Certificate Validation Error When Invoking Azure Cognitive Search API

Question

We have an ASP.Net MVC application that invokes the Azure Cognitive Search API to execute a search. The application is deployed in an Azure VM running IIS. When the ACS API is invoked we are getting the following error:

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) --- End of inner exception stack trace --- at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar) --- End of inner exception stack trace ---

If I invoke the ACS API from an Azure developer VM in the same subnet via Postman it works fine.

Answer 1

Problem

It's possible you are running an old OS image or have Windows Update disabled on your VM which prevents the latest intermediate and root certificate authorities from updating.

Solution

Run Windows Update on your VM, or use the latest Azure VM OS image.

You can verify if you have the latest intermediate certificate authorities by checking the cert store on the VM. Specifically, you're looking for "Microsoft Azure TLS Issuing CA 01" which is the intermediate cert authority Azure Cognitive Search and most Azure services are using.

Manage User Certificates -> Intermediate Certification Authorities -> Certificates -> "Microsoft Azure TLS Issuing CA 01"