Cannot get SSL to work on Azure instance

Question

I've been tearing my hear out trying to figure out why SSL works in one of my Azure projects but not in another.

When I navigate to my site, say https://foo.com, I can't even connect to the site. Browsers can't connect at all and curl says "couldn't connect to host". However, if I go to my cloudapp.net URL (e.g. https://foo.cloudapp.net), it can connect but browsers will complain and say my cert is for *.foo.com. Note: I am able to connect to http://foo.com without any trouble.

Here's my code with certain values obfuscated.

ServiceDefinition.csdef:

<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="MyApp" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
<WebRole name="www" vmsize="Small">
<Sites>
  <Site name="Web">
    <VirtualApplication name="r" physicalDirectory="../Foo/Bar" />
    <Bindings>
      <Binding name="Endpoint1" endpointName="Endpoint1" />
      <Binding name="Endpoint2" endpointName="Endpoint2" />
    </Bindings>
  </Site>
</Sites>
<Endpoints>
  <InputEndpoint name="Endpoint1" protocol="http" port="80" />
  <InputEndpoint name="Endpoint2" protocol="https" port="443" certificate="STAR.foo.com" />
</Endpoints>
<Imports>
  <Import moduleName="Diagnostics" />
</Imports>
    <Certificates>
      <Certificate name="STAR.foo.com" storeLocation="LocalMachine" storeName="My" />
    </Certificates>
</WebRole>
</ServiceDefinition>

my cert is uploaded, the thumbprint matches (in this example it's also "1234567890")

ServiceConfiguration.csfg:

<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="myApp" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="1" osVersion="*">
<Role name="www">
<Instances count="2" />
<ConfigurationSettings>
  <Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="UseDevelopmentStorage=true" />
</ConfigurationSettings>
<Certificates>
  <Certificate name="STAR.foo.com" thumbprint="1234567890" thumbprintAlgorithm="sha1" />
</Certificates>
</Role>
</ServiceConfiguration>

Azure Console:

I have verified that:

My cert is uploaded

• It's SHA1
• It's thumbprint matches what I've specified in ServiceConfiguration.cscfg (in this example it's "1234567890")
• The certs for the Certificate Authorities are also present (for me it's "PositiveSSL CA" and "AddTrust External CA root")
• For the Azure instance, it confirms there are 2 endpoints (port 80 and port 443)

Why would I not be able to connect at all via https://foo.com, but my https://foo.cloudapp.net will load (although triggering a browser warning)? This seem to indicate my configuration is correct but something else is off... ideas?

Answer 1

I think you may be looking in the wrong place for your problem!

How have you mapped foo.com to your site's address?

Note that Azure instances are given dynamic IP addresses - what address your site may be on NOW may not be what its on tomorrow. The recommendation for Azure is to add a "www" CNAME DNS entry in your domain records that points at "foo.cloudapp.net".

This way, when someone browses to www.foo.com, the DNS server will (invisibly) say "hey, actually, that site is as foo.cloudapp.net. The browser will then ask for the IP address of foo.cloudapp.net. This domain is managed by Microsoft who will return the current IP address for your site.

If you want foo.com to still get you to www.foo.com, you'll have to setup DNS redirection so that whenever someone types foo.com into their browser, they're redirected to www.foo.com. This will then cuase the browser to resolve foo.cloudapp.net and then the HTTP request will be sent to your site. Some domain hosters charge for this (typically a nominal fee), some offer it as a free service.

HTH.