
How to troubleshoot an Azure Functions SSL configuration

I've followed the guides / processes I can find about adding / binding an SSL certificate to a custom domain for my Azure Function, but cannot get a secure connection to work. How can I go about finding (and fixing) the problem?

The app is in place, and the custom domain is added. I've generated and uploaded the private key. I can access the function (and it runs) when called via the custom domain, but the browser will insist on showing "this is not a private connection".

I'm running on a pay-as-you-go / consumption plan, but I've understood this to be fine?

Is there something that I need to be doing within the Function code itself to allow it to make use of the code?

Is there any other way that I can see / debug why this binding isn't letting me create the right type of secure connection? I'm not sure how to go about diagnosing this properly.

I'd start with browser tools to view the certificate it is loading. Modern browsers are pretty good about flagging what aspects of certs are off (mismatch of domain, expiration, etc.). Also make sure you do this calling the https endpoint, as it may be defaulting to http.

I learned a lot while trying to fix this, so herewith, my road to solution.

tl;dr - problem was with the certificate and its loading into Azure...I think. There was an issue with the DNS, but after that, reloading and rebinding the certificate in the Azure Portal over and over again seemed to do the trick.

Diagnosing

@jeffhollan mentioned this in his response below, but the browser did give a hint as to why it was reporting a non-private connection. It did show some correct details about the certificate, but it showed some other host name instead.

Suspicious about the SSL certificate itself (I'd gotten mine from namecheap), I used these online tools to investigate the certificate, both quite helpful to me. There are lots of others like them, I'm sure:

These pointed to two strange things - the hostname wasn't right (it was pointing to some strange shortener service) and the certificate was not signed by a trusted certificate authority.

The DNS Issue

When I obtained the domain (from GoDaddy), I set up the CNAME record to point to the Azure Function URL. That worked.

BUT, I didn't remove / update the A record, which was still pointing to that weird shortener service URL (was there when I got the domain).

Since I am currently only interested in having this single Azure Function accessible, deleting the A record was sufficient for me. This is probably not the best solution, but if I knew what it was, I wouldn't have had this problem in the first place...

I reran the tools above, and at least the host name was pointing to something Azure related, but still not working properly.

The Self-Signed Certificate Issue

I spent a lot of time with Namecheap's online support - really great service and very helpful. The suggestions did boil down to re-issuing the certificate and going through the various steps to upload and bind the certificate in the Azure Portal.

I only re-issued the certificate once. But I re-uploaded and re-bound it in the Azure portal 6-10 times. On the final time, it just seemed to work.

I don't know what the problem was. The support team and the online tools all pointed to the server (Azure) not having accepted / loaded the certificate correctly. I'm almost certain that I wasn't doing anything different during my upload attempts, so perhaps persistence was just the key.

I struggle to understand how it could have been a propagation / timing thing. I was fiddling with this over the course of 3 days. The DNS was sorted on day 1, and there was a lot of time between certificate re-uploads. From what I understand, DNS propagation should take about 30 minutes, rarely more than 60, but certificates and SSL don't generally form part of that? I don't know.

Learnings

As @jeffhollan mentioned, the browser gives some good hints. I'm embarrassed that this didn't occur to me sooner, but yeah...

The online SSL tools are useful for not only diagnosing SSL issues, but also testing their strength. Good finds.

Getting a handle on whether the issue is with (a) the certificate, (b) the server or (c) the DNS is a worthwhile first step. Having each managed by different parties probably makes it a little harder...
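The certificate / server / DNS split described in the answer above can be turned into a small triage routine. This is an added example, not part of the original answer: the host names, documentation-range IP addresses, sample certificates and the fixed `NOW` timestamp are all constructed, and the certificate dicts follow the layout of Python's `ssl.SSLSocket.getpeercert()`.

```python
import ssl

def name_matches(pattern, host):
    """Wildcard match where '*' may replace the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def triage(host, host_ips, target_ips, cert, now):
    """Return (layer, detail) findings for a custom domain.
    host_ips: addresses the custom domain resolves to
    target_ips: addresses the app's default hostname resolves to
    cert: presented leaf certificate, in ssl.getpeercert() dict layout
    now: current time in epoch seconds"""
    findings = []
    # DNS: the custom name has to land on the same front end as the app.
    if not set(host_ips) & set(target_ips):
        findings.append(("dns", "resolves elsewhere: %s" % sorted(host_ips)))
    # Server: a certificate for other names means the binding is not being served.
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(s, host) for s in sans):
        findings.append(("server", "names %s do not cover %s" % (sans, host)))
    # Certificate: self-signed (issuer == subject) or past notAfter.
    if cert.get("issuer") == cert.get("subject"):
        findings.append(("certificate", "self-signed"))
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append(("certificate", "expired " + cert["notAfter"]))
    return findings

def sample_cert(cn, issuer_cn, san, not_after="Jan  1 00:00:00 2030 GMT"):
    # Builds a constructed sample in getpeercert() layout.
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "subjectAltName": (("DNS", san),), "notAfter": not_after}

# Constructed observations (documentation-range IPs, hypothetical names).
HOST, APP_IPS, NOW = "fn.example.com", ["203.0.113.10"], 1_700_000_000
STALE_A = triage(HOST, ["198.51.100.7"], APP_IPS,
                 sample_cert("short.example.net", "short.example.net", "short.example.net"), NOW)
UNBOUND = triage(HOST, APP_IPS, APP_IPS,
                 sample_cert("*.azurewebsites.net", "Example CA", "*.azurewebsites.net"), NOW)
HEALTHY = triage(HOST, APP_IPS, APP_IPS,
                 sample_cert("fn.example.com", "Example CA", "fn.example.com"), NOW)

if __name__ == "__main__":
    for label, result in (("stale A", STALE_A), ("unbound", UNBOUND), ("healthy", HEALTHY)):
        print(label, result)
```

When the "dns" finding is present, the other findings describe whatever server the stale record points at, so fix DNS first and re-check before touching the certificate.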
