Open Closed

Issue Deploying SSL & Authentication Server to Linux Docker Container #2536


User avatar
0
thedatacrew created

Hi,

We are using the Microservices Template on APB 5.1.3. and have encountered an issue when deploying to a Linux container.

On container startup, we get the following issue:-

Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.IdentityServer.AbpIdentityServerDomainModule, Volo.Abp.IdentityServer.Domain, Version=5.1.3.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
 ---> System.Security.Cryptography.CryptographicException: The certificate data cannot be read with the provided password, the password may be incorrect.
 ---> System.Security.Cryptography.CryptographicException: The certificate data cannot be read with the provided password, the password may be incorrect.
   at Internal.Cryptography.Pal.UnixPkcs12Reader.VerifyAndDecrypt(ReadOnlySpan`1 password, ReadOnlyMemory`1 authSafeContents)
   at Internal.Cryptography.Pal.UnixPkcs12Reader.Decrypt(SafePasswordHandle password, Boolean ephemeralSpecified)
   --- End of inner exception stack trace ---
   at Internal.Cryptography.Pal.UnixPkcs12Reader.Decrypt(SafePasswordHandle password, Boolean ephemeralSpecified)
   at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(OpenSslPkcs12Reader pfx, SafePasswordHandle password, Boolean single, Boolean ephemeralSpecified, ICertificatePal& readPal, List`1& readCerts)
   at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(ReadOnlySpan`1 rawData, SafePasswordHandle password, Boolean single, Boolean ephemeralSpecified, ICertificatePal& readPal, List`1& readCerts, Exception& openSslException)
   at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at DataAdmiral.AuthServer.DataAdmiralAuthServerModule.GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration) in /src/apps/auth-server/src/DataAdmiral.AuthServer/DataAdmiralAuthServerModule.cs:line 93
   at DataAdmiral.AuthServer.DataAdmiralAuthServerModule.<>c__DisplayClass0_0.<PreConfigureServices>b__1(IIdentityServerBuilder builder) in /src/apps/auth-server/src/DataAdmiral.AuthServer/DataAdmiralAuthServerModule.cs:line 76
   at Volo.Abp.Options.PreConfigureActionList`1.Configure(TOptions options)
   at Microsoft.Extensions.DependencyInjection.ServiceCollectionPreConfigureExtensions.ExecutePreConfiguredActions[TOptions](IServiceCollection services, TOptions options)
   at Volo.Abp.IdentityServer.AbpIdentityServerDomainModule.AddIdentityServer(IServiceCollection services)
   at Volo.Abp.IdentityServer.AbpIdentityServerDomainModule.ConfigureServices(ServiceConfigurationContext context)
   at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   --- End of inner exception stack trace ---
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
   at DataAdmiral.AuthServer.Program.Main(String[] args) in /src/apps/auth-server/src/DataAdmiral.AuthServer/Program.cs:line 27

It cannot read the PFX file that has been generated by .NET.

Please could you look into this

Thanks


4 Answer(s)
  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    If you want to use self-signed certificate, you need to use openssl. You can check Create Developer Certificates docs.

  • User Avatar
    0
    thedatacrew created

    Hi,

    Also I'm talking about the AuthServer cert autherserver.pfx which is created on deployment and opens and reads the autherserver.pfx as it's signing cert. This looks to be a different certificate from the hosting certificates.

    Is the dockerfile incorrect?

  • User Avatar
    0
    thedatacrew created

    What is the significance of the block of code in the Auth Server, it doesn't run if it is in development mode, however it still works if it's in development mode.

    When is not in development mode i.e. Staging/Release is it creating a new local host certificate to use here, should we be using a proper signing cert here, what's it used for?

    There is very little documentation on prepping this for a production deployment.Brifiely mentioned here https://docs.abp.io/en/commercial/5.0/startup-templates/microservice/applications#deployment-configurations

    Thanks

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Basically, it is used to sign the tokens.

    For development environment, it uses a temporary rsa key (tempkey.rsa) for signing the tokens. You can also use self-signed certificate for development environment as well. For staging or production, you need to use a real certificate (not temp key) to sign the tokens.

    For more information, you can check identityserver docs.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11