JM_MA

Reputation: 23

Cosmos DB Emulator on VM and Azure Function App on Host MacOS not passing SSL validation

Problem: The Function App on the Mac fails SSL validation when the Cosmos DB emulator is hosted on a Windows VM running on the Mac. After multiple attempts and research, I haven't been able to make it work when developing an Azure Function App...

Azure claims: As a workaround for not having a native Cosmos DB emulator for macOS, the emulator can be hosted on a Windows VM using a hypervisor like Parallels while the app is being written on the Mac operating system.

What is my setup? 1 machine, 2 operating systems running independently.

On the Mac (host):

  1. Visual Studio Code running Azure Functions (2.0) for Node JS.
  2. Azure Function Core Tools (v. 0.20.1)
  3. Azure Cosmos DB extension (v. 0.11.0)

On the VM (Guest machine on Mac):

The Mac host is able to communicate with the guest VM and vice versa without a problem. The VM has its own IP address.

What has been done following documentation from Azure:

A self-signed cert was automatically generated by the emulator under the VM's unique IP address. The cert was properly exported and imported into the Mac's Keychain Access. While the Cosmos DB Emulator's explorer can be rendered in Safari (after accepting the cert in the browser), AND the Cosmos DB extension in Visual Studio Code on the Mac can connect to the emulator (create a DB and a container, insert records manually, etc.), the function app itself rejects the connection when executing, saying that the SSL cert didn't pass validation.

The connection string for Cosmos was changed in the local.settings.json of the function app to (IP address of the VM with the default AccountKey):

AccountEndpoint=https://10.37.129.3:8081/;AccountKey=C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==

The Cosmos Emulator was run using the following command in CMD:

Microsoft.Azure.Cosmos.Emulator.exe /AllowNetworkAccess /Key=C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==

The Windows machine has its firewall turned off.

The Function App uses Cosmos DB bindings. It is NOT using the full-fledged Cosmos DB SDK or the Cosmos DB REST API.

However, I do not know how to bypass the SSL validation from within the Function App.

It seems that any solution pertaining to this issue (or similar) is for running the full-fledged Cosmos DB SDK or the Cosmos DB REST API, where you need to provide an HttpClientHandler to the DocumentClient constructor, which has its own implementation of ServerCertificateCustomValidationCallback. This goes for C#. For Node, add `process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;` before calling https.request(). Similarly, for the Node Cosmos DB SDK there is a flag called DisableSSLVerification that, when set to false, should bypass the SSL verification... But again, in a function app we do not have an opportunity to do this. Azure in the background is providing the server running the Function App code and also calling the DocumentClient for you... We do not instantiate the Cosmos DB instance OR set up the Node.js server to run our code...

Other solutions tried: Adjusted Visual Studio Code, turning off Proxy Strict SSL.

Has anyone been able to solve this scenario?... It seems my only choice is to refactor the Function App code and ignore the easy Cosmos DB function app bindings... which seems wrong from Microsoft and contradictory, as bindings are the easiest way to communicate with Cosmos DB.

Thanks in advance, -JM

Upvotes: 2

Views: 1065

Answers (1)

Matias Quaranta

Reputation: 15613

The Cosmos DB binding hides the possibility of changing the SSL certificate configuration, so you cannot change that. It is intended to simplify the most common scenarios, but the scenario you are trying to achieve requires some advanced changes; this is not simply a Function running in the cloud trying to connect to a Cosmos DB instance. In a normal scenario (a Function running in the cloud) you'd never want to disable SSL.

You can opt to work with your own customized SDK client, just need to make sure you maintain the instance as a global/static: https://learn.microsoft.com/azure/azure-functions/manage-connections#cosmosclient-code-example-javascript

Upvotes: 1
