APIM Consumption Tier, Custom Domain, Cloudflare & third level subdomain
I am working with Azure API Management Service, in the Consumption Tier, and I registered a "Custom domain" through a free account at Cloudflare, in cloudflare register the domain and configure full encryption.
Also add the domain as DNS to my API Management, as example CNAME "third.two.example.com".
Once this is done, create a source server certificate for the domain that I will use, it is a third level domain example "third.two.example.com" and then download the certificate and key (PEM and KEY).
Once this is done, because Azure when adding the certificate in API Management threw me the error "The content type needs to be application / x-pkcs12." I had to transform the certificate from PEM to PKCS12, I did it with the following script in OpenSSL on my computer.
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
(I did not add any key).
Then I upload the certificate in an Azure Key Vault as a certificate which does not give me any problem.
Finally I add the domain "third.two.example.com" to my Azure API Management referencing as custom domains in API Management, referencing the certificate uploaded to Key Vault, the process runs correctly and everything is fine.
However, when entering this domain, the browser shows me the following error:
And when trying to call the API through Postman with SSL active:
I also get the following error:
You could tell me if I'm doing something wrong or I have everything wrongly configured, I really don't have much knowledge in digital certificates so I don't know if I should do something additional or the configuration I'm using is not correct, thanks in advance for your comments.
The certificate information through the browser is as follows:
in advance thanks for your help !, sorry for the blurr but some data is private and I can't show it.
UPDATE
I found on this site that i have to change the cloud to orange (Proxied) so i did it and it doesn't work.
Finally i tested the same steps with the domain "third-two.example.com" and it works with 0 problems (The only thing to keep in mind is that the proxy must be activated after adding the domain in APIM), is there something that i need to do or update to some tier on CloudFlare for make a multiple level ssl certificate?, on the creation page, it says that is allowed here:
UPDATE - 2021-09-02
Ok, for everyone that still having this issue, there's no way to do that without an edge certificate (The plan cost 10 USD).
Quote for the activation:
Create a certificate in the dashboard To create a new advanced certificate in the dashboard:
- Log into your Cloudflare account and select a domain.
- Select SSL/TLS > Edge Certificates.
- Select Order Advanced Certificate.
- If Cloudflare does not have your billing information, you will need to enter that information.
- Enter the following information:
- Certificate Authority
- Certificate Hostnames
- Validation method
- Certificate Validity Period
- Select Save.
With all the steps done, you can now order an edge certificate that contains, all the hosts needed, for my example: main domain, the wildcard domain, and the three level subdomain:
- example.com
- *.example.com
- third.two.example.com
You can add a total of 50 hostnames, so if you need additional hostnames you can add it here, the steps are the following:
- Log into your Cloudflare account and select a domain.
- Select SSL/TLS > Edge Certificates.
- Select Order Advanced Certificate.
- In the certificate hostnames, fill all the domains from before.
With this steps and all the steps from before done, your API Management will recognize the domain as secured and also the SSL Certificate as follows:
Finally, i know this is a very specific topic using Azure Functions on Azure API Management, with a custom domain in Cloudflare, but maybe it can be usefull for someone, but it's not free, its 10USD per month, so if you want to use third level domain, but i think this is the cheapest and secure way to do it.
I will close this question.
I edited the question to add the answer from the CloudFlare forum, and it works so i think i will close this question.
- Configuring https on lighttpd
- Kestrel ignores certificate configuration in code
- How to set custom domain in Nexus Repo without port in URL
- Unable to find valid certification path to requested target - error even after cert imported
- Certificate Rebind in IIS 10 using powershell
- How to import a zscaler certificate into Git
- ERR_CERT_REVOKED only on Smartphones (connection is not secure)
- curl: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate
- Puppet after 5 years, when certificates expire?
- Python - requests.exceptions.SSLError - dh key too small
- SSL error unsafe legacy renegotiation disabled
- "SSL certificate verify failed" using pip to install packages
- Spring 5 WebClient using ssl
- Gitlab doesn't loads new ssl cert and key
- Jetty Invalid SNI issue even when certificate is correct
- SSL on JBOSS AS 7
- "aborting due to insecure configuration" while configuring TLS on Rust rocket server
- How to wrap net.Conn.Read() in Golang
- " An operation was attempted on something that is not a socket" when I try to add SSL authentication
- Error Importing SSL certificate : Not an X.509 Certificate
- SSL verification error at depth 0: unable to get local issuer certificate (20)
- Keycloak SSL setup using docker image
- Make OpenSSL accept expired certificates
- .NET Framework equivalent of IApplicationBuilder.UseForwardedHeaders()
- Setting up SSL on a local xampp/apache server
- Problem when installing Python from source, SSL package missing even though openssl installed
- NGINX to reverse proxy websockets AND enable SSL (wss://)?
- Is it safe sharing Self-signed certificate to other persons?
- curl - Is data encrypted when using the --insecure option?
- SSL certificate installation on Wildfly server