I have a problem connecting to a remote FTP server using certificates on Azure Functions with an App Service Plan. I get the exception below:
The remote certificate is invalid according to the validation procedure. System.Exception System.Security.Authentication.AuthenticationException
Below is my setup on Azure Functions
1. Two public certificates have been uploaded to Azure Functions like below by following the link below:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-ssl-cert-load
Please note the location above, App Service Plan is used, so should it be LocalMachine\My?
This setting places the specified certificates in the Current User\My store for most pricing tiers, but in the Isolated tier (i.e. app runs in an App Service Environment), it places the certificates in the Local Machine\My store.
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-ssl-cert-load
2. The code below is also used to load the certificate on Azure Functions.
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-ssl-cert-load#load-the-certificate-in-code
    using System;
    using System.Security.Cryptography.X509Certificates;

    X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    certStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certCollection = certStore.Certificates.Find(
        X509FindType.FindByThumbprint,
        // Replace below with your certificate's thumbprint
        "E661583E8FABEF4C0BEF694CBC41C28FB81CD870",
        false);
    // Get the first cert with the thumbprint
    if (certCollection.Count > 0)
    {
        X509Certificate2 cert = certCollection[0];
        // Use certificate
        Console.WriteLine(cert.FriendlyName);
    }
    certStore.Close();
Below is my setup locally
It has no problem connecting to the remote FTP server on my local machine using the code below, in combination with the two-certificate setup on my local machine below:

    private X509Certificate2 GetX509Certificate2FromFile()
    {
        return new X509Certificate2(Path.Combine("myCert.cer"));
    }

Root CA certificate is installed under the Trusted Root Certification Authorities folder
Issuing CA certificate is installed under the Intermediate Certification Authorities folder
Update: Detailed exception can be found at https://jsoneditoronline.org/?id=d1db13e9ee7143cf98653b807cfad75b
The error appears to be that the FTPS server cert is not trusted by the client. I believe you may be talking about an App Service Environment (Isolated). If you are using the version of ILB ASE that supports your own custom domain, they need to load the cert using WEBSITE_LOAD_ROOT_CERTIFICATES if the cert being used isn't from a trusted CA.
https://learn.microsoft.com/en-us/azure/app-service/environment/certificates#private-client-certificate
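One way to check the FTPS server certificate against the two uploaded CA certificates instead of the machine trust store, as an added example (not code from the question, the answer, or Microsoft's documentation). It assumes .NET 5 or later (for `X509ChainTrustMode.CustomRootTrust`) and an FTP client library that accepts a `RemoteCertificateValidationCallback`-style hook; the class and method names are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PrivateCaValidation
{
    // Reads the CA certificates that WEBSITE_LOAD_CERTIFICATES exposed in CurrentUser\My.
    public static X509Certificate2Collection LoadCaCerts(params string[] thumbprints)
    {
        var found = new X509Certificate2Collection();
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        foreach (string thumbprint in thumbprints)
            found.AddRange(store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false));
        return found;
    }

    // Builds a callback that trusts only chains ending at one of the supplied roots.
    public static RemoteCertificateValidationCallback Create(X509Certificate2Collection caCerts)
    {
        return (sender, certificate, defaultChain, errors) =>
        {
            if (errors == SslPolicyErrors.None) return true;   // already trusted by the OS
            // A host name mismatch or a missing certificate is never acceptable.
            if (certificate == null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
                return false;

            using var chain = new X509Chain();
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            foreach (X509Certificate2 ca in caCerts)
            {
                // Self-signed certificates are roots; the rest only help build the path.
                if (ca.Subject == ca.Issuer) chain.ChainPolicy.CustomTrustStore.Add(ca);
                else chain.ChainPolicy.ExtraStore.Add(ca);
            }

            // Revocation checking stays at the framework default (online).
            bool trusted = chain.Build(new X509Certificate2(certificate));
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine($"{status.Status}: {status.StatusInformation}");
            return trusted;
        };
    }
}
```

The logged `ChainStatus` entries show which element of the chain fails (for example an untrusted root or an unreachable revocation endpoint), which the generic `AuthenticationException` message does not.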