如何对Azure Functions SSL配置进行故障排除
[英]How to troubleshoot an Azure Functions SSL configuration
问题描述
I've followed the guides / processes I can find about adding / binding an SSL certificate to a custom domain for my Azure Function, but cannot get a secure connection to work. 
我已遵循有关为我的Azure功能添加SSL证书/将其绑定到自定义域的指南/过程,但是无法使安全连接正常工作。 How can I go about finding (and fixing) the problem? 我该如何找到(并解决)问题?
The app is in place, and the custom domain is added. 该应用程序就位,并且已添加自定义域。 I've generated and uploaded the private key. 我已经生成并上传了私钥。 I can access the function (and it runs) when called via the custom domain, but the browser will insist on showing "this is not a private connection". 当通过自定义域调用该函数时,我可以访问该函数(该函数将运行),但是浏览器将坚持显示“这不是私有连接”。
I'm running on a pay-as-you-go / consumption plan, but I've understood this to be fine? 我正在按使用量付费/消费计划运行,但是我知道这很好吗?
Is there something that I need to be doing within the Function code itself to allow it to make use of the code? 我需要在功能代码本身中做一些事情,以允许其使用代码吗?
Is there any other way that I can see / debug why this binding isn't letting me create the right type of secure connection? 我还有其他方法可以查看/调试此绑定为什么不允许我创建正确类型的安全连接吗? I'm not sure how to go about diagnosing this properly. 我不确定该如何正确诊断。
2 个解决方案
解决方案1
1 2019-09-14 21:06:48
I'd start with browser tools to view the certificate it is loading. 我将从浏览器工具开始查看它正在加载的证书。 Modern browsers are pretty good about flagging what aspects of certs are off (mismatch of domain, expiration, etc.). 现代浏览器很好地标记了证书的哪些方面已关闭(域,到期等不匹配)。 Also make sure you do this calling the https endpoint as May be defaulting to http 还要确保您执行此操作以调用https终结点,因为可能默认为http
解决方案2
0 已采纳 2019-09-16 09:25:53
I learned a lot while trying to fix this, so herewith, my road to solution. 在尝试解决此问题时,我学到了很多东西,因此,我找到了解决之道。
tl;dr - problem was with the certificate and its loading into Azure...I think. tl; dr-问题在于证书及其将其加载到Azure中...我认为。 There was an issue with the DNS, but after that, reloading and rebinding the certificate in the Azure Portal over and over again seemed to to the trick. DNS出现了问题,但是此后,一遍又一遍地重新加载和重新绑定Azure门户中的证书似乎很关键。
Diagnosing 诊断
@jeffhollan mentioned this in his response below, but the browser did give a hint as to why it was reporting a non-private connection. @jeffhollan在下面的回复中提到了这一点,但是浏览器确实提示了为什么它报告了非私有连接。 It did show some correct details about the certificate, it showed some other host name instead. 它确实显示了有关证书的一些正确详细信息,而是显示了其他一些主机名。
Suspicious about the SSL certificate itself (I'd gotten mine from namecheap), I used these online tools to investigate the certificate, both quite helpful to me. 对于SSL证书本身(我是从namecheap那里得到的)感到怀疑,我使用了这些在线工具来研究证书,这两者对我都非常有帮助。 There are lots of others like them, I'm sure: 我敢肯定,还有很多其他人:
- https://www.ssllabs.com/ssltest/analyze.html https://www.ssllabs.com/ssltest/analyze.html
- https://decoder.link/sslchecker https://decoder.link/sslchecker
These pointed to two strange things - the hostname wasn't right (it was pointing to some strange shortener service) and the certificate was not signed by a trusted certificate authority. 这指出了两个奇怪的问题-主机名不正确(它指向某种奇怪的缩短服务),并且证书不是由受信任的证书颁发机构签名的。
The DNS Issue DNS问题
When I obtained the domain (from GoDaddy), I set up the CNAME record to point to the Azure Function URL. 从GoDaddy获取域后,我将CNAME记录设置为指向Azure函数URL。 That worked. 那行得通。
BUT, I didn't remove / update the A record, which was still pointing to that weird shortener service URL (was there when I got the domain). 但是,我没有删除/更新A记录,该记录仍然指向那个奇怪的缩短服务URL(当我获得域名时就在那)。
Since I am currently only interested in having this single Azure Function accessible, deleting the A record was sufficient for me. 由于我目前仅对访问此单个Azure函数感兴趣,因此删除A记录对我来说就足够了。 This is probably not the best solution, but if I knew what it was, I wouldn't have had this problem in the first place... 这可能不是最好的解决方案,但是如果我知道它是什么,那么我根本就不会遇到这个问题。
I reran the tools above, and at least the host name was pointing to something Azure related, but still not working properly. 我重新运行了上面的工具,至少主机名指向的是与Azure相关的内容,但仍无法正常工作。
The Self-Signed Certificate Issue 自签名证书发行
I spent a lot of time with Namecheap's online support - really great service and very helpful. 我花了很多时间在Namecheap的在线支持上-真是很棒的服务,而且非常有帮助。 The suggestions did boil down to re-issuing the certificate and going through the various steps to upload and bind the certificate in the Azure Portal. 这些建议归根结底是重新颁发证书,并经历了在Azure门户中上载和绑定证书的各个步骤。
I only re-issued the certificate once. 我只重新签发了一次证书。 But I re-uploaded and re-bound it in the Azure portal 6-10 times. 但是我在Azure门户中重新上传并重新绑定了6-10次。 On the final time, it just seemed to work. 在最后一次,它似乎工作了。
I don't know what the problem was. 我不知道问题是什么。 The support team and the online tools all pointed to the server (Azure) not having accepted / loaded the certificate correctly. 支持团队和在线工具都指出服务器(Azure)没有正确接受/加载证书。 I'm almost certain that I wasn't doing anything different during my upload attempts, so perhaps persistence was just the key. 我几乎可以确定在上载尝试期间没有做任何不同的事情,因此持久性可能只是关键。
I struggle to understand how it could have been a propagation / timing thing. 我很难理解它可能是传播/定时的事情。 I was fiddling with this over the course of 3 days. 在3天的时间里,我一直在摆弄。 The DNS was sorted on day 1, and there was a lot of time between certificate re-uploads. DNS在第1天进行了排序,两次证书重新上传之间有很多时间。 From what I understand, propagation DNS should take about 30 minutes, rarely more than 60, but certificates and SSL don't generally form part of that? 据我了解,传播DNS大约需要30分钟,很少超过60分钟,但是证书和SSL通常不构成其中的一部分? I don't know. 我不知道。
Learnings 学习收获
As @jeffhollan mentioned, the browser gives some good hints. 正如@jeffhollan所提到的,浏览器提供了一些很好的提示。 I'm embarrassed that this didn't occur to me sooner, but yeah... 我很尴尬的是我没有早点想到这一点,但是是的...
The online SSL tools are useful for not only diagnosing SSL issues, but also testing their strength. 在线SSL工具不仅可用于诊断SSL问题,还可用于测试其强度。 Good finds. 好发现。
Getting a handle on whether the issue is with (a) the certificate, (b) the server or (c) the DNS is a worthwhile first step. 了解问题的根源在于(a)证书,(b)服务器还是(c)DNS是值得的第一步。 Having each managed by different parties probably makes it a little harder... 由不同方管理每个人可能会使工作变得更加困难...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.