I have a Web App deployed in Azure that connects to Cosmos DB using a Private Endpoint; it throws the following error:
‘The SSL connection could not be established, see inner exception.’
The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch
[Screenshots attached to the question: Cosmos DB, Private Endpoint, Private DNS Entry, Web App configuration]
Stack Trace:
FBAuthDemoAPI.Controllers.FamilyController: at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)at System.Net.Http.HttpConnectionPool.ConnectAsync(
Answers
I don't know what went wrong. Everything started working after I recreated everything.
I think the issue is with the CosmosDB Endpoint URL pointing to https://family.privatelink.documents.azure.com/, while it should be pointing to the ‘normal’ DNS name without the privatelink portion. If DNS is set up correctly for privatelink, then resolving the normal public endpoint would return a private IP address – see below example for a storage account endpoint:
Reference: https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios
The certificate error is likely to be coming from the mismatch in the name between the endpoint that is configured on the WebApp (the privatelink DNS name) and the certificate that is reflecting the normal public endpoint name.
So, if family.documents.azure.com is your CosmosDB account name, then that name should be used for connecting to the database. In order to test if the name resolution works on your WebApp and test if the CosmosDB endpoint name resolves properly, you can use the built-in console.
So if the URL below is the endpoint of your CosmosDB and DNS for Private Endpoints is set up properly, this command should return a private IP address:
nameresolver.exe family.documents.azure.com
Please also note that your WebApp needs to be properly integrated into the VNET using VNET Integration, otherwise this will not work (but I would expect a different error if that was not the case).
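The following script is an added example, not part of the answer above and not an Azure or Cosmos DB tool. It makes the three checks the answer describes explicit: whether the configured endpoint host carries the privatelink label, whether that host resolves to a private (VNet) address, and whether the host would pass TLS hostname validation against the server certificate's Subject Alternative Names. The SAN list and the DNS table are constructed sample data (the wildcard pattern is an assumption about how the public Cosmos DB certificate is shaped, not a copy of the real certificate); `fetch_server_sans` is an optional live helper that reads the SANs a real server presents.

```python
"""Check a Cosmos DB endpoint URL for the conditions a Private Endpoint setup needs.

1. The host should be the public account name, not the privatelink alias.
2. The host should resolve (via the private DNS zone) to a private IP.
3. The host must match a name in the server certificate's SAN list; the
   privatelink alias fails this check, which is the RemoteCertificateNameMismatch.
"""
import ipaddress
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample data (assumption, not taken from the page or from Azure):
# a SAN list shaped like a wildcard certificate for the public Cosmos DB domain,
# and a fake DNS table standing in for the VNet's private DNS zone.
SAMPLE_SANS = ["*.documents.azure.com", "documents.azure.com"]
SAMPLE_DNS = {
    "family.documents.azure.com": "10.0.1.4",             # private zone answer
    "family.privatelink.documents.azure.com": "10.0.1.4",  # private endpoint NIC
}


def sample_resolver(host):
    """Stand-in for socket.gethostbyname that answers from the constructed table."""
    return SAMPLE_DNS[host]


def endpoint_host(url):
    """Extract the lower-cased host from an https endpoint URL."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"expected an https URL with a host, got {url!r}")
    return parsed.hostname.lower()


def uses_privatelink_alias(host):
    """True when the host is the privatelink alias rather than the public name."""
    return "privatelink" in host.split(".")


def san_matches(host, san_names):
    """Hostname check as TLS clients apply it: exact label match, or a leading
    '*' that covers exactly one label (so *.documents.azure.com does not cover
    family.privatelink.documents.azure.com)."""
    host_labels = host.split(".")
    for name in san_names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def check_endpoint(url, san_names, resolve=socket.gethostbyname):
    """Run all three checks and return the findings as a dict."""
    host = endpoint_host(url)
    address = resolve(host)
    return {
        "host": host,
        "address": address,
        "privatelink_alias": uses_privatelink_alias(host),
        "resolves_private": ipaddress.ip_address(address).is_private,
        "san_match": san_matches(host, san_names),
    }


def fetch_server_sans(host, port=443):
    """Live helper (needs network): read the DNS SANs the server actually presents.
    Hostname checking is switched off only so the certificate can be inspected
    even when the name does not match; chain validation stays enabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for url in ("https://family.privatelink.documents.azure.com/",
                "https://family.documents.azure.com/"):
        print(check_endpoint(url, SAMPLE_SANS, resolve=sample_resolver))
```

Against the constructed data, the privatelink URL resolves to a private address but fails the SAN check, while the public name both resolves privately and matches the wildcard, which is the configuration the answer recommends. To run the checks against a real account, drop the `resolve=` argument (so the Web App's own DNS is used) and pass the result of `fetch_server_sans(host)` as the SAN list.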