SSL error between self-hosted gateway and Azure

maurits moehn 0 Reputation points
2025-12-24T12:59:39.5166667+00:00

Hi, I’m running into some issues while setting up an API Management instance together with a self-hosted gateway. The self-hosted gateway is running locally on OpenShift, while the API Management instance is hosted in Azure in internal mode.

I’ve configured DNS so that the configuration endpoint resolves to the internal IP address, and I’ve double-checked the firewall rules. However, I’m now getting the following error:

TLS connect error: SSL routines: unexpected eof while reading

Could this be caused by an outbound proxy that intercepts traffic and replaces the TLS certificate? If so, Azure might be seeing a different certificate than the one it expects, which could explain the TLS handshake failure.

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

1 answer

  1. Pravallika KV 4,755 Reputation points Microsoft External Staff Moderator
    2025-12-24T17:45:04.9466667+00:00

    Hi @maurits moehn,

    TLS connect error: SSL routines: unexpected eof while reading

    The error occurs when there is a problem with the TLS connection between your self-hosted gateway and the Azure API Management service, possibly due to issues like certificate validation.

    Steps to troubleshoot the issue:

    1. If you're suspecting that an outbound proxy is intercepting the traffic and replacing the TLS certificate, you should check whether any proxy settings are configured in your OpenShift environment. If there's a proxy, ensure that it allows the traffic to go to Azure without modifying the TLS handshake.
    2. Make sure the TLS certificate used by your self-hosted gateway is valid for the internal API Management endpoint. Validate that the certificate is not expired and that the certificate chain is complete, including all intermediate certificates.
    3. If you're using a private Certificate Authority (CA), ensure that the CA's certificate is added to the trusted root certificate authorities on the self-hosted gateway.
    4. Verify that your self-hosted gateway has the required outbound TCP/IP connectivity to Azure on port 443. Make sure the DNS configuration is set up correctly to resolve the internal IP address of the configuration endpoint.
    5. Monitor logs to capture any errors during the TLS handshake. This might provide additional context on why the handshake is failing.

    References:

    Hope it helps!


    Please do not forget to click "Accept the answer" and Yes, this can be beneficial to other community members.


    If you have any other questions, let me know in the "comments" and I would be happy to help you.

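The five troubleshooting steps in the answer above, turned into one diagnostic script. This is an added example, not part of the original answer and not Microsoft's or OpenShift's tooling. It assumes bash, awk, getent, timeout and openssl are available where the gateway container runs (or on a debug pod in the same namespace); the hostname, internal IP and CA names are constructed placeholders, and the three embedded `openssl s_client` transcripts are constructed, abbreviated samples so the classifier can be exercised offline. Run it with `--live` to perform the real checks; with no arguments it only classifies the samples.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): runs the troubleshooting steps
# above against a self-hosted gateway's configuration endpoint.
# Assumes bash, awk, getent, timeout and openssl on the gateway host.
# Every hostname, IP and CA name below is a constructed placeholder.

CONFIG_HOST="${CONFIG_HOST:-apim-example.azure-api.net}"           # placeholder
EXPECTED_IP="${EXPECTED_IP:-10.10.0.5}"                             # placeholder internal IP
EXPECTED_ISSUER_CN="${EXPECTED_ISSUER_CN:-Example Issuing CA 01}"  # placeholder CA

# Step 1: report proxy variables that could route the handshake through an
# intercepting proxy. Returns 0 if any is set, 1 otherwise.
proxy_env_present() {
  local found=1 v val
  for v in HTTPS_PROXY https_proxy HTTP_PROXY http_proxy; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then echo "proxy variable set: $v=$val"; found=0; fi
  done
  return $found
}

# Step 4: the name must resolve to the internal IP and TCP/443 must be reachable.
resolve_matches() { getent hosts "$1" | awk '{print $1}' | grep -qx "$2"; }
check_tcp() { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# Steps 2, 3 and 5: capture the handshake exactly as the gateway would see it.
fetch_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>&1
}

# Classify s_client output read on stdin. Exit codes: 0 ok; 1 leaf issuer is
# not the expected CA (what a proxy-substituted certificate looks like); 2 the
# expected issuer but the chain did not verify (missing intermediate or a
# private CA the gateway does not trust); 3 no certificate at all (connection
# closed mid-handshake, which is how "unexpected eof while reading" presents).
classify_chain() {
  awk -v want="$1" '
    /^ 0 s:/              { inleaf = 1; next }
    inleaf && /^ *i:/     { iss = $0; sub(/^ *i:/, "", iss); inleaf = 0 }
    /Verify return code:/ { code = $0; sub(/^ *Verify return code: */, "", code) }
    END {
      if (iss == "") { print "no server certificate received (handshake closed early)"; exit 3 }
      cn = iss   # handles both "CN = x" and legacy "/CN=x" subject formats
      if (match(cn, "CN ?= ?[^,/]+")) { cn = substr(cn, RSTART, RLENGTH); sub("^CN ?= ?", "", cn) }
      if (cn != want) { print "issuer mismatch: got \"" cn "\", expected \"" want "\" (possible TLS interception)"; exit 1 }
      if (code !~ /^0 /) { print "issuer ok but chain not verified: " code " (missing intermediate or untrusted CA)"; exit 2 }
      print "OK: issuer \"" cn "\", " code
    }'
}

# Constructed, abbreviated s_client transcripts for the offline demo.
SAMPLE_DIRECT='depth=1 C = US, O = Example Org, CN = Example Issuing CA 01
verify return:1
depth=0 CN = apim-example.azure-api.net
verify return:1
---
Certificate chain
 0 s:CN = apim-example.azure-api.net
   i:C = US, O = Example Org, CN = Example Issuing CA 01
---
    Verify return code: 0 (ok)'
SAMPLE_INTERCEPTED='depth=0 CN = apim-example.azure-api.net
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = apim-example.azure-api.net
   i:CN = Corp TLS Inspection CA
---
    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_EOF='CONNECTED(00000003)
SSL routines::unexpected eof while reading
---
no peer certificate available
---'

run_live_checks() {
  proxy_env_present || echo "no proxy variables set in this environment"
  if resolve_matches "$CONFIG_HOST" "$EXPECTED_IP"; then
    echo "DNS ok: $CONFIG_HOST -> $EXPECTED_IP"
  else
    echo "DNS problem: $CONFIG_HOST does not resolve to $EXPECTED_IP"
  fi
  if check_tcp "$CONFIG_HOST" 443; then echo "TCP 443 reachable"; else echo "TCP 443 blocked or unreachable"; fi
  fetch_chain "$CONFIG_HOST" | classify_chain "$EXPECTED_ISSUER_CN"
}

if [ "${1:-}" = "--live" ]; then
  run_live_checks
else  # offline demo on the constructed samples
  for s in "$SAMPLE_DIRECT" "$SAMPLE_INTERCEPTED" "$SAMPLE_EOF"; do
    printf '%s\n' "$s" | classify_chain "$EXPECTED_ISSUER_CN" || true
  done
fi
```

The classifier checks the issuer before the verify result on purpose: a gateway whose outbound traffic is being re-signed by an inspection proxy can also fail verification, and reporting "untrusted CA" first would send you off adding the wrong certificate to the trust store. Exit code 3 is the case that matches the symptom in the question, where the peer closes the connection before any certificate arrives.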
