Reverse Proxy returning 502 on requests to app service using client certificate authentication

[sharvaridesai123]

We are using YARP to redirect traffic from a web application in Azure to an app service in Azure that uses MTLS authentication. The error received is 502 ( bad gateway).
Code from the startup in web application:
In ConfigureServices:

   var routes = new[]
           {
               new ProxyRoute()
               {
                   RouteId = "route1",
                   ClusterId = "cluster1",
                   Match = new ProxyMatch
                   {
                       Path = "/api/{*any}"
                   }
               }
           };
           var serviceUrl= Configuration["serviceUrl"];
           var cert = GetClientCertificate();
           var clusters = new[]
           {
               new Cluster()
               {
                   Id = "cluster1",
                   SessionAffinity = new SessionAffinityOptions { Enabled = true, Mode = "Cookie" },
                   Destinations = new Dictionary<string, Destination>(StringComparer.OrdinalIgnoreCase)
                   {
                       { "destination1", new Destination() { Address = serviceurl} }
                   },
                   HttpClient = new ProxyHttpClientOptions { ClientCertificate = cert, MaxConnectionsPerServer = 10, SslProtocols = SslProtocols.Tls12 }
               }
           };

           services.AddReverseProxy()
               .LoadFromMemory(routes, clusters);
               
                **In Configure:**
                
                 app.UseEndpoints(endpoints =>
           {
              
               endpoints.MapReverseProxy();
           });

The destination service has Client certificate mode turned on to Required and the validation of the cert is done in the x-arr-clientcert header of the request.
What am I missing? The request that is routed to the service is a HttpGet.

[Tratcher]

First you'll want to capture the server logs to see what the full error was.
https://github.com/microsoft/reverse-proxy/blob/c3c0407b613286734cfb9d37102a933840a7f2d1/samples/ReverseProxy.Config.Sample/appsettings.json#L7-L13
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/logging/?view=aspnetcore-5.0#configure-logging

[Tratcher]

HTTP/2 disallows lazy client certificate negotiation (e.g. per request), client certs have to be negotiated at the start of the connection. How do you have the client cert requirement configured on the destination?

[sharvaridesai123]

Client Cert Mode is Set to "Required" in the destination app service.

[Tratcher]

Hmm, that's something you'll need to investigate through app service.

[hchunter]

HTTP/2 disallows lazy client certificate negotiation (e.g. per request), client certs have to be negotiated at the start of the connection. How do you have the client cert requirement configured on the destination?

What would cause the client cert to be lazy-loaded? We retrieve the cert from the X509Store on the app service and then attach it using the ProxyHttpClientOptions in the cluster before it is loaded from memory.

using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadOnly))
            {
                var certificate = store.Certificates
                    .OfType<X509Certificate2>()
                    .FirstOrDefault(c => c.Subject.Contains(certificateName, StringComparison.OrdinalIgnoreCase));
                if (certificate == null)
                {
                    throw new Exception($"Certificate {certificateName} not found!");
                }

                return certificate;
            }

[Tratcher]

Lazy client cert negotiation is a server setting, not a client setting. You'll have to investigate your configuration on the destination app.