Private CA with KEYVAULT-ACMEBOT - How to add root-cert to trust store

[Charrany]

I'm deploying a private CA on AKS along side with Keyvault Acmebot to automate the issuance and renewal of ACME SSL/TLS certificates.

The acmebot Azure function is able to find/ping the CA service (in AKS).
The CA service is exposed with an internal LoadBalancer and private domaine name.

I added the root-cert and the intermediate-cert here:

But when I tried to add a certificate, I had Exception while executing function: IssueCertificate:
Orchestrator function 'IssueCertificate' failed: The activity function 'Order' failed: "Exception of type 'System.Net.Http.HttpRequestException' was thrown.".

And the problem is that The SSL connection could not be established, see inner exception..

• Inner exception: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot

• The problem ID: System.Security.Authentication.AuthenticationException at ACMESharp.Protocol.AcmeProtocolClient+<SendAcmeAsync>d__59.MoveNext

So i want to know:

• Is acmebot-keyvault function able to detect the changements in the Trusted Root Store when it's launched?
• Is there a way to get around this issue?
• Is there a way to add a custom ca somewhere in acmebot ? We looked at acmesharp lib as well, but the changes doesn't look obvious.

[shibayan]

Azure Functions cannot validate TLS certificates issued from its own CA because it cannot add its own certificates to the Windows trust store.

The only way to work around this is to disable TLS certificate validation on ACME requests, but Acmebot does not implement such an option.

[Charrany]

Thank you so much @shibayan