NotSslRecordException exception when retrieving appId sending request to https://.../appId via proxy

Simone Giusso 0 Reputation points
2025-07-17T08:05:47.6433333+00:00

I've a service running on-premises where I've integrated the ApplicationInsights agent to send monitoring data to Azure.

I've also configured the agent to go through a proxy since it's the only way for the service to access the external network.

When running the app everything looks fine. I can see the data are sent in Azure under live metrics in application insights.

However at the start of the app and from time to time I get a NotSslRecordException. This happens when the app is trying to get the appId (this is what I infer from the error).

If I convert the byte to String I can see a BadRequest response (400). I'm not sure why the agent is able to send metrics but this specific request fails...

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

2 answers

  1. Alex Burlachenko 13,330 Reputation points Volunteer Moderator
    2025-07-17T10:44:03.2233333+00:00

    Simone Giusso hi,

    the agent tries to get appId from https://.../appId before sending data. if proxy messes up ssl tunneling, boom - u get garbled bytes instead of proper ssl handshake. hence the 'not ssl record' scream.

    try forcing tls 1.2 in your jvm args

    -Dhttps.protocols=TLSv1.2 -Djavax.net.debug=ssl

    the debug flag will spill all ssl tea if u need details )) as well check this - some proxies freak out with http 1.1 chunks. add these to your ai agent config

    <HttpProxy>
        <UseSystemProxy>true</UseSystemProxy>
        <ProxyAuthenticate>false</ProxyAuthenticate>
    </HttpProxy>

    full config options https://docs.microsoft.com/en-us/azure/azure-monitor/app/java-standalone-config

    about that 400 bad request - sometimes proxy strips headers or mangles payload. worth looking into proxy logs for these requests. u can tweak that too by setting custom user agent

    -Dapplicationinsights.agent.http.userAgent=YourApp/1.0

    try bypassing proxy just for appid fetch (if network rules allow)

    -Dapplicationinsights.agent.appIdEndpoint=https://dc.services.visualstudio.com/api/profiles/{0}/appId -Dno_proxy=dc.services.visualstudio.com

    verify proxy ssl inspection policies. some corporate proxies do 'helpful' midstream decryption that breaks ssl flows ))

    give that a try and see if the errors calm down. if not, lmk

    Best regards,

    Alex

    and "yes" if you would follow me at Q&A - personally thx.
    P.S. If my answer helps you, please Accept my answer

    https://ctrlaltdel.blog/


  2. Rashmika Inagadapa 0 Reputation points Microsoft External Staff Moderator
    2025-08-11T08:24:03.32+00:00

     Hi Simone Giusso,

    Adding a few more details to the answer provided by Alex Burlachenko:

    This NotSslRecordException when trying to fetch the appId is an indication of a proxy misconfiguration, likely due to a discrepancy in how your proxy handles different Azure Monitor endpoints. The core issue is that your proxy is sending a non-SSL response (the HTTP 400 Bad Request) over a connection where the Application Insights agent is expecting an SSL handshake.

    Below is a series of steps to troubleshoot the issue:

    1. Verify Network Connectivity to Azure Monitor Endpoints by running the command below in PowerShell to ensure you can reach the appId endpoint; it should return TcpTestSucceeded : True

    Test-NetConnection -ComputerName dc.services.visualstudio.com -Port 443

     

    2. Ensure the JVM is negotiating with TLS 1.2, as older protocols may be blocked by Azure or the proxy:

    -Dhttps.protocols=TLSv1.2

     

    3. Inspect the handshake process by enabling the SSL Debug Logging and check where it fails:

    -Djavax.net.debug=ssl

    The logs show detailed TLS negotiation, certificates exchanged, and any protocol errors.

     

    4. Update the HTTP proxy settings in your Application Insights configuration by using the following command:

    <HttpProxy>
        <UseSystemProxy>true</UseSystemProxy>
        <ProxyAuthenticate>false</ProxyAuthenticate>
    </HttpProxy>

     For more information refer here: Configuration options - Azure Monitor Application Insights for Java - Azure Monitor | Microsoft Learn

     

    5. Some proxies strip headers or change payloads, causing 400 Bad Request. Check the proxy logs to confirm whether:

    · HTTPS requests to dc.services.visualstudio.com are allowed
    · Headers are intact
    · SSL inspection is disabled for this domain.

     

    6. From the application host, run the proxy to see where the failure occurs to test Endpoint Connectivity

    curl -v https://dc.services.visualstudio.com/api/profiles/<ikey>/appId

    This is the exact endpoint the Application Insights Java Agent calls to retrieve the appId and <ikey> is your Application Insights Instrumentation Key.

     

    7. Check for SSL Inspection Policies

    Some corporate proxies often intercept HTTPS traffic (SSL inspection) and replace the server’s certificate with their own. If this is happening, your JVM won’t trust the certificate, causing NotSslRecordException.

    · Import the proxy’s CA certificate into the JVM truststore.
    · Or whitelist dc.services.visualstudio.com from inspection so that the proxy doesn’t intercept it.

    For more information refer here: Azure Monitor endpoint access and firewall configuration - Azure Monitor | Microsoft Learn.

    Applying the above steps will help you fix the issue. Let me know if you require any additional help or assistance by tagging me in the comments. I am happy to help you with the queries.

    Thanks,

    Rashmika

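The question's observation, that the bytes carried in the exception decode to an HTTP 400, can be checked mechanically by comparing them against the TLS record header layout. The Python below is an added example, not part of either answer or of the Application Insights agent; it assumes the exception message has the form `not an SSL/TLS record: <hex dump>`, and the sample message in it is constructed.

```python
import re

# TLS record content types (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2 ** 14 + 2048  # largest TLS 1.2 ciphertext fragment

# Constructed sample: the kind of message the question describes, where the
# hex dump decodes to a plaintext HTTP 400 instead of a TLS record.
SAMPLE_MESSAGE = (
    "io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: "
    + b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n".hex()
)


def extract_bytes(message: str) -> bytes:
    """Return the raw bytes from a 'not an SSL/TLS record: <hex>' message."""
    m = re.search(r"not an SSL/TLS record:\s*([0-9a-fA-F]+)", message)
    if not m:
        raise ValueError("no hex dump found in exception message")
    hex_dump = m.group(1)
    return bytes.fromhex(hex_dump[: len(hex_dump) & ~1])  # drop odd nibble


def classify(data: bytes) -> dict:
    """Decide whether the peer's first bytes are a TLS record or plain HTTP."""
    # Record header: content type (1) | version (2) | length (2, big-endian)
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 3:
        length = int.from_bytes(data[3:5], "big")
        if 0 < length <= MAX_RECORD_LEN:
            return {"kind": "tls_record",
                    "content_type": TLS_CONTENT_TYPES[data[0]],
                    "length": length}
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3}) ?(.*)", head[0])
    if not m:
        return {"kind": "unknown"}
    headers = dict(h.split(": ", 1) for h in head[1:] if ": " in h)
    return {"kind": "plaintext_http", "status": int(m.group(1)),
            "reason": m.group(2), "headers": headers}


if __name__ == "__main__":
    print(classify(extract_bytes(SAMPLE_MESSAGE)))
    print(classify(bytes.fromhex("160303004a02000046")))
```

A `plaintext_http` result means something on the path answered in cleartext on a connection the client expected to be TLS; the decoded headers, matched against the proxy's own logs for the same timestamp, show which hop produced the response.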
