Question

I am trying to move a website into Azure (Azure Website). I have everything moved, except the SSL isn't working. The error that comes up says:

You attempted to reach [subdomain].[domain].com, but instead you actually reached a server identifying itself as *.azurewebsites.net ...

I think it may have something to do with my certificate. The cert is a UCC cert (multiple SAN) through GoDaddy. I did not rekey the cert when I moved the site from the old server to the Azure Website. The old server was managed using Parallels. Here is what I did to move the cert:

I logged into Parallels on the old server. I opened the SSL screen, where I could see the 4 parts of the cert (csr, private key, certificate, CA certificate). I copied the text for each of those (including the ---Begin Certificate--- and ---End Certificate--- lines. EDIT: the private key began with ---Begin RSA Private Key--- and ended with ---End RSA Private key), and I pasted the data to create 4 .txt files. I then renamed the txt files so that I had 4 files named CAcertificate.cer, certificate.cer, privateKey.pem, and cert.cer. They were all saved in the c:\ directory (root).

I then pulled up OpenSSL and ran the following command:

pkcs12 -export -in c:\certificate.cer -inkey c:\privateKey.pem -out c:\certificate.pfx -certfile c:\CAcertificate.cer

I entered a password twice, and out popped a certificate.pfx file.

I uploaded that file to my Azure Website. The UCC Cert applies to 4 subdomains. I have my Azure Website set up with only one of those subdomains as a domain name. After uploading the file, I went to SSL Binding, and chose that subdomain, matched it with the cert I just uploaded, and chose "SNI SSL." I saved it, and all looked good.

Unfortunately, when I browse to the subdomain, I get the error I listed at the beginning.

I have a CNAME set up to forward from that subdomain to the Azure Website. I also have an A record set up to point from that subdomain to the IP address of the Azure Website. The site is pulling up as I would expect, except for the SSL certificate error.

Did I generate the .pfx file incorrectly? Is there something I need to change in Azure or my domain registrar? I noticed that I could download a .pem file from the Parallels panel. It contained all 4 parts of the cert in one file. I didn't know what I could do with that.


Solution

A missing root or intermediate certification authority can cause this behavior as documented in this article (written by a Microsoft MVP).

This answer shows how to export the full certificate chain including the private key using OpenSSL for Windows.

If the certificate is already installed on your local Windows machine, you can follow this guide; be sure to select

  • Yes, export the private key and
  • Include all certificates in the certification path if possible.

This will create a .pfx file containing your certificate, its private key as well as all intermediate and root CAs.
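
A local check for the missing-intermediate case the answer describes, as an added example that is not part of the original question or answer: it builds a constructed three-level chain, exports one .pfx without the intermediate and one with it via -certfile, then tests whether the leaf inside each .pfx verifies up to the root. The file names, subjects, password and the helper names mkcsr and pfx_chain_ok are assumptions made for this example.

```shell
# Constructed chain: root CA -> intermediate CA -> leaf, throwaway keys only.
# File names, subjects and the password "demo" are assumptions for this example.
W=$(mktemp -d); P=demo
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"

mkcsr() {  # mkcsr NAME CN: new RSA key and CSR under $W
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/$1.key" \
    -subj "/CN=$2" -out "$W/$1.csr" 2>/dev/null
}
mkcsr root "Constructed Root"
mkcsr inter "Constructed Intermediate"
mkcsr leaf "www.example.test"
openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" \
  -extfile "$W/ca.ext" -days 2 -out "$W/root.crt" 2>/dev/null
openssl x509 -req -in "$W/inter.csr" -CA "$W/root.crt" -CAkey "$W/root.key" \
  -CAcreateserial -extfile "$W/ca.ext" -days 2 -out "$W/inter.crt" 2>/dev/null
openssl x509 -req -in "$W/leaf.csr" -CA "$W/inter.crt" -CAkey "$W/inter.key" \
  -CAcreateserial -days 2 -out "$W/leaf.crt" 2>/dev/null

# leaf-only.pfx leaves the intermediate out; full.pfx adds it with -certfile.
openssl pkcs12 -export -in "$W/leaf.crt" -inkey "$W/leaf.key" \
  -passout "pass:$P" -out "$W/leaf-only.pfx"
openssl pkcs12 -export -in "$W/leaf.crt" -inkey "$W/leaf.key" \
  -certfile "$W/inter.crt" -passout "pass:$P" -out "$W/full.pfx"

# pfx_chain_ok PFX PASS ROOT: succeeds only if the leaf in PFX verifies up to
# ROOT using just the extra certificates stored inside the PFX itself.
pfx_chain_ok() {
  t=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
    -out "$t/leaf.pem" 2>/dev/null || return 2
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts \
    -out "$t/extra.pem" 2>/dev/null || return 2
  if grep -q 'BEGIN CERTIFICATE' "$t/extra.pem" 2>/dev/null; then
    openssl verify -CAfile "$3" -untrusted "$t/extra.pem" "$t/leaf.pem" \
      >/dev/null 2>&1
  else
    openssl verify -CAfile "$3" "$t/leaf.pem" >/dev/null 2>&1
  fi
}

for f in leaf-only full; do
  if pfx_chain_ok "$W/$f.pfx" "$P" "$W/root.crt"
  then echo "$f.pfx: chain complete"
  else echo "$f.pfx: chain incomplete"
  fi
done
```

For a real certificate, pass the issuing CA's root certificate file as the third argument and the .pfx you intend to upload as the first.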

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow