Generate encrypted access to application hosted on Tomcat server from outside the virtual machine by configuring it through Azure Gateway using Self Signed Certificate

Poorvasha 5 Reputation points
2024-11-06T05:25:29.98+00:00

image

I generated a self-signed certificate for my application hosted on Tomcat within a virtual machine and uploaded it to Azure Application Gateway, but I'm encountering an error.

The Intermediate certificate is missing from the backend server chain. Please ensure that the certificate chain is complete and correctly ordered on the backend server.

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,098 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Ganesh Patapati 2,590 Reputation points Microsoft Vendor
    2024-11-06T16:14:14.5933333+00:00

    Hi Yadav, Poorvasha

    Greetings,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    To fix the missing intermediate certificate error in Azure Application Gateway for your Tomcat application, follow these general steps:

    The intermediate certificate was not found

    Message: The Intermediate certificate is missing from the certificate chain presented by the backend server. Ensure the certificate chain is complete and correctly ordered on the backend server.

    Cause: The intermediate certificate(s) isn't installed in the certificate chain on the backend server.

    Solution: An Intermediate certificate is used to sign the Leaf certificate and is thus needed to complete the chain. Check with your Certificate Authority (CA) for the necessary Intermediate certificate(s) and install them on your backend server. This chain must start with the Leaf Certificate, then the Intermediate certificate(s), and finally, the Root CA certificate. We recommend installing the complete chain on the backend server, including the Root CA certificate. For reference, look at the certificate chain example under Leaf must be topmost in chain.

    Note: A self-signed certificate which is NOT a Certificate Authority also results in the same error. This is because application gateway considers such self-signed certificate as "Leaf" certificate and looks for its signing Intermediate certificate. You can follow this article to correctly generate a self-signed certificate.

    These images show the difference between the self-signed certificates. Screenshot showing difference between self-signed certificates.

     self-signed-types

    The leaf or server certificate was not found

    Message: The Leaf certificate is missing from the certificate chain presented by the backend server. Ensure the chain is complete and correctly ordered on the backend server.

    Cause: The Leaf (also known as Domain or Server) certificate is missing from the certificate chain on the backend server.

    Solution: You can get the leaf certificate from your Certificate Authority (CA). Install this leaf certificate and all its signing certificates (Intermediate and Root CA certificates) on the backend server. This chain must start with the Leaf Certificate, then the Intermediate certificate(s), and finally, the Root CA certificate. We recommend installing the complete chain on the backend server, including the Root CA certificate. For reference, look at the certificate chain example under Leaf must be topmost in chain.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#:~:text=your%20application%20gateway.-,The,-intermediate%20certificate%20was


    Hope this clarifies.

    Thanks,

    Ganesh


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.