问题描述

APIM 无法正确连接到App Service，返回500错误：

{
    "statusCode": 500,
    "message": "Internal server error",
    "activityId": "2aef4474-4067-a333-8750-3889ebad3eeb"
}

单独访问App Service，是可以成功的。当通过APIM访问时候就出现了500错误

问题分析

根据博文“【Azure API 管理】为调用APIM的请求启用Trace -- 调试APIM Policy的利器” 中的内容，启用APIM Trace后，在 Backend 发现真实的错误消息为：

error message ：The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

这个错误信息指示，后端服务适用的证书问题。当APIM的后端服务所配置的证书为自签名证书，而不是根CA证书时，通常就会遇见此错误。 APIM服务部署在Windows操作系统所运行的PaaS VM托管上的Azure服务中。因此每个APIM实例都信任所有Windows 系统默认的根证书颁发机构。这个问题的解决办法为：

1：添加一个由受信任的CA机构颁发证书到App Service上。

2：禁止APIM与后端App Service之间的证书链验证。使用 New-AzApiManagementBackend 或 Set-AzApiManagementBackend 对APIM中所配置的后端服务 设置-SkipCertificateChainValidation  为True。

示例命令为：

$context = New-AzApiManagementContext -resourcegroup 'ContosoResourceGroup' -servicename 'ContosoAPIMService'
New-AzApiManagementBackend -Context  $context -Url 'https://contoso.com/myapi' -Protocol http -SkipCertificateChainValidation $true

参考文档

Set-AzApiManagementBackend ：https://docs.microsoft.com/en-us/powershell/module/az.apimanagement/set-azapimanagementbackend?view=azps-7.3.0&viewFallbackFrom=azps-4.8.0

New-AzApiManagementBackend ：https://docs.microsoft.com/en-us/powershell/module/az.apimanagement/new-azapimanagementbackend?view=azps-7.3.0&viewFallbackFrom=azps-4.8.0

Troubleshooting 4xx and 5xx Errors with Azure APIM services ： https://techcommunity.microsoft.com/t5/azure-paas-blog/troubleshooting-4xx-and-5xx-errors-with-azure-apim-services/ba-p/2115744

Scenario 7: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

 

Symptom:

API requests fail with Backend Connection Failure with the below error message highlighted under the errorMessage column in the diagnostic logs:

“The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel”

 

Cause:

This error is normally encountered when the backend has been configured to use a self-signed certificate instead of using a publicly trusted root CA certificate.

 

APIM services are hosted in the Azure infrastructure using PaaS VMs that run on Windows OS.

Hence, every APIM instance trusts the same default Root Certificate Authorities that all windows machines trust.

 

The list of trusted Root CAs can be downloaded using the Microsoft Trusted Root Certificate Program Participants list - https://docs.microsoft.com/en-us/security/trusted-root/participants-list

 

Resolution:

There are 2 possible solutions for resolving this issue:

• Add a valid trusted root CA certificate that resolves to a Microsoft Trusted Root Participant list.
• Disable certificate chain validation in order for APIM to communicate with the backend system. To configure this, you can use the New-AzApiManagementBackend (for new back end) or Set-AzApiManagementBackend (for existing back end) PowerShell cmdlets and set the -SkipCertificateChainValidation parameter to True.