
How to install app on IIS, having issues with Cryptography #4845


5
christian@extranerds.com created

Dear ABP Support Team,

I am writing to report an issue with installing ABP Framework version v7.0.1 on IIS with UI type Blazor and DB provider EF Core.

When attempting to install the application on IIS, I am encountering the following error:

Application '/LM/W3SVC/1/ROOT' with physical root 'C:\inetpub\wwwroot' has exited from Program.Main with exit code = '1'. First 30KB characters of captured stdout and stderr logs:
[01:40:16 INF] Starting web host.
[01:40:17 FTL] Host terminated unexpectedly!
Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
 ---> System.Security.Cryptography.CryptographicException: Access is denied.
   at System.Security.Cryptography.X509Certificates.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags)
   at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate(X500DistinguishedName subject)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate()
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
   at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   --- End of inner exception stack trace ---
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
   at ExtraNerds.EnergyTools.Blazor.Program.Main(String[] args) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\Program.cs:line 38

It seems that the error is related to a "System.Security.Cryptography.CryptographicException: Access is denied" exception. I have tried to install a self-signed certificate on IIS, and I have also played with several configurations, but I still encounter the same error.

I have tried:

     PreConfigure<OpenIddictBuilder>(builder =>
     {
         builder.AddValidation(options =>
         {
             options.AddAudiences("EnergyTools");
             options.UseLocalServer();
             options.UseAspNetCore();
         });
     });

Also

builder.AddServer(options =>
{
    options.AddDevelopmentEncryptionCertificate()
           .AddDevelopmentSigningCertificate();
});

and many others, with no luck.

Could you please provide me with instructions on how to properly install this application on IIS?

Thank you for your help.

Best regards,

Christian Rios


13 Answer(s)
  • 0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can check this:

    https://support.abp.io/QA/Questions/4791/Publish-single-project-app-Net-Core-ABP-701-to-shared-hosting-get-50030-error

  • 1
    christian@extranerds.com created

    Hi,

    You can check this:

    https://support.abp.io/QA/Questions/4791/Publish-single-project-app-Net-Core-ABP-701-to-shared-hosting-get-50030-error

    Per the previous instructions, I ran dotnet dev-certs https -v -ep authserver.pfx -p 2D7AA457-5D33-48D6-936F-C48E5EF468ED, which created a certificate, and added it to the root C:\inetpub\wwwroot\

    I also added this code:

    
        public override void PreConfigureServices(ServiceConfigurationContext context)
        {
            context.Services.PreConfigure<AbpMvcDataAnnotationsLocalizationOptions>(options =>
            {
                options.AddAssemblyResource(
                    typeof(EnergyToolsResource),
                    typeof(EnergyToolsDomainModule).Assembly,
                    typeof(EnergyToolsDomainSharedModule).Assembly,
                    typeof(EnergyToolsApplicationModule).Assembly,
                    typeof(EnergyToolsApplicationContractsModule).Assembly,
                    typeof(EnergyToolsBlazorModule).Assembly
                );
            });
    
            PreConfigure<OpenIddictBuilder>(builder =>
            {
                builder.AddValidation(options =>
                {
                    options.AddAudiences("EnergyTools");
                    options.UseLocalServer();
                    options.UseAspNetCore();
                });
            });
    
            var hostingEnvironment = context.Services.GetHostingEnvironment();
            var configuration = context.Services.GetConfiguration();
    
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
            {
                options.AddDevelopmentEncryptionAndSigningCertificate = false;
            });
    
            PreConfigure<OpenIddictServerBuilder>(builder =>
            {
                builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
                builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
                builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]));
            });
        }
    
        private X509Certificate2 GetSigningCertificate(IWebHostEnvironment hostingEnv, Microsoft.Extensions.Configuration.IConfiguration configuration)
        {
            var fileName = "authserver.pfx";
            var passPhrase = "2D7AA457-5D33-48D6-936F-C48E5EF468ED";
            var file = Path.Combine(hostingEnv.ContentRootPath, fileName);
    
            if (!File.Exists(file))
            {
                throw new FileNotFoundException($"Signing Certificate couldn't found: {file}");
            }
    
            return new X509Certificate2(file, passPhrase);
        }
    

    But I still get the following exception.

    Application '/LM/W3SVC/1/ROOT' with physical root 'C:\inetpub\wwwroot' has exited from Program.Main with exit code = '1'. First 30KB characters of captured stdout and stderr logs:
    [15:24:29 INF] Starting web host.
    [15:24:31 FTL] Host terminated unexpectedly!
    Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
     ---> System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
       at System.Security.Cryptography.X509Certificates.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
       at System.Security.Cryptography.X509Certificates.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
       at ExtraNerds.EnergyTools.Blazor.EnergyToolsBlazorModule.GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\EnergyToolsBlazorModule.cs:line 171
       at ExtraNerds.EnergyTools.Blazor.EnergyToolsBlazorModule.<>c__DisplayClass0_0.<PreConfigureServices>b__3(OpenIddictServerBuilder builder) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\EnergyToolsBlazorModule.cs:line 128
       at Volo.Abp.Options.PreConfigureActionList`1.Configure(TOptions options)
       at Microsoft.Extensions.DependencyInjection.ServiceCollectionPreConfigureExtensions.ExecutePreConfiguredActions[TOptions](IServiceCollection services, TOptions options)
       at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder)
       at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
       at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
       at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
       at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
       at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
       --- End of inner exception stack trace ---
       at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
       at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
       at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
       at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
       at ExtraNerds.EnergyTools.Blazor.Program.Main(String[] args) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\Program.cs:line 38

  • 0
    liangshiwei created
    Support Team Fullstack Developer

    The system cannot find the file specified.

    See: https://stackoverflow.com/questions/17840825/cryptographicexception-was-unhandled-system-cannot-find-the-specified-file

  • 1
    christian@extranerds.com created

    The system cannot find the file specified.

    See: https://stackoverflow.com/questions/17840825/cryptographicexception-was-unhandled-system-cannot-find-the-specified-file

    I tried setting Load User Profile to true and started getting this exception:

    Application '/LM/W3SVC/1/ROOT' with physical root 'C:\inetpub\wwwroot\' has exited from Program.Main with exit code = '1'. First 30KB characters of captured stdout and stderr logs:
    [01:59:34 INF] Starting web host.
    [01:59:35 FTL] Host terminated unexpectedly!
    Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
     ---> System.UriFormatException: Invalid URI: The URI is empty.
       at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions)
       at System.Uri..ctor(String uriString)
       at ExtraNerds.EnergyTools.Blazor.EnergyToolsBlazorModule.<>c__DisplayClass0_0.<PreConfigureServices>b__3(OpenIddictServerBuilder builder) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\EnergyToolsBlazorModule.cs:line 131
       at Volo.Abp.Options.PreConfigureActionList`1.Configure(TOptions options)
       at Microsoft.Extensions.DependencyInjection.ServiceCollectionPreConfigureExtensions.ExecutePreConfiguredActions[TOptions](IServiceCollection services, TOptions options)
       at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder)
       at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
       at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
       at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
       at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
       at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
       --- End of inner exception stack trace ---
       at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
       at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
       at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
       at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
       at ExtraNerds.EnergyTools.Blazor.Program.Main(String[] args) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\Program.cs:line 38
    

    which refers to this line:

    builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]));

    so I added this to my appsettings.json:

    "AuthServer": {
      "Authority": "https://localhost:44322",
      "RequireHttpsMetadata": "true",
      "ClientId": "MyProjectName_Web",
      "ClientSecret": "1q2w3e*"
    },
    

    Before that, I tried just using new Uri("https://localhost"),

    but now I don't even get an "HTTP Error 500.30 - ASP.NET Core app failed to start with an exception" in Event Viewer.

    I just get a page with "This page isn't working right now. localhost can't currently handle this request. HTTP ERROR 500" and a refresh button.

  • 0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I can't reproduce the problem. Can you share a project that reproduces this problem with me? shiwei.liang@volosoft.com. Thanks.

  • 0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I can't reproduce the problem with the project you provided.

    Can I check it remotely?

  • 1
    ageiter created

    I have the same error message with my deployment on Azure.

    First the certificate was not in the correct directory and I got the error message: System.IO.FileNotFoundException: Signing certificate couldn't found: C:\home\site\wwwroot\authserver-signing-certificate.pfx

    Then I copied it to the root directory of the Blazor project and so it was found, but then the error message came: System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

    The error happens here: new X509Certificate2(file, passPhrase);

    Can it be that it has to do with some missing permissions?

    I don't think "Load User Profile" solves the real problem, but is just a workaround to get around the whole certificate thing. Because with this flag set, it also works with the development certificates (i.e. without the pfx files).

  • 0
    liangshiwei created
    Support Team Fullstack Developer

    Hi, @ageiter

    I don't think "Load User Profile" solves the real problem, but is just a workaround to get around the whole certificate thing. Because with this flag set, it also works with the development certificates (i.e. without the pfx files).

    The app templates provide the most basic way.

    The best place to store your certificates will depend on your host:

    • For IIS applications, storing the certificates in the machine store is the recommended option.
    • On Azure, certificates can be uploaded and exposed to Azure App Service applications using the special WEBSITE_LOAD_CERTIFICATES flag. For more information, visit Use a TLS/SSL certificate in your code in Azure App Service.

    Some useful links:

    • https://support.abp.io/QA/Questions/3537/OpenIddict-WindowsCryptographicException-Access-is-denied
    • https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code
    • https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-a-certificate-recommended-for-production-ready-scenarios
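    The following is an added example, not ABP template code, OpenIddict code, or code posted by anyone in this thread. It ties together the two failure modes seen above and the two hosting options in this answer: the development certificates are skipped (they live in the CurrentUser store, which the IIS app pool cannot open without a loaded profile, hence "Access is denied"); for IIS the certificate is read from the LocalMachine store by thumbprint, as recommended here; and when a PFX file must be used anyway, it is loaded with X509KeyStorageFlags.MachineKeySet so the private key is not imported into the user profile, which is the condition behind "The system cannot find the file specified" (the Stack Overflow link in the earlier answer). The AuthServer:CertificateThumbprint, AuthServer:CertificateStoreLocation, AuthServer:CertificatePath and AuthServer:CertificatePassword configuration keys are assumptions made for this example; AuthServer:Authority is the key the thread already uses.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp;
using Volo.Abp.Modularity;
using Volo.Abp.OpenIddict;

// Added example for this thread; not ABP template code.
// Assumed configuration keys under "AuthServer":
//   Authority                issuer URL (required, already used by the template)
//   CertificateThumbprint    look the certificate up in a Windows store (IIS: recommended)
//   CertificateStoreLocation "LocalMachine" (IIS default) or "CurrentUser"
//                            (Azure App Service with WEBSITE_LOAD_CERTIFICATES)
//   CertificatePath          fall back to a PFX file relative to the content root
//   CertificatePassword      PFX password; supply it via user secrets or the
//                            AuthServer__CertificatePassword environment variable
public class EnergyToolsBlazorModule : AbpModule
{
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        var configuration = context.Services.GetConfiguration();
        var hostingEnvironment = context.Services.GetHostingEnvironment();

        // Fail with a readable message instead of System.UriFormatException
        // ("Invalid URI: The URI is empty.") when the setting is missing.
        var authority = configuration["AuthServer:Authority"];
        if (string.IsNullOrWhiteSpace(authority))
        {
            throw new AbpInitializationException("AuthServer:Authority is not configured.");
        }

        // Do not generate development certificates: OpenIddict puts them in the
        // CurrentUser store, which an IIS app pool identity without a loaded
        // user profile cannot open ("Access is denied").
        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });

        PreConfigure<OpenIddictServerBuilder>(builder =>
        {
            var certificate = LoadCertificate(configuration, hostingEnvironment);
            builder.AddSigningCertificate(certificate);
            builder.AddEncryptionCertificate(certificate);
            builder.SetIssuer(new Uri(authority, UriKind.Absolute));
        });
    }

    private static X509Certificate2 LoadCertificate(IConfiguration configuration, IWebHostEnvironment env)
    {
        var thumbprint = configuration["AuthServer:CertificateThumbprint"];
        if (!string.IsNullOrWhiteSpace(thumbprint))
        {
            var location = Enum.TryParse(configuration["AuthServer:CertificateStoreLocation"], out StoreLocation parsed)
                ? parsed
                : StoreLocation.LocalMachine;
            return FromStore(thumbprint, location);
        }

        var path = configuration["AuthServer:CertificatePath"] ?? "authserver.pfx";
        var password = configuration["AuthServer:CertificatePassword"];
        return FromPfxFile(Path.Combine(env.ContentRootPath, path), password);
    }

    // Store-based: the private key stays in the machine key store. Grant the app
    // pool identity read access to it (certlm.msc > All Tasks > Manage Private Keys).
    private static X509Certificate2 FromStore(string thumbprint, StoreLocation location)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        // validOnly: false so a self-signed test certificate is still returned.
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
        {
            throw new AbpInitializationException($"No certificate with thumbprint {thumbprint} in {location}\\My.");
        }

        var certificate = matches[0];
        if (!certificate.HasPrivateKey)
        {
            throw new AbpInitializationException($"Certificate {thumbprint} has no private key; import the PFX including its key.");
        }
        return certificate;
    }

    // File-based PFX: MachineKeySet makes Windows import the private key into the
    // machine-wide key container instead of the user profile's. Without the flag an
    // app pool running without a loaded profile fails with
    // "The system cannot find the file specified".
    private static X509Certificate2 FromPfxFile(string file, string password)
    {
        if (!File.Exists(file))
        {
            throw new FileNotFoundException($"Signing certificate not found: {file}");
        }

        return new X509Certificate2(file, password, X509KeyStorageFlags.MachineKeySet);
    }
}
```

    With this in place, the IIS deployment from this thread needs only AuthServer:Authority and AuthServer:CertificateThumbprint in appsettings.json, the certificate imported into LocalMachine\My with its private key, and the app pool identity granted read access to that key; Load User Profile can stay off. The PFX fallback covers hosts where the store is not available, such as the Azure Free plan mentioned below, and keeps the password out of the published appsettings.json.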
  • 0
    ageiter created

    On Azure, certificates can be uploaded and exposed to Azure App Service applications using the special WEBSITE_LOAD_CERTIFICATES flag. For more information, visit Use a TLS/SSL certificate in your code in Azure App Service.

    Unfortunately, this is not possible if the AppService is running in the App Service plan "Free". And "Load User Profile" is not applicable in this mode either. That's why I wanted to read the certificates when they are simply in wwwroot.

    Is there any other way to run the ABP app on Azure in App Service plan "Free"? I don't want to spend a lot of money for my test sites yet.

  • 1
    liangshiwei created
    Support Team Fullstack Developer

    @ageiter

    You can use the ephemeral key for testing: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-an-ephemeral-key

    PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
    {
        options.AddDevelopmentEncryptionAndSigningCertificate = false;
    });
    
    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        builder.AddEphemeralEncryptionKey();
        builder.AddEphemeralSigningKey();
    });
    

    BTW, I recommend you read this document: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html

  • 0
    ageiter created

    That works, thank you @liangshiwei!

  • 2
    christian@extranerds.com created

    Hi,

    I can't reproduce the problem with the project you provided.

    Can I check it remotely?

    It looks like the latest code is now deploying for you. Can you share with me what steps you performed to successfully deploy the project to IIS?

  • 0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Here are the steps:

    • Remove everything related to Telerik, because I don't have the license.
    • Run the DbMigrator to create a database.
    • Use the dotnet publish command to publish the Blazor project and copy the authserver.pfx to the publish folder.
    • Create an IIS website and make sure the IIS user has read and write permissions to the publish folder.

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11