Azure Application Gateway: Chain Issues Incorrect order, Contains anchor

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 – TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.

Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example the URI path or host headers. To configure the Application Gateway public endpoint and offer the SSL server certificate, you need to supply a PFX for the configured domains. Application Gateway with the WAF V2 tier has an issue: it does not automatically correct the order of the SSL certificate chain. If the website is scanned with SSL Labs, it reports the error “incorrect order, contains anchor”. All you need to do is recreate the PFX with the intermediate certificate inserted into it using openssl.

https://user-images.githubusercontent.com/12409333/114930014-d12ff080-9e34-11eb-9523-16cc0a863096.png

Solution!

Install openssl on any Windows machine, or use a Linux box, to recreate the PFX that will be uploaded to the Azure Application Gateway listener. The commands are given below; they are straightforward openssl commands that extract the key and certificate from the current PFX, which are required to recreate it with the intermediate certificate.

openssl pkcs12 -in <domainname>.pfx -clcerts -nokeys -out <domainname>.crt
openssl pkcs12 -in <domainname>.pfx -nocerts -nodes -out <domainname>.key
openssl pkcs12 -export -out <domainname>_new.pfx -inkey <domainname>.key -in <domainname>.crt -certfile intermediate.cer

<domainname>.crt and <domainname>.key are extracted from the old PFX; the intermediate certificate is downloaded from the CA's website. The last command creates a new PFX with the intermediate certificate in it.

Replace <domainname> with your desired name. After the process completes you will get “<domainname>_new.pfx”, to be uploaded to the Azure Application Gateway for the listener configuration. Once you are done with the configuration, scan your website using SSL Labs; if this was the only issue you will hopefully get an A+ rating, as I did for my website, and the “incorrect order, contains anchor” error will be resolved.
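The same three steps as an added shell script (not part of the original post), wrapped with a check that the rebuilt PFX completes the chain up to the root without containing the root itself, which is the condition SSL Labs is complaining about. It builds a throwaway test PKI in place of a real CA; the file names, the PW environment variable and the test subject names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own code. Rebuilds a PFX so it carries
# leaf + intermediate (no root anchor), then checks the result with openssl.
# Assumes openssl on PATH; file names are placeholders; export PW=<pfx password>.
set -eu

# rebuild_pfx OLD.pfx INTERMEDIATE.cer NEW.pfx : the post's three commands
rebuild_pfx() {
  openssl pkcs12 -in "$1" -passin env:PW -clcerts -nokeys -out leaf.crt
  openssl pkcs12 -in "$1" -passin env:PW -nocerts -nodes -out leaf.key
  openssl pkcs12 -export -out "$3" -passout env:PW \
    -inkey leaf.key -in leaf.crt -certfile "$2"
  rm -f leaf.key    # -nodes wrote the key unencrypted; do not leave it behind
}

# chain_ok NEW.pfx ROOT.crt : succeed only if the bundled certs complete the
# chain up to ROOT and none of them is self-signed (that would be the anchor)
chain_ok() {
  openssl pkcs12 -in "$1" -passin env:PW -nokeys -out chain.pem
  openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/{s=substr($0,9)} /^issuer=/{if(substr($0,8)==s) exit 1}' || return 1
  openssl pkcs12 -in "$1" -passin env:PW -clcerts -nokeys -out leaf.crt
  openssl verify -CAfile "$2" -untrusted chain.pem leaf.crt >/dev/null
}

# make_fixtures : constructed test PKI (root -> intermediate -> leaf) and an
# "old" PFX holding only leaf + key, which is how the broken upload usually starts
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestRoot \
    -keyout root.key -out root.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=TestIntermediate \
    -keyout inter.key -out inter.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out intermediate.cer 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=example.test \
    -keyout site.key -out site.csr 2>/dev/null
  openssl x509 -req -in site.csr -CA intermediate.cer -CAkey inter.key \
    -CAcreateserial -days 1 -out site.crt 2>/dev/null
  PW=test; export PW
  openssl pkcs12 -export -out site.pfx -passout env:PW -inkey site.key -in site.crt
}

cd "$(mktemp -d)"
make_fixtures
rebuild_pfx site.pfx intermediate.cer site_new.pfx
chain_ok site_new.pfx root.crt
echo "site_new.pfx: chain completes to the root and contains no anchor"
```

For a real certificate, skip make_fixtures, set PW to the PFX password, and pass your CA's root certificate as the second argument of chain_ok.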

Note: For more information about Application Gateway, go to the Microsoft website.

2 thoughts on “Azure Application Gateway: Chain Issues Incorrect order, Contains anchor”

  1. I thank whoever wrote this article. I spent so much time manually reordering PEM files, nothing worked, and I stumbled across this article and it instantly resolved my problem.

    I can be reached on linkedin or by email if the person wishes to connect.
