Invalid Request Feel Free to Try Again With a Valid Token
Question
-
I have a function app in which I get this error :
It works OK sometimes and doesn't at other times, with the same query parameters and no changes.
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
- Edited by raskh Monday, May 27, 2019 5:26 PM
All replies
-
From the description, there is code in the Function app that makes an HTTPS request to a backend service that is using a certificate that is only trusted in your network. Since the web app/Function app server doesn't have the trusted root certificate, it is failing with a "not trusted" error. If I am misunderstanding the configuration please let me know.
However, the below information is based on that specific assumption.
Unfortunately, it is not possible to import a cert to the trusted root store in Azure Web Apps/Function app due to security concerns. The only option to work around this error would be to handle the validation in app code similar to what is described here: https://stackoverflow.com/a/34204814. We have used these steps successfully in the past, as an example:
- Create a new certificate to obtain a PFX file to upload.
- Upload the PFX to app service in the SSL Certificates area
- Follow steps 1 and 2 from this link to load the certificate: https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/
- Add a combination of the code in step 3 from the above link and the code here: Azure Web App calling on-prem service with Self-Signed SSL Cert. Essentially, get the certificate from the cert store, but from within the ServerCertificateValidationCallback function and then return true if the certs match for validation. The code looks something like this:
    // Requires: using System.Net; using System.Net.Security;
    //           using System.Security.Cryptography.X509Certificates;
    ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) =>
    {
        // The certificate already passed the platform's default validation.
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true;
        }

        // Otherwise accept only the certificate uploaded to the app, found by thumbprint.
        var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        certStore.Open(OpenFlags.ReadOnly);
        var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, "THUMBPRINT", false);
        if (certCollection.Count > 0)
        {
            var validCertificate = certCollection[0];
            var passedCert = new X509Certificate2(certificate);
            certStore.Close();
            return validCertificate.Equals(passedCert);
        }
        certStore.Close();
        return false;
    };
- Edited by DixitArora-MSFT Microsoft employee Tuesday, May 28, 2019 4:24 AM
- Proposed as answer by KetanChawda-MSFT Microsoft employee Tuesday, May 28, 2019 4:25 AM
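A handler-scoped variant of the thumbprint check in the answer above, as an added example (not code from the thread or from Microsoft). HttpClient on .NET Core does not consult ServicePointManager.ServerCertificateValidationCallback, so the check is attached to the client's own handler and limited to one backend host; the class name, `BackendHost` and `PinnedThumbprint` are hypothetical placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedBackendClient
{
    // Assumptions for illustration: both values are placeholders, not from the thread.
    private const string BackendHost = "backend.internal.example";
    private const string PinnedThumbprint = "THUMBPRINT";

    // Create one client and reuse it; the callback applies only to this client.
    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = Validate
        };
        return new HttpClient(handler);
    }

    // True for a certificate that passes default validation, or for the pinned
    // certificate when it is presented by the expected backend host.
    public static bool Validate(HttpRequestMessage request, X509Certificate2 certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
        {
            return true;
        }
        if (certificate == null || request?.RequestUri == null)
        {
            return false;
        }
        // The exception covers one host; every other destination keeps default validation.
        if (!string.Equals(request.RequestUri.Host, BackendHost, StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }
        // Tolerate only an untrusted chain; a name mismatch still fails.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors)
        {
            return false;
        }
        return string.Equals(certificate.Thumbprint, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```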
-
    private static async Task<JsonResult> GetNewToken(string tenantID, string clientId, string clientSecret, string resource, ILogger log)
    {
        // Client credentials grant: the form body carries the app's id and secret.
        FormUrlEncodedContent postContent = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "client_credentials" },
            { "client_id", clientId },
            { "client_secret", clientSecret },
            { "resources", resource }
        });
        postContent.Headers.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded");
        log.LogInformation("GetNewToken try");
        try
        {
            HttpResponseMessage response = await httpClient.PostAsync($"https://login.microsoftonline.com/{tenantID}/oauth2/token", postContent);
            string responseContent = await response.Content.ReadAsStringAsync();
            log.LogInformation("GotNewToken");
            JsonADToken jsonObject = JsonConvert.DeserializeObject<JsonADToken>(responseContent);
            JsonResult jsonResult = new JsonResult(jsonObject);
            jsonResult.StatusCode = 240;
            return jsonResult;
        }
        catch (Exception e)
        {
            log.LogInformation(e.ToString());
            throw; // rethrow without resetting the stack trace
        }
    }
This is the code that is causing the fault. I am using it to retrieve an Azure AD Access Token; it works OK sometimes and doesn't work most of the time.
-
- Edited by raskh Tuesday, May 28, 2019 8:15 AM
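To see why validation fails on some invocations without relaxing it, the HttpClient can be built with a callback that logs the presented certificate and chain status and still accepts only fully valid certificates. This is an added example, not code from the thread; the class and method names are hypothetical.

```csharp
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Logging;

public static class TlsDiagnostics
{
    // The validation result is unchanged (only SslPolicyErrors.None passes);
    // the callback only records what was presented when validation fails.
    public static HttpClient CreateLoggingClient(ILogger log)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                if (errors != SslPolicyErrors.None)
                {
                    // One entry per chain problem, e.g. UntrustedRoot or NotTimeValid.
                    string statuses = chain == null
                        ? string.Empty
                        : string.Join("; ", chain.ChainStatus.Select(
                            s => $"{s.Status}: {s.StatusInformation.Trim()}"));

                    log.LogWarning(
                        "TLS validation failed for {Host}: errors={Errors}, subject={Subject}, " +
                        "issuer={Issuer}, thumbprint={Thumbprint}, notAfter={NotAfter:o}, chain=[{Chain}]",
                        request.RequestUri?.Host, errors, cert?.Subject,
                        cert?.Issuer, cert?.Thumbprint, cert?.NotAfter, statuses);
                }
                return errors == SslPolicyErrors.None;
            }
        };
        return new HttpClient(handler);
    }
}
```

Comparing the logged issuer and thumbprint between a working and a failing invocation shows whether the two calls reached the same endpoint and certificate.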
-
This is weird. Can you delete and recreate the function and see if it helps.
If still the same behavior, share your function app name privately.
-
I created a new function with the same code.
I also tried publishing the function app to a new profile.
The same error persists.
The functions below both use Http client to retrieve Azure AD Access Token:
1. GameAzureConsume - This only works on first invocation
2. GameAzureToken - This always works
*************
App details:
2019-05-29T07:22:56.975
Id=c6cdf75b-5b9d-41ce-93d5-f5676d6b8489
Region :W India
-
Hi Raskh,
I looked at the logs and below are the findings.
Logs for 29 May 2019 :
No issue found for GameAzureConsume function. 6 successful executions without any fail.
Logs for 27 May 2019 :
Found Null reference exception in GameAzureConsume function. Below are the logs
Full Exception : System.NullReferenceException : Object reference not set to an instance of an object.
   at async GameAzureConsume.Run(HttpRequest req,ILogger log) at GameAzureConsume.cs : 349
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at async Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker`2.InvokeAsync[TReflected,TReturnValue](Object instance,Object[] arguments) at C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionInvoker.cs : 52
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.InvokeAsync(IFunctionInvoker invoker,ParameterHelper parameterHelper,CancellationTokenSource timeoutTokenSource,CancellationTokenSource functionCancellationTokenSource,Boolean throwOnTimeout,TimeSpan timerInterval,IFunctionInstance instance) at C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs : 584
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithWatchersAsync(IFunctionInstanceEx instance,ParameterHelper parameterHelper,ILogger logger,CancellationTokenSource functionCancellationTokenSource) at C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs : 531
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(??) at C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs : 467
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(??) at C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs : 277
Please let me know if anything else is required.
- Edited by DixitArora-MSFT Microsoft employee Thursday, May 30, 2019 9:20 AM
-
Can you please delete your last post, it has personal info.
- Edited by raskh Thursday, May 30, 2019 7:36 AM
-
The null ref exception on 27th May is an unrelated error in the code that was solved.
The reason the function shows "Success" on 29th May is a try catch block.
The exception that this thread is about must be there in these succeeded invocations' logs, but if not, here it is:
0T07:31:19.535 [Information] Executing 'GameAzureConsume' (Reason='This function was programmatically called via the host APIs.', Id=a13b0155-03a4-4031-a65c-e07d00166c23)
2019-05-30T07:31:19.536 [Information] C# HTTP trigger function processed a request.
2019-05-30T07:31:19.536 [Information] QueryParameters assigned
2019-05-30T07:31:19.536 [Information] GetNewToken try
2019-05-30T07:31:19.695 [Information] System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslState.ThrowIfExceptional()
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_1(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at ....GameAzureConsume.GetNewToken(String tenantID, String clientId, String clientSecret, String resource, ILogger log) in .........\GameAzureConsume.cs:line 146
2019-05-30T07:31:19.696 [Information] RUN: Get new token exception
2019-05-30T07:31:19.697 [Information] Executed 'GameAzureConsume' (Succeeded, Id=a13b0155-03a4-4031-a65c-e07d00166c23)
- Edited by raskh Thursday, May 30, 2019 7:42 AM
-
I have edited the post by removing the personal data.
-
Thanks for the edit.
Please let me know how to solve this fault
-
Hi Raskh,
I looked at the logs from the Azure function side and they seem fine. I will involve the Azure AD team and share the findings.
-
Hello Raskh,
1. GameAzureConsume - This only works on first invocation.
This is using client credential flow, and when you use client credential flow, you only get an access token; you do not get an accessToken-refreshToken token pair. Access token is generally valid for one hour. I think, if you would have noticed, the first invocation might be running for an hour and after an hour it would stop working. This is the probable cause of the same.
2. GameAzureToken - This always works
I am not sure which flow you are using with this. If you are using client credentials flow here also and it's working, then there may be some extra logic which would send a request for a new access token every 1 hour.
I think this to be the issue in all probability. However, if the above logic does not help you, please send us an e-mail at azcommunity[at]microsoft[dot]com and we will help you with alternate support channels.
Thank you.
Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Cheers!!
-
I think, if you would have noticed, the first invocation might be running for an hour and after an hour it would stop working. This is the probable cause of the same.
There seems to be some confusion. I do not think this has anything to do with the validity of the access tokens.
The function runs OK on the first invocation. This takes less than a minute to complete. Then if I try to run the function again, so this is now the 2nd invocation and all invocations thereafter, it fails because I get the exception mentioned above while trying to get a new Azure token.
2. GameAzureToken - This always works
This function also gets an Azure token using the same code and yet there are no problems here.
I have now removed the try catch block so that you can see the function fail. Made a new instance of the function app.
The function only "succeeded" earlier because of this try catch block, but as I mentioned before an exception was caught and I have written about this exception in an earlier post.
Details are as follows :
2019-06-04T18:31:09.209 [Error] Executed 'GameAzureConsume' (Failed, Id=c6cd6c33-9c00-4f82-9483-dd0c147b1872)
The remote certificate is invalid according to the validation procedure.
Region : West India
-
Just checking if you have the support plan to raise the support request.
Due to the unique characteristics of your issue, we feel it would be best if this issue is worked one on one with a support engineer, hence I would recommend you to raise a support request.
- Edited by DixitArora-MSFT Microsoft employee Thursday, June 6, 2019 5:17 AM
Source: https://social.msdn.microsoft.com/Forums/en-US/71cf15f4-11d2-4a99-8a84-9f00188ebc6f/systemnethttphttprequestexception-ssl