HTTPS endpoint troubleshooting in Logic App standard
Published Jan 30 2023 07:36 AM 4,724 Views

The article will go through all the possible scenarios when the logic app is giving TLS error as below.

Mohammed_Barqawi_0-1677656299427.png

 

 

In the below flow chart, each step has a number which is elaborated farther in the down section

 

Mohammed_Barqawi_1-1677656829447.png

Digram Link 

 

 

 

 

1-You are getting the error " The SSL connection could not be established" in your logic app standard

 

2-You need to run the following OpenSSL command in your Kudo that will tell you if the endpoint will require client certificate

 

 

 

 

openssl s_client -showcerts  -connect client.badssl.com:443>site.pem

 

 

 

 

 

More information on Mutual SSL Authentication Link

 

3- Use any text editor to open the Pem file after you downloaded it from Kudu

 

4 and 5 - If the File has the below line

Site with client certificate

Site without client certificate

Mohammed_Barqawi_2-1675088146828.png

 

Mohammed_Barqawi_3-1675088146833.png

 

If the Pem file has the Client certificate, then that means you should obtain the correct client certificate from your partner.

usually, the certificate is created by the client and signed by the server

 

 5.1- you need to convert the PFX file that has the client certificate private key to base64

 

 

 

 

 

//Extracting the byte from the pfx file
$fileContentBytes = Get-Content 'C: \pfx.pfx' -Encoding Byte
//Converting to Base64String
[System.Convert]::ToBase64String($fileContentBytes) | Out-File 'C: \pfx-encoded-bytes.txt'

 

 

 

 

 

 

5.2- Inside the http action chose authentication type = client certificate  and paste the base64 text for the PFX file

Mohammed_Barqawi_4-1675088146836.png

 

6- Export the site's public certificates using powershell

From Kudu powershell menu or any VM that can access the site  write the below command that will loop through all the site certificate chains and download them into a files

 

 

 

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$webRequest = [Net.WebRequest]::Create("YOUR SSL Site")
$webRequest.GetResponse()
$cert = $webRequest.ServicePoint.Certificate
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.build($cert)
$chain.ChainElements.Certificate | ForEach-Object { set-content -value $($_.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)) -encoding byte -path "$pwd\$($_.Thumbprint).cer" }
$WEBSITE_LOAD_ROOT_CERTIFICATES=$chain.ChainElements.Certificate|select Thumbprint 


Write-Host $WEBSITE_LOAD_ROOT_CERTIFICATES

 

 

 

 

Mohammed_Barqawi_5-1675088146847.png

 

 

Optional note

No need to import the site certificate

Mohammed_Barqawi_7-1675088146857.png

 

8- to complete the import process we need to inform the Logic app site to pick the imported certificate and load them to the site and this is can be done by modifying the configuration value WEBSITE_LOAD_ROOT_CERTIFICATES to contain all the certificates sha-1 fingerprint  

 

9- test if the Logic app was able to access the http endpoint

 

10- Still getting the same error? then you need to collect the network trace by

We can enable the trace by the below REST API:

https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/start-network-trace

Later reproduce the problem.

Again, we can stop the traces by the below REST API.

https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/stop-network-trace

then download the network trace from Kudu under the folder log

11- Analyze the network file using Wireshark

Mohammed_Barqawi_8-1675088146861.png

After identifying the server IP and the logic app IP we need to search for the Alert and see who is the one who rejects the handshaking

 

12- If it is server and if the client certificate is required then make sure that logic app sending the client certificate by searching in Wireshark for

(tls.handshake.certificates_length )

Mohammed_Barqawi_0-1675090010238.png

There could be an issue in the client certificate due to the issue Client certificate not included by Client certificate not included by HttpClientHandler in .net core · Issue #26531 · dotnet/runtime (g...  and to solve that you need to have a new client certificate

 

13- If it is a client then verify that  you have imported the certificate correctly

 

Co-Authors
Version history
Last update:
‎Mar 01 2023 12:01 AM
Updated by: