microsoftgraph / microsoft-graph-comms-samples

Microsoft Graph Communications Samples
MIT License

Failed to validate certificate issued to 'CN=mediapaas-api-mp.pub.ngcmtls.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US'. Error Message = 'Certificate ... #765

Closed sprinter707 closed 1 month ago

sprinter707 commented 2 months ago

Describe the issue

Hello, I am using the service based on the echobot source code. It had been working normally until recently, but the problem has been occurring for the past two weeks. PartialChain errors continue to occur during certificate verification.

I added the certificate as an intermediate certificate authority by referring to these pages, but the error still occurs.

How can I solve this problem? Please help me.

https://github.com/microsoftgraph/microsoft-graph-comms-samples/issues/125
https://learn.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes
https://www.microsoft.com/pki/mscorp/cps/default.htm

info: EchoBot.Services.Http.MicrosoftGraphService[0]
      Code: 8522
      Message: Call not found.
      Inner error:
        AdditionalData:
        date: 2024-09-23T02:00:35
        request-id: 283fc7fb-7112-4abc-a673-d79a1f8cf205
        client-request-id: 283fc7fb-7112-4abc-a673-d79a1f8cf205
      ClientRequestId: 283fc7fb-7112-4abc-a673-d79a1f8cf205

info: EchoBot.Services.Http.RedisMeetingManager[0]
      Call info not found.
info: EchoBot.Services.Http.Controllers.JoinCallController[0]
      joinUrl : https://teams.microsoft.com/l/meetup-join/19%3ameeting_ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj%40thread.v2/0?context=%7b%22Tid%22%3a%22fab2d60f-e614-4f9d-b2ad-9fb1397f2efe%22%2c%22Oid%22%3a%2270673a55-c516-42dc-98a9-4aaafef5a5cb%22%7d
info: EchoBot.Services.Bot.BotService[0]
      AuthenticationProvider: Generating OAuth token.
info: EchoBot.Services.Bot.BotService[0]
      AuthenticationProvider: Generated OAuth token. Expires in 10.8645696316667 minutes.
info: EchoBot.Services.Persistence.RedisClient[0]
      ContainsKey - meeting:ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj TTL : 364.23:59:55.0160000
info: EchoBot.Services.Persistence.RedisClient[0]
      GetHashEntries - meeting:ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj TTL : 364.23:59:55.0150000
info: EchoBot.Services.Persistence.RedisClient[0]
      SetHashEntries - meeting:ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj TTL : 364.23:59:59.9990000
info: EchoBot.Services.Persistence.RedisClient[0]
      ContainsKey - meeting:ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj TTL : 364.23:59:59.9980000
info: EchoBot.Services.Persistence.RedisClient[0]
      GetHashEntries - meeting:ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj TTL : 364.23:59:59.9960000
info: EchoBot.Services.Persistence.RedisClient[0]
      SetHashEntries - meeting:ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj TTL : 364.23:59:59.9990000
info: EchoBot.Services.Bot.BotService[0]
      [SyncBotStatus] Add (or Update) a item in MeetingMap : (ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj : True)
info: EchoBot.Services.Bot.BotService[0]
      Call creation complete: 14008880-2638-444f-a557-ddcf52bec33f
info: EchoBot.Services.Http.Controllers.JoinCallController[0]
      JoinCallAsync called
info: EchoBot.Services.Persistence.RedisClient[0]
      SetHashEntries - bot-join-call:14008880-2638-444f-a557-ddcf52bec33f TTL : 365.00:00:00
info: EchoBot.Services.Persistence.RedisClient[0]
      ContainsKey - meeting:ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj TTL : 364.23:59:59.9920000
info: EchoBot.Services.Persistence.RedisClient[0]
      GetHashEntries - meeting:ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj TTL : 364.23:59:59.9860000
info: EchoBot.Services.Persistence.RedisClient[0]
      SetHashEntries - meeting:ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj TTL : 364.23:59:59.9990000
info: EchoBot.Services.Persistence.RedisClient[0]
      SetHashEntries - invite-history:ZmM5YmVlZTktYmFiMy00NGNmLWE2Y2UtNmVlMTNiNTMzNDhj_c5c048cb-8e86-452a-a085-d9b2eb35f494 TTL : 365.00:00:00
fail: EchoBot.Services.Http.BotMediaLogger[0]
      [AvMP][AppId:0d4bb9b9-e2c2-4f20-8b1c-f7b84c711130] TL_ERROR(TF_COMPONENT) [vm-aoai-kc-az1-]11260.146::09-23-2024-02:00:36.590.00000004 (MPSERVICEHOSTLIB,ValidateChain:CustomCertificateValidator.cs(186)) Failed to validate certificate issued to 'CN=mediapaas-api-mp.pub.ngcmtls.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US'. Error Message = 'Certificate 'C85CD139817D9368DEEAF6C68F934BD04D9F9C1C' verification failed: 


ssulzer commented 1 month ago

Hi @sprinter707 It looks like you were able to fix your bot? It appears to be running successfully for the past week. Thanks. The bot's VM must support, in particular, the "Microsoft Azure RSA TLS Issuing CA 0x" Subordinate/"Intermediate" Certificate Authorities published here: https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list#subordinate-certificate-authorities

sprinter707 commented 1 month ago

Thanks for the reply.

Yes, I solved the problem.

I captured the network packets and analyzed them, and found that the firewall policy was blocking requests to "Microsoft Azure RSA TLS Issuing CA 0x".

So I downloaded the certificate from https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list#subordinate-certificate-authorities and installed it on the server.
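
The diagnosis reached in this thread, as an added example that is not part of the original posts or the sample repository: a PowerShell function for the bot's Windows VM that builds the chain for an exported certificate, reports the chain status (such as PartialChain), checks whether the issuer is present in the local Intermediate Certification Authorities store, and lists the Authority Information Access URLs the host would otherwise need to reach. The function name `Test-IssuerChain` and the file `.\leaf.cer` are assumptions.

```powershell
# Added example: explain a PartialChain result on a Windows host.
function Test-IssuerChain {
    param(
        # Hypothetical input: the leaf certificate exported to a .cer file.
        [Parameter(Mandatory)] [string] $CertPath
    )
    $file = (Resolve-Path -LiteralPath $CertPath).ProviderPath
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file

    # Skip revocation so that only chain construction is tested.
    # Build() may try to download a missing issuer from the AIA URLs, so a
    # PartialChain here means the issuer was neither installed nor reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built  = $chain.Build($leaf)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Is the issuing CA already in the machine's intermediate store?
    $issuerInstalled = @(Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -eq $leaf.Issuer })

    # Authority Information Access (OID 1.3.6.1.5.5.7.1.1): URLs for the issuer
    # certificate and OCSP. Parsing relies on the Windows text format "URL=...".
    $aiaUrls = @()
    $aia = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if ($aia) {
        $aiaUrls = @([regex]::Matches($aia.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    [pscustomobject]@{
        Subject         = $leaf.Subject
        Issuer          = $leaf.Issuer
        ChainBuilt      = $built
        ChainStatus     = $status -join ', '
        IssuerInCAStore = $issuerInstalled.Count -gt 0
        AiaUrls         = $aiaUrls
    }
}

# Usage (hypothetical file name):
#   Test-IssuerChain -CertPath .\leaf.cer | Format-List

# Which of the intermediates named in the thread are installed on this machine?
Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like '*Microsoft Azure RSA TLS Issuing CA*' } |
    Select-Object Subject, Thumbprint, NotAfter
```

A result with `ChainStatus` of PartialChain and `IssuerInCAStore` of False matches the situation described above: the issuing CA is not installed and the host could not fetch it from the listed AIA URLs.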