
【Azure API Management】APIM cannot connect to App Service (APIM cannot connect to APP service)

Problem description

APIM fails to connect to the App Service and returns a 500 error:

{
    "statusCode": 500,
    "message": "Internal server error",
    "activityId": "2aef4474-4067-a333-8750-3889ebad3eeb"
}

Calling the App Service directly succeeds; the 500 error appears only when the request goes through APIM.

Problem analysis

Following the post "【Azure API Management】Enabling Trace for requests to APIM -- a handy tool for debugging APIM policies", APIM Trace was enabled, and the Backend section of the trace shows the real error message:

error message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

This error message points to a problem with the certificate used by the backend service. It is typically encountered when the certificate configured on the backend of APIM is self-signed rather than issued by a root CA. The APIM service runs on Azure PaaS VMs with the Windows operating system, so every APIM instance trusts the same default root certificate authorities that Windows trusts. The problem can be resolved in one of two ways:

1: Add a certificate issued by a trusted CA to the App Service.

2: Disable certificate chain validation between APIM and the backend App Service. Use New-AzApiManagementBackend or Set-AzApiManagementBackend to set -SkipCertificateChainValidation to True on the backend configured in APIM.

Example commands:

$context = New-AzApiManagementContext -ResourceGroupName 'ContosoResourceGroup' -ServiceName 'ContosoAPIMService'

# Register the backend with chain validation disabled (no -BackendId given, so one is generated).
# The backtick is required: without it PowerShell treats the second line as a separate command.
New-AzApiManagementBackend -Context $context `
    -Url 'https://contoso.com/myapi' -Protocol http -SkipCertificateChainValidation $true
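As an added example (not code from the original post or from the Azure documentation), the following PowerShell script goes one step beyond the commands above: it first reproduces APIM's trust decision locally by building the backend certificate's chain against the machine's root store, and only if that chain fails does it apply -SkipCertificateChainValidation to the matching backend (updating an existing one with Set-AzApiManagementBackend, or creating it with New-AzApiManagementBackend). The resource group, service name and backend URL are placeholders, and Az.ApiManagement with a signed-in Connect-AzAccount session is assumed.

```powershell
# Added example; assumes Az.ApiManagement is installed, Connect-AzAccount has run,
# and the three placeholder values below are replaced with the real names.
$ResourceGroup = 'ContosoResourceGroup'        # placeholder
$ServiceName   = 'ContosoAPIMService'          # placeholder
$BackendUrl    = 'https://contoso.com/myapi'   # placeholder: App Service URL APIM calls

# APIM trusts the default Windows root CAs, so reproduce its decision locally by
# building the backend certificate's chain against this machine's trust store.
function Test-BackendCertificateChain {
    param([Parameter(Mandatory)][string]$Url)
    $uri    = [System.Uri]$Url
    $client = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
    try {
        # Accept any server certificate during the handshake; the chain is checked below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl    = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($uri.Host)
        $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain  = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $ok     = $chain.Build($cert)
        [pscustomobject]@{
            Subject = $cert.Subject
            Issuer  = $cert.Issuer
            ChainOk = $ok
            Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } finally { $client.Dispose() }
}

$result = Test-BackendCertificateChain -Url $BackendUrl
$result | Format-List
if ($result.ChainOk) {
    Write-Host 'Chain builds to a trusted root; the 500 is not a certificate-trust failure.'
    return
}

# Option 1 (preferred): bind a certificate from a publicly trusted CA to the App Service.
# Option 2: skip chain validation for this one backend. APIM then no longer verifies the
# backend's identity on that hop, so keep it scoped to this backend and remove it later.
$context = New-AzApiManagementContext -ResourceGroupName $ResourceGroup -ServiceName $ServiceName
$backend = Get-AzApiManagementBackend -Context $context | Where-Object { $_.Url -eq $BackendUrl }
if ($backend) {
    Set-AzApiManagementBackend -Context $context -BackendId $backend.BackendId -SkipCertificateChainValidation $true
} else {
    New-AzApiManagementBackend -Context $context -Url $BackendUrl -Protocol http -SkipCertificateChainValidation $true
}
```

Run the chain check on a Windows machine to match APIM's trust store; the Status column lists the X509ChainStatus flags (for example UntrustedRoot for a self-signed certificate) that explain why the chain did not build.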

References

Set-AzApiManagementBackend :https://docs.microsoft.com/en-us/powershell/module/az.apimanagement/set-azapimanagementbackend?view=azps-7.3.0&viewFallbackFrom=azps-4.8.0

New-AzApiManagementBackend :https://docs.microsoft.com/en-us/powershell/module/az.apimanagement/new-azapimanagementbackend?view=azps-7.3.0&viewFallbackFrom=azps-4.8.0

Troubleshooting 4xx and 5xx Errors with Azure APIM services: https://techcommunity.microsoft.com/t5/azure-paas-blog/troubleshooting-4xx-and-5xx-errors-with-azure-apim-services/ba-p/2115744

Scenario 7: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

Symptom:

API requests fail with Backend Connection Failure with the below error message highlighted under the errorMessage column in the diagnostic logs:

“The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel”

Cause:

This error is normally encountered when the backend has been configured to use a self-signed certificate instead of using a publicly trusted root CA certificate.

APIM services are hosted in the Azure infrastructure using PaaS VMs that run on Windows OS.

Hence, every APIM instance trusts the same default Root Certificate Authorities that all Windows machines trust.

The list of trusted Root CAs can be downloaded using the Microsoft Trusted Root Certificate Program Participants list - https://docs.microsoft.com/en-us/security/trusted-root/participants-list

Resolution:

There are 2 possible solutions for resolving this issue:

  • Add a valid trusted root CA certificate that resolves to a Microsoft Trusted Root Participant list.
  • Disable certificate chain validation in order for APIM to communicate with the backend system. To configure this, you can use the New-AzApiManagementBackend (for new back end) or Set-AzApiManagementBackend (for existing back end) PowerShell cmdlets and set the -SkipCertificateChainValidation parameter to True.

When facing problems in a complex environment, the way of investigating things requires: let the turbid settle and it slowly clears; let the still move and it slowly comes alive. In the cloud, it is just so!