - Application Gateway Running State