Cannot verify server's certificate when deploying to Azure Web App

Hi
I am working on a project where we try to migrate a web api to Azure Native, i.e. no VMs only Web Apps.
To deploy to the Web Apps I use the step ‘Deploy an Azure Web App’.
All the web apps were initially set up on an external Application Service Environment (ASE) in Azure. Everything was accessible from the internet.
In this setup the Octopus Deploy process worked fine. Even from my own developer machine.

The project then decided to set everything up in an internal ASE, i.e. nothing is accessible from the internet directly. For Octopus to be able to access the Web Apps I installed it on a build server inside the same Azure vNet.

When I run the deploy it complains about: Exception: Connected to the remote computer (“web-tst-wap-proj.scm.internal-net”) using the specified process (“Web Management Service”), but could not verify the server’s certificate. If you trust the server, connect again and allow untrusted certificates. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_CERTIFICATE_VALIDATION_FAILED.

I cannot see how I set Octopus to allow untrusted certificates. Is there any other way around this issue? Installing the certificate in Octopus?

I use Octopus 3.4.12 by the way. The Deployment log is attached.

ServerTasks-438.log.stripped.txt (22 KB)

Hi Magnus,

Thanks for getting in touch.

I cannot find a way in Octopus to allow untrusted certificates when deploying an Azure Web App. Given how locked down your environment is, I think the preferred method would be to add the certificates of each Web App as a trusted certificate in the certificate store of your Octopus server. I think this will allow you to deploy to those servers.

Here is an example of adding a certificate: https://blogs.technet.microsoft.com/sbs/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista/

I hope this helps, please let me know if you run into any issues.

Cheers,
Shane

Hi!
Thanks for answering.
The key to the solution was the certificates. When we moved from the external ASE to the internal ASE the domain changed from *.azurewebsites.net to an internal domain. We missed that this had to be updated both in each Web App and on the Octopus server. I also added an SSL binding to the certificate on the Web App. Don’t know if that was part of the solution. But I mention it if someone else struggles with the same problem.

Thanks for a great product!

/Magnus

Thanks for sharing your solution!
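
Added example, not part of the original thread or of Octopus Deploy: a PowerShell check, run on the Octopus server, that shows whether the certificate presented by the Web App's SCM endpoint fails on the host name, on the trust chain, or both, which are the two causes discussed above. The function name `Test-ServerCertificate`, port 443 and TLS 1.2 are assumptions; the host name is the one from the error message.

```powershell
# Added diagnostic example. Function name, port 443 and TLS 1.2 are assumptions.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )
    $seen = @{}
    # The callback only records what Windows decided about the certificate.
    # It returns $true so the handshake completes and the certificate can be
    # inspected; no application data is sent over this connection.
    $callback = {
        param($sender, $certificate, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        $seen.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)
        # OID 2.5.29.17 is the Subject Alternative Name extension.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $flags = [System.Net.Security.SslPolicyErrors]
        [pscustomobject]@{
            Host            = $HostName
            Subject         = $cert.Subject
            SubjectAltNames = if ($san) { $san.Format($false) } else { '(none)' }
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            Thumbprint      = $cert.Thumbprint
            # True when the certificate does not cover $HostName, e.g. it was
            # issued for *.azurewebsites.net but the app now uses an internal domain.
            NameMismatch    = [bool]($seen.Errors -band $flags::RemoteCertificateNameMismatch)
            # True when the issuer is not trusted by this machine's certificate store.
            ChainErrors     = [bool]($seen.Errors -band $flags::RemoteCertificateChainErrors)
            ChainStatus     = $seen.ChainStatus -join ', '
        }
    }
    finally {
        $tcp.Dispose()
    }
}

Test-ServerCertificate -HostName 'web-tst-wap-proj.scm.internal-net'
```

If `NameMismatch` is true, importing the certificate into the trusted store will not clear the error; the Web App needs a certificate whose names cover the internal domain.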