HTTP Error 502.3 - Bad Gateway A security error occurred [Answered]

13 replies

Last post Jan 19, 2012 05:06 AM by Adrian B.

  • HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 24, 2011 05:43 PM|xxyyzz

    I am using ARR and URL Rewrite. I got HTTP to work; now I am trying HTTPS and I get the above error.

    The Detailed Error Information is

    Module ApplicationRequestRouting
    Notification ExecuteRequestHandler
    Handler ApplicationRequestRoutingHandler
    Error Code 0x80072f8f

    I ran Microsoft Network Monitor and saw the following error in the trace

    MicrosoftWindowsWebIO: 0x00000000014F0650: SSL Cert Validation Failure - Unable to Get Cert Chain (Error: Unknown value: 1) Context Handle(3533168 (0x35E970):21343648 (0x145ADA0)) (IgnoredServerCertErrors 4224 (0x1080)) (CertErrors 256 (0x100))

     

    When I go directly from IE on the same PC that IIS 7 is running on to the end server (i.e. I bypass ARR and URL Rewrite), it works fine, so I am assuming (probably a big mistake) that my certificates are OK.

    Any help/ideas?

  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 26, 2011 01:35 PM|owjeff

    Do you have the certificate installed on the ARR server? Did you enable SSL offload?

    Jeff Graves

    OrcsWeb: Managed Windows Hosting Solutions
    "Remarkable Service. Remarkable Support."
  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 27, 2011 02:41 PM|xxyyzz

    I have a CA on the ARR. My understanding is that the certificate is on the server and it is sent to the ARR when an SSL connection is established.

    Yes, SSL offload is enabled.

  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 27, 2011 02:58 PM|owjeff

    You need to install the actual certificate that is in use on the content node on the ARR node as well. Then, you need to create a binding in IIS on the IP for that site and select the site's certificate on the ARR node. The backend request will use whatever protocol you have specified in the URL rewrite rule (typically just HTTP):

    http://blogs.iis.net/wonyoo/archive/2008/07/10/ssl-off-loading-in-application-request-routing.aspx

  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 27, 2011 05:14 PM|xxyyzz

    I need to do HTTPS to the back end server. It seems the problem is happening when the ARR is establishing an SSL connection to the backend server. In this case, the ARR is the client and the back end server is the server in the SSL connection.

    So the certificate needs to be on the server???

  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 27, 2011 09:14 PM|owjeff

    If the original request from the end-user needs to be SSL, then the certificate needs to be on the ARR server as well. However, from the sounds of it, the issue does seem to be the response from the content node to ARR. What happens if you pull up the URL in question in a browser on the ARR node?
  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 28, 2011 08:55 AM|xxyyzz

    If I go directly from my browser to the back end server using HTTPS, everything works fine.

    It's when I introduce ARR as a reverse proxy that I have a problem.

    I believe the order of events is as follows.

    Browser makes HTTPS request to ARR.

    ARR sends certificate to Browser.

    Browser verifies certificate using its CA.

    (up to this point everything is fine)

    ARR makes HTTPS request to back end server

    Back end Server sends certificate to ARR

    *** Here is the problem

    ARR should verify certificate using its CA (this is where the error occurs)


  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 28, 2011 09:27 AM|owjeff

    xxyyzz

    Back end Server sends certificate to ARR

    *** Here is the problem

    That's why I asked what happens if you load the page from the ARR nodes to the back end server in a browser (i.e. log in to the ARR node via RDP and open Internet Explorer, then load the backend page). That should, in effect, be replicating what ARR is doing.

  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 28, 2011 09:44 AM|xxyyzz

    When I use IE directly to the back end server - it works fine.

  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 28, 2011 10:12 AM|owjeff

    Error 0x80072f8f and your network trace clearly show a certificate chain problem, so I'm not sure why it's working in the browsers. If you view the certificate and look at the actual certificate chain, are the root and intermediate CAs in your certificate store on the backend and ARR nodes?
  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 28, 2011 11:07 AM|xxyyzz

    I'm not sure how to actually view the certificate chain.

  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Mar 28, 2011 11:12 AM|owjeff

    Your SSL certificate provider should have specific instructions on what certificates need to be in the intermediate and root stores on the server. You can access the certificate store using the Certificates MMC snap-in (certmgr.msc).
  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Nov 18, 2011 12:03 PM|Vimm

    I'm having the exact same issue.  As xxyyzz stated, when connecting directly to a backend server it works fine so I doubt it's a bad certificate chain.  The issue is only when routing through the ARR server.  I've managed to find a forum post with a reasonable explanation here: http://forums.iis.net/t/1157253.aspx  He states that ARR does not forward the client certificate.  So, if the backend server requires a client cert the request will fail.  He suggested that the ARR server forward the certificate details in headers and be reconstructed on the backend server, but wouldn't that leave the backend servers vulnerable to spoofing via a direct connection?  Maybe if they were behind a firewall to only accept connections from the ARR server...


    Maybe one day Microsoft will allow ARR to forward client certificates, otherwise it looks like if you're doing client certificate authorization ARR is not a good fit.

  • Re: HTTP Error 502.3 - Bad Gateway A security error occurred

    Jan 19, 2012 05:06 AM|Adrian B.

    Hi. Facing the same problem. Possibly you use self-signed certificates? Possibly then the process is not able to read your trusted certificate store?
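
Added example, not part of any post in this thread: a PowerShell diagnostic for the certificate-chain question discussed above. It retrieves the certificate the backend presents and builds its chain once in the current-user context and once in the machine context, so a CA trusted only in the logged-on user's store shows up as a difference. `backend.example.internal` is a placeholder host, and that the ARR worker process relies on the machine store is an assumption the thread does not confirm.

```powershell
# Added diagnostic example; not from the thread. Run it on the ARR node.
param(
    [string]$BackendHost = 'backend.example.internal',  # placeholder host name
    [int]$Port = 443
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate only so that it can be retrieved
        # for inspection; nothing else is sent over this connection.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

function Test-CertificateChain {
    param($Certificate, [bool]$MachineContext)
    # $true = machine context; $false = current user context.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($MachineContext)
    # Revocation checking is off so the result reflects chain building and trust only.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)
    [pscustomobject]@{
        Context    = if ($MachineContext) { 'LocalMachine' } else { 'CurrentUser' }
        ChainBuilt = $built
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Elements   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

$cert = Get-RemoteCertificate -HostName $BackendHost -Port $Port
"Subject: $($cert.Subject)"
"Issuer:  $($cert.Issuer)"
Test-CertificateChain -Certificate $cert -MachineContext $false
Test-CertificateChain -Certificate $cert -MachineContext $true
```

If the chain builds in the CurrentUser context but not in LocalMachine, the root or intermediate CA is present only in the user's store; the Status column names the failing check (for example UntrustedRoot or PartialChain).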