Back-end server certificate is not whitelisted for an application gateway using an Internal Load Balancer with an App Service Environment

This article troubleshoots the following issue: A certificate isn't whitelisted when you create an application gateway by using an Internal Load Balancer (ILB) together with an App Service Environment (ASE) at the back end while using end-to-end SSL in Azure.

Symptoms

When you create an application gateway by using an ILB with an ASE at the back end, the back-end server may become unhealthy. This problem occurs if the authentication certificate of the application gateway doesn't match the certificate configured on the back-end server. See the following scenario as an example:

Application Gateway configuration:

  • Listener: Multi-site
  • Port: 443
  • Hostname: test.appgwtestase.com
  • SSL Certificate: CN=test.appgwtestase.com
  • Backend Pool: IP address or FQDN
  • IP Address: 10.1.5.11
  • HTTP Settings: HTTPS
  • Port: 443
  • Custom Probe: Hostname - test.appgwtestase.com
  • Authentication Certificate: .cer of test.appgwtestase.com
  • Backend Health: Unhealthy - Backend server certificate is not whitelisted with Application Gateway.

ASE configuration:

  • ILB IP: 10.1.5.11
  • Domain name: appgwtestase.com
  • App Service: test.appgwtestase.com
  • SSL Binding: SNI SSL - CN=test.appgwtestase.com

When you access the application gateway, you receive the following error message because the back-end server is unhealthy:

502 - Web server received an invalid response while acting as a gateway or proxy server.

Solution

When you don't use a host name to access an HTTPS website, the back-end server returns the certificate configured on the default website, because SNI is not in play. For an ILB ASE, the default certificate comes from the ILB certificate. If no certificate is configured for the ILB, the certificate comes from the ASE App certificate.

When you use a fully qualified domain name (FQDN) to access the ILB, the back-end server returns the correct certificate that's uploaded in the HTTP settings. If that is not the case, consider the following options:

  • Use an FQDN in the back-end pool of the application gateway to point to the IP address of the ILB. This option only works if you have a private DNS zone or a custom DNS configured. Otherwise, you have to create an "A" record in a public DNS.

  • Use the certificate uploaded on the ILB, or the default certificate (the ILB certificate), in the HTTP settings. The application gateway receives that certificate when it accesses the ILB's IP address for the probe.

  • Use a wildcard certificate on the ILB and the back-end server, so that the certificate is common to all the websites. However, this solution is possible only for subdomains, not when each website requires a different host name.

  • Clear the Use for App Service option for the application gateway if you are using the IP address of the ILB.

To reduce overhead, you can upload the ILB certificate in the HTTP settings to make the probe path work. (This step is just for whitelisting; the certificate won't be used for SSL communication.) You can retrieve the ILB certificate by accessing the ILB over HTTPS with its IP address from your browser, exporting the SSL certificate in Base-64 encoded CER format, and uploading the certificate on the respective HTTP settings.
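The check below is an added example, not part of this article or of any Azure tooling: it reproduces from a script what the browser step above does by hand. It fetches the certificate the ILB presents when contacted by IP with no SNI (which is what the gateway's probe sees), the certificate served for the site host name, and compares both against a .cer already uploaded to the HTTP settings. The IP and host name are taken from the scenario above; the file names `ilb-default.cer` and `uploaded.cer` are assumptions.

```python
"""Compare the certificate the ILB serves by IP (no SNI), the one it serves
for the site host name, and the .cer uploaded to the HTTP settings.
Added example; not Microsoft's code."""
import hashlib
import socket
import ssl
from typing import Optional

ILB_IP = "10.1.5.11"                  # ILB IP from the scenario above
SITE_HOST = "test.appgwtestase.com"   # App Service host name from the scenario above


def fetch_cert_pem(ip: str, port: int = 443, sni: Optional[str] = None) -> str:
    """Return the leaf certificate (PEM / Base-64 CER) a TLS endpoint presents.
    sni=None sends no server name, like a probe against a bare IP address.
    Verification is disabled on purpose: we want whatever the server sends."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return pem_from_der(tls.getpeercert(binary_form=True))


def pem_from_der(der: bytes) -> str:
    """Base-64 CER encoding of DER bytes (the format the HTTP settings accept)."""
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, so PEM line wrapping does not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def diagnose(default_pem: str, sni_pem: str, uploaded_pem: str) -> str:
    """Map the three certificates onto the options listed in the article."""
    up, dflt, sni = (fingerprint(p) for p in (uploaded_pem, default_pem, sni_pem))
    if up == dflt:
        return "ok: probe by IP returns the uploaded certificate"
    if up == sni:
        return ("mismatch: uploaded .cer matches the SNI site but not the ILB default; "
                "use the FQDN in the back-end pool or upload the ILB certificate")
    return "mismatch: uploaded .cer matches neither certificate the ILB serves"


if __name__ == "__main__":
    default_pem = fetch_cert_pem(ILB_IP)                 # what the gateway probe sees
    sni_pem = fetch_cert_pem(ILB_IP, sni=SITE_HOST)      # what a browser with the FQDN sees
    with open("ilb-default.cer", "w") as f:              # assumed output file, ready to upload
        f.write(default_pem)
    with open("uploaded.cer") as f:                      # assumed path of the .cer in HTTP settings
        print(diagnose(default_pem, sni_pem, f.read()))
```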

Need help? Contact support

If you still need help, contact support to get your issue resolved quickly.