App Service builds behind proxies: fixing trust with a public certificate

2 minute read • By Tulika Chaudharie • September 8, 2025

TL;DR: If your organization uses a TLS-inspecting proxy (e.g., Zscaler), some of the traffic originating from App Service build infrastructure may be re-signed by the proxy. App Service doesn’t trust that proxy cert by default, so the build fails. Set the app setting WEBSITE_INSTALL_PUBLIC_CERTS_IN_KUDU=true and upload the proxy’s public certificate (.cer). App Service will install the certificate and your builds will succeed.

Why this happens

During build, App Service downloads build assets from the its build CDN over HTTPS. When a corporate proxy intercepts and re-signs TLS, App Service sees a certificate chain it doesn’t recognize and refuses the connection, causing the build to fail.

What’s new

A new app setting, WEBSITE_INSTALL_PUBLIC_CERTS_IN_KUDU, tells App Service to install any public key certificates (.cer) you upload into its trust store used for the build.

Step-by-step

1) Upload the proxy’s public certificate

In the portal, navigate to your Web App ➜ CertificatesPublic key certificates (.cer)Add certificate. Upload the organization’s TLS inspection CA (root or intermediate) public certificate.

Add Certificate

Tip: This is a public certificate only—no private key and no password.

2) Turn on the app setting

Portal: ConfigurationApplication settings ➜ add (Or SettingsEnvironment VariablesApp Settings ➜ Add) WEBSITE_INSTALL_PUBLIC_CERTS_IN_KUDU = trueSave. This will automatically restart the app.

CLI (equivalent):

az webapp config appsettings set \
  -g <resource-group> -n <app-name> \
  --settings WEBSITE_INSTALL_PUBLIC_CERTS_IN_KUDU=true

3) Verify the certificate is installed

Open Advanced Tools (Kudu)Bash and check:

ls -l /etc/ssl/certs
# (optional) find the installed cert by name or subject
grep -l "<certificate-name>" /etc/ssl/certs/*.crt 

# compare thumbprint
openssl x509 -in /etc/ssl/certs/<your-cert>.crt -noout -fingerprint -sha1

Compare the fingerprint with the thumbprint shown for your uploaded cert in the Certificates blade.

4) Trigger a build

Deploy again (Deployment Center, GitHub Actions, az webapp deployment, etc.). When the proxy presents its certificate, App Service now trusts it and the application build completes.

Troubleshooting

  • Still seeing x509/certificate unknown errors? Ensure you uploaded the exact CA that signs your proxy’s certs (often an org-specific intermediate), in .cer (DER/BASE64) form.

  • Multiple proxies / chains If your environment uses a chain, upload all relevant public CA certs.

  • Scope This affects App Service build infrastructure’s outbound trust for the app. It does not grant trust to private keys or change TLS for your site’s inbound traffic.

Summary

By uploading your organization’s proxy CA public certificate and enabling WEBSITE_INSTALL_PUBLIC_CERTS_IN_KUDU, App Service for Linux installs the certificate into its trust store. App Service can then fetch dependencies through Zscaler (or similar proxies) and your builds proceed normally—no more failed builds due to untrusted certificates.

You may also enjoy

Deploy LangChain applications to Azure App Service

4 minute read • By Tulika Chaudharie • August 6, 2025

LangChain is a powerful framework that simplifies the development of applications powered by large language models (LLMs). It provides essential building blo...