Connect via PE - Disable Proxy - Authentication Failed (Self signed certificate in certificate chain) #7901

Open
3 tasks done
KennyM86 opened this issue Apr 25, 2024 · 5 comments
Labels
✅ redirected to support Author has been redirected to Azure support

Comments

@KennyM86

KennyM86 commented Apr 25, 2024

Preflight Checklist

Storage Explorer Version

1.23.0

Regression From

No response

Architecture

x64

Storage Explorer Build Number

20220223.14

Platform

All

OS Version

Windows 10

Bug Description

When disabling proxy server to be able to connect to storage account via Private Endpoint, re-authentication is needed and fails.

After authenticating, it gives the following error message:
{
"message": ""{\n \"name\": \"Error\",\n \"message\": \"self signed certificate in certificate chain\",\n \"stack\": \"Error: self signed certificate in certificate chain\\n at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34)\\n at TLSSocket.emit (node:events:394:28)\\n at TLSSocket._finishInit (node:_tls_wrap:944:8)\\n at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12)\",\n \"code\": \"SELF_SIGNED_CERT_IN_CHAIN\"\n}""
}

Enabling proxy = Working authentication, but access storage via public endpoint
Disabling proxy = Authentication not working

Steps to Reproduce

  1. Launch storage explorer
  2. Disable proxy
  3. (restart app)
  4. Message that states account need to re-authenticate
  5. click re-authenticate now
  6. complete authentication
  7. Error shows

Actual Experience

{
"message": ""{\n \"name\": \"Error\",\n \"message\": \"self signed certificate in certificate chain\",\n \"stack\": \"Error: self signed certificate in certificate chain\\n at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34)\\n at TLSSocket.emit (node:events:394:28)\\n at TLSSocket._finishInit (node:_tls_wrap:944:8)\\n at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12)\",\n \"code\": \"SELF_SIGNED_CERT_IN_CHAIN\"\n}""
}

Expected Experience

Login successful
Access Storage Account via PE

Additional Context

No response

@KennyM86
Author

I've found a similar link: https://github.com/CawaMS/StorageExplorerTroubleshootingGuide/blob/master/se-troubleshooting-guide.md#self-signed-certificate-in-certificate-chain

After executing: Execute s_client -showcerts -connect microsoft.com:443

I found no self-signed certs are used. ("No client certificate CA names sent")

@craxal
Contributor

craxal commented Apr 25, 2024

@KennyM86 Please update your version of Storage Explorer to the latest available (1.33.1 as of today). 1.23.0 is quite old (almost 3 years old) and is no longer supported. Storage Explorer has received major improvements since then.

If you are still encountering issues after upgrading, here are some things you can try:

  • Is your "Auto Manage Proxy Settings" setting enabled or disabled? Try toggling this setting to see if anything changes.
  • Have you ever imported any certificates? You can check to see via the Edit > SSL Certificates > View Imported Certificates menu. If you have anything there, you may need to remove them.
  • When connecting to the public endpoint, how are you configuring Storage Explorer to use your proxy? Are your proxy settings set to "Use system proxy"? Does your system normally use a proxy?
  • Can you please turn on "Verbose Authentication Logging", retry your scenario, and provide app and auth logs?

@JasonYeMSFT
Contributor

JasonYeMSFT commented Apr 25, 2024

I've found a similar link: https://github.com/CawaMS/StorageExplorerTroubleshootingGuide/blob/master/se-troubleshooting-guide.md#self-signed-certificate-in-certificate-chain

After executing: Execute s_client -showcerts -connect microsoft.com:443

I found no self-signed certs are used. ("No client certificate CA names sent")

The message you referenced is expected. As far as I know, our error is about SSL certificates (aka. server certificates). They are different from client certificates. To send client certificates, there should have been a -cert argument in the openssl command. You should look at the server certificate(s) in the command output and see if there are any self-signed certificates. Let us know if you don't see any server certificates in the command output.
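Added example (not part of this thread, and not Storage Explorer or OpenSSL code): one way to carry out the check described above, by reading the server "Certificate chain" section of `openssl s_client -showcerts` output and flagging entries whose subject equals their issuer. The sample output and every name in it are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example (not from the issue or Storage Explorer): list the server
// chain printed by `openssl s_client -showcerts` and flag self-issued entries.
// SAMPLE_OUTPUT is constructed; every name in it is a placeholder.
const SAMPLE_OUTPUT = `CONNECTED(00000003)
---
Certificate chain
 0 s:CN = login.example.test
   i:O = Example Corp, CN = Example Inspection Issuing CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, body omitted)
-----END CERTIFICATE-----
 1 s:O = Example Corp, CN = Example Inspection Issuing CA
   i:O = Example Corp, CN = Example Corp Root CA
 2 s:O = Example Corp, CN = Example Corp Root CA
   i:O = Example Corp, CN = Example Corp Root CA
---
No client certificate CA names sent
---`;

// Normalise a DN so "CN=x" and "CN = x" compare equal.
function normalizeDn(dn) {
  return dn.trim().replace(/\s*=\s*/g, "=").replace(/\s*,\s*/g, ",").toLowerCase();
}

// Return [{depth, subject, issuer, selfIssued}] for the "Certificate chain" section.
function parseChain(output) {
  const chain = [];
  let inChain = false;
  let current = null;
  for (const line of output.split(/\r?\n/)) {
    if (/^Certificate chain\s*$/.test(line)) { inChain = true; continue; }
    if (!inChain) continue;
    if (/^---\s*$/.test(line)) break; // end of the chain section
    const subj = line.match(/^\s*(\d+)\s+s:(.*)$/);
    const iss = line.match(/^\s+i:(.*)$/);
    if (subj) {
      current = { depth: Number(subj[1]), subject: subj[2].trim(), issuer: null, selfIssued: false };
      chain.push(current);
    } else if (iss && current) {
      current.issuer = iss[1].trim();
      // Subject == issuer means self-issued (a root); signature is not checked here.
      current.selfIssued = normalizeDn(current.subject) === normalizeDn(current.issuer);
    }
  }
  return chain;
}

const selfIssuedCerts = (output) => parseChain(output).filter((c) => c.selfIssued);
console.log(selfIssuedCerts(SAMPLE_OUTPUT));
```

A flagged entry at the top of the chain is a root; Node reports `SELF_SIGNED_CERT_IN_CHAIN` when that root is not in the trust store the application uses, which is typical when a TLS-inspecting proxy or gateway re-signs the connection.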

@KennyM86
Author

KennyM86 commented Apr 26, 2024

@craxal

Ah, I thought I always updated 'on close' but indeed it did nothing in the past apparently. I manually updated to the latest version but the problem still exists.

  • Auto Manage Proxy Settings was enabled; I tried disabling it, but no effect.
  • Yes, I followed the steps of the link provided and added 2 certificates found. Removing them again, did not change outcome.
  • System Proxy allows me to login but then it goes through internet (by design of proxy) which is not desired. (Public endpoint disabled); Do not use Proxy, gives me the cert chain error on re-authentication of my account. I now also tried app proxy and the setting to bypass certain URLs where I added the storage endpoints. That way I can login, but then the cert chain error appears when trying to unfold the blob containers of the specific storage account :-(
Unable to retrieve child resources

ProducerError:{
  "name": "Node Fetch Error",
  "message": "{\"name\":\"Node Fetch Error\",\"cause\":{\"cause\":{\"code\":\"SELF_SIGNED_CERT_IN_CHAIN\"}},\"code\":\"SELF_SIGNED_CERT_IN_CHAIN\"}"
}

@JasonYeMSFT :
Ok, I did find two certificates:

@MRayermannMSFT
Member

@KennyM86 your best bet with certificate errors is to stay in system proxy mode, and try to work things out using that. However, it does sound like you have quite a few unique network constraints going on here. At this point I would recommend you open an Azure support ticket via the portal.

@craxal craxal added the ✅ redirected to support Author has been redirected to Azure support label May 2, 2024