microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

Container App reacts with "connection reset by peer" when configured with an EC P-384 certificate but works with RSA certificate #1275

Open jurjenoskam opened 2 months ago

jurjenoskam commented 2 months ago

Issue description

Connecting to a Container App using its custom domain results in a "connection reset by peer" when the custom domain is configured to use an EC P-384 certificate. The exact same app works when the custom domain binding is updated to use an RSA certificate. The only difference is the certificate algorithm; everything else is exactly the same (including the custom domain).

Steps to reproduce

1. In an Azure Key Vault, create two certificates named `aca-demo-ne-osk-am-rsa` and `aca-demo-ne-osk-am` as follows:

   ```powershell
   # RSA 2048 policy
   $Policy = New-AzKeyVaultCertificatePolicy `
       -IssuerName 'Unknown' `
       -SubjectName "CN=aca-demo-ne.osk.am,O=Stupendous Enterprises,C=NL" `
       -DnsName "aca-demo-ne.osk.am" `
       -SecretContentType "application/x-pkcs12" `
       -KeyType RSA `
       -KeySize 2048

   Add-AzKeyVaultCertificate -VaultName 'cccjokvacane' -Name 'aca-demo-ne-osk-am-rsa' `
       -CertificatePolicy $Policy
   ```

   and

   ```powershell
   # EC P-384 policy
   $Policy = New-AzKeyVaultCertificatePolicy `
       -IssuerName 'Unknown' `
       -SubjectName "CN=aca-demo-ne.osk.am,O=Stupendous Enterprises,C=NL" `
       -DnsName "aca-demo-ne.osk.am" `
       -SecretContentType "application/x-pkcs12" `
       -KeyType 'EC' `
       -Curve 'P-384'

   Add-AzKeyVaultCertificate -VaultName 'cccjokvacane' -Name 'aca-demo-ne-osk-am' `
       -CertificatePolicy $Policy
   ```

   (Note that the only difference is the KeyType and Curve/KeySize arguments.) Then use whatever method to get the certificates signed by a publicly trusted CA. (I used Let's Encrypt.)
2. Create a Container App Environment (mine is VNet-integrated, not sure whether that's relevant)
3. Assign it a User Assigned Managed Identity (UAMI)
4. Make sure that the Container App Environment can reach and has permissions to the Key Vault.
5. Add the two certificates to the Container App Environment by using the "import from Key Vault" option in the Azure Portal.
6. Create a Container App. (For testing I used the quickstart image)
7. Open a console on the container app, execute `curl <url of the app>` and note that it works (you get the quickstart page)
8. Add a Custom Domain to the Container App using the "Bring your own certificate" method. For domain name, I've used `aca-demo-ne.osk.am` as that's what I used for testing.
9. Select the certificate named `aca-demo-ne-osk-am`.
10. When the certificate is added, open a console again and execute `curl -k https://aca-demo-ne.osk.am/`. Note that curl immediately reports "connection reset by peer".
11. On the Custom Domains page of the app, update the binding to use the other certificate (`aca-demo-ne-osk-am-rsa`).
12. Now go back to the console and try the same curl command again. It now works.

I noticed the same behavior from outside the Container App Environment. I've created an Application Gateway in the ACA VNet, and when the app is configured with the EC P-384 certificate my backend probe fails with the message that a connection to the backend can't be established. When the app is configured to use an RSA certificate, the probe works.

Also note that the EC P-384 certificate itself is perfectly fine: I configured it on the frontend of the Application Gateway, where it just does what it should.

**Expected behavior**
A clear error message when a certificate is supplied that the Container App Environment can't work with.

**Actual behavior**
No errors or warnings are reported when configuring the certificate, but incoming connections to a container app are simply cut off by resetting the TCP connection.

anthonychu commented 2 months ago

P-384 is currently unsupported by our ingress proxy. We'll investigate whether we can add it. We do support P-256.

jurjenoskam commented 2 months ago

@anthonychu Thank you, but the problem is not that P-384 isn't supported. The problem is that it is possible to install unsupported certificates without any error message at all and that connections to the app are then silently dropped, also without any notification or error message. This, combined with the fact that the documentation doesn't mention which certificate types are supported and which aren't, makes this something that people can waste hours on trying to debug.

simonjj commented 2 months ago

Thank you for clarifying this @jurjenoskam. Makes sense, we will be adding this. Labeled accordingly.
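A pre-flight check that would have surfaced the mismatch before the binding was created, added here as an example that is not part of the issue or of the Container Apps project: it reads a certificate's public-key algorithm with `openssl` and accepts only the key types anthonychu lists as served by the ingress proxy (RSA and EC P-256). The `cert_key_algorithm` and `aca_ingress_supports` functions and the self-signed test certificates are constructed for this example; the supported-key list is an assumption taken from the thread and may change.

```shell
#!/bin/sh
# Pre-flight check (example code, not from the issue or the ACA project):
# inspect a PEM certificate's public key before binding it to a custom domain.
# Assumption from the thread: the ingress proxy serves RSA and EC P-256, not EC P-384.

# Print the key algorithm of a PEM certificate as RSA, EC:<openssl curve name>, or OTHER.
cert_key_algorithm() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*) echo "RSA" ;;
        *"Public Key Algorithm: id-ecPublicKey"*)
            # openssl prints the curve as e.g. "ASN1 OID: secp384r1" / "ASN1 OID: prime256v1"
            curve=$(printf '%s\n' "$text" | sed -n 's/.*ASN1 OID: *//p' | head -n 1)
            echo "EC:$curve" ;;
        *) echo "OTHER" ;;
    esac
}

# Return 0 when the certificate uses a key type the ingress proxy is known to serve, 1 otherwise.
aca_ingress_supports() {
    case "$(cert_key_algorithm "$1")" in
        RSA|EC:prime256v1) return 0 ;;
        *) return 1 ;;
    esac
}

# Make a self-signed test certificate (constructed sample input, never a real deployment cert).
# $1 = output PEM path, $2 = "rsa" or an EC curve name such as secp384r1 or prime256v1
make_test_cert() {
    if [ "$2" = rsa ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=aca-demo.example" \
            -keyout "$1.key" -out "$1" >/dev/null 2>&1
    else
        openssl req -x509 -newkey ec -pkeyopt "ec_paramgen_curve:$2" -nodes -days 1 \
            -subj "/CN=aca-demo.example" -keyout "$1.key" -out "$1" >/dev/null 2>&1
    fi
}
```

Run `aca_ingress_supports cert.pem || echo "refuse to bind"` against the certificate exported from Key Vault before adding it to the environment; a P-384 certificate is rejected here instead of silently resetting connections later.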