Application Gateway: Incorrect certificate chain or order

SSL management is always a pain. We should check SSL certificates periodically or implement a solution that carries all management tasks for us (let’s encrypt and cert-manager, for instance). And if there is an issue with a certificate, it’s a always a subject of downtime, so we have to find a solution as quickly as possible. Furthermore, all websites should meet requirements to complete tests and get a “green” mark from mozilla observatory or ssl shopper checker, for example. In this post, we’ll discuss possible issues you may face during the ssl check: “incorrect certificate chain” or “incorrect order. contains anchor”

Please note that my setup includes azure application gateway and azure kubernetes service. The following steps are general, however, may require using different certificate formats or signature algorithms. Check your environment’s requirements beforehand.

  • In my case, it was a wrong intermediate certificate provided by GoDaddy. So, I went to the godaddy site, clicked on certificate and copied intermediate certificate to cer file intermediate.cer > Intermediate certificate
  • Make sure you have openssl on your computer and create a new pfx that contains a certificate, private key and intermediate certificate:
    openssl pkcs12 -export -out appgw-cert.pfx -inkey .\pk.key -in .\ssl.crt -certfile .\intermediate.cer
  • If you have an old pfx with a valid certificate and key, do these commands:
    openssl pkcs12 -in old.pfx -nocerts -nodes -out pk.key
    openssl pkcs12 -in old.pfx -clcerts -nokeys -out cert.crt
    openssl pkcs12 -export -out new.pfx -inkey .\pk.key -in .\cert.crt -certfile .\intermediate.cer
  • Type password for the pfx, and then update azure application gateway if needed:
    $appGW = Get-AzApplicationGateway -Name "ApplicationGatewayName"ResourceGroupName "ResourceGroupName"
    $password = ConvertTo-SecureString $passwordPlainString -AsPlainText -Force
    $cert = Set-AzApplicationGatewaySslCertificate -ApplicationGateway $AppGW -Name "CertName" -CertificateFile "D:\certname.pfx" -Password $password
  • Also, export pfx certificate to your personal certificate store and make sure that the correct chain is used or use for already updated certificate. and certificate chain
  • ..and finally my certificate is “green” and overall rating

Free eBook – A SysAdmin’s Guide to Azure IaaS – Second Edition.  

With the shift in the computing paradigm to the cloud, the Azure ecosystem is quickly becoming a critical platform for IT pros to grasp and adopt. But how do you make the leap while maintaining security, manageability, and cost-control?

Whether you’re making new VMs directly in the cloud, have VMs in your own datacenter and are looking to migrate to Azure, or you’re looking to manage VMs with cloud-based tools regardless of where they live, The SysAdmin Guide to Azure Infrastructure as a Service (Iaas) will teach you to set up and maintain a high-performing Azure IaaS environment. 

Written by veteran IT consultant and trainer Paul Schnackenburg, Altaro’s free 100+ page second edition eBook covers how to create VMs, size them correctly, and manage storage, networking, and security, along with backup. You’ll also learn how to operate groups of VMs, deploy resources based on templates, manage security, and automate your infrastructure. There are also two new chapters on Automanage and Azure Arc to help you bring a lot of automation to IaaS, all lessening the burden on your time.

One thing that has changed significantly over the past couple of years is the shift towards making IaaS VMs more like PaaS services. VMs are great but they require a lot of maintenance and care, whereas all the business is really interested in are the applications and data that run inside of them. This explains the popularity of PaaS services such as managed Kubernetes (AKS) and Azure Functions (serverless).

If you’re new to the cloud (or have experience with Amazon Web Services and/or Google Cloud Platform but not Azure) this eBook will cover the basics as well as advanced skills. And given how fast things change in the cloud, it covers the why (as well as the how) so that as features and interfaces are updated, you’ll know how to proceed.

Make the cloud work for you – download your free copy today!

%d bloggers like this: