How to install app on IIS, having issues with Cryptography #4845 | Support

christian@extranerds.com created one year ago

Dear ABP Support Team,

I am writing to report an issue with installing ABP Framework version v7.0.1 on IIS with UI type Blazor and DB provider EF Core.

When attempting to install the application on IIS, I am encountering the following error:

"Application '/LM/W3SVC/1/ROOT' with physical root 'C:\inetpub\wwwroot' has exited from Program.Main with exit code = '1'. First 30KB characters of captured stdout and stderr logs: [01:40:16 INF] Starting web host. [01:40:17 FTL] Host terminated unexpectedly! Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.Security.Cryptography.CryptographicException: Access is denied. at System.Security.Cryptography.X509Certificates.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags) at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags) at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate(X500DistinguishedName subject) at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate() at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder) at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action1 configuration) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context) at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context) at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() --- End of inner exception stack trace --- at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action1 optionsAction) at ExtraNerds.EnergyTools.Blazor.Program.Main(String[] args) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\Program.cs:line 38"

It seems that the error is related to a "System.Security.Cryptography.CryptographicException: Access is denied" exception. I have tried to install a self-signed certificate on IIS, and I have also played with several configurations, but I still encounter the same error.

I have tried

     PreConfigure<OpenIddictBuilder>(builder =>
        {
            builder.AddValidation(options =>
            {
                 options.AddAudiences("EnergyTools");
                  options.UseLocalServer();
                  options.UseAspNetCore();            
            });`

Also

builder.AddServer(options =>
{
    options.AddDevelopmentEncryptionCertificate()
           .AddDevelopmentSigningCertificate();
});

and many others with no luck. `

Could you please provide me with instructions on how to properly install this application on IIS?

Thank you for your help.

Best regards,

Christian Rios

13 Answer(s)

0

liangshiwei created one year ago
Support Team Fullstack Developer

Hi,

You can check this:

https://support.abp.io/QA/Questions/4791/Publish-single-project-app-Net-Core-ABP-701-to-shared-hosting-get-50030-error
1
christian@extranerds.com created one year ago
Hi,

You can check this:

https://support.abp.io/QA/Questions/4791/Publish-single-project-app-Net-Core-ABP-701-to-shared-hosting-get-50030-error

Per previous instructions, I ran dotnet dev-certs https -v -ep authserver.pfx -p 2D7AA457-5D33-48D6-936F-C48E5EF468ED created a certificate and added it to root C:\inetpub\wwwroot\

I also added to this code

public override void PreConfigureServices(ServiceConfigurationContext context) { context.Services.PreConfigure<AbpMvcDataAnnotationsLocalizationOptions>(options => { options.AddAssemblyResource( typeof(EnergyToolsResource), typeof(EnergyToolsDomainModule).Assembly, typeof(EnergyToolsDomainSharedModule).Assembly, typeof(EnergyToolsApplicationModule).Assembly, typeof(EnergyToolsApplicationContractsModule).Assembly, typeof(EnergyToolsBlazorModule).Assembly ); }); PreConfigure<OpenIddictBuilder>(builder => { builder.AddValidation(options => { options.AddAudiences("EnergyTools"); options.UseLocalServer(); options.UseAspNetCore(); }); }); var hostingEnvironment = context.Services.GetHostingEnvironment(); var configuration = context.Services.GetConfiguration(); PreConfigure<AbpOpenIddictAspNetCoreOptions>(options => { options.AddDevelopmentEncryptionAndSigningCertificate = false; }); PreConfigure<OpenIddictServerBuilder>(builder => { builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration)); builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration)); builder.SetIssuer(new Uri(configuration["AuthServer:Authority"])); }); } private X509Certificate2 GetSigningCertificate(IWebHostEnvironment hostingEnv, Microsoft.Extensions.Configuration.IConfiguration configuration) { var fileName = "authserver.pfx"; var passPhrase = "2D7AA457-5D33-48D6-936F-C48E5EF468ED"; var file = Path.Combine(hostingEnv.ContentRootPath, fileName); if (!File.Exists(file)) { throw new FileNotFoundException($"Signing Certificate couldn't found: {file}"); } return new X509Certificate2(file, passPhrase); }

But I still get the following exception.

Application '/LM/W3SVC/1/ROOT' with physical root 'C:\inetpub\wwwroot' has exited from Program.Main with exit code = '1'. First 30KB characters of captured stdout and stderr logs: [15:24:29 INF] Starting web host. [15:24:31 FTL] Host terminated unexpectedly! Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.Security.Cryptography.CryptographicException: The system cannot find the file specified. at System.Security.Cryptography.X509Certificates.CertificatePal.FilterPFXStore(ReadOnlySpan1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags) at System.Security.Cryptography.X509Certificates.CertificatePal.FromBlobOrFile(ReadOnlySpan1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags) at ExtraNerds.EnergyTools.Blazor.EnergyToolsBlazorModule.GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\EnergyToolsBlazorModule.cs:line 171 at ExtraNerds.EnergyTools.Blazor.EnergyToolsBlazorModule.<>c__DisplayClass0_0.<PreConfigureServices>b__3(OpenIddictServerBuilder builder) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\EnergyToolsBlazorModule.cs:line 128 at Volo.Abp.Options.PreConfigureActionList1.Configure(TOptions options) at Microsoft.Extensions.DependencyInjection.ServiceCollectionPreConfigureExtensions.ExecutePreConfiguredActions[TOptions](IServiceCollection services, TOptions options) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder) at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action1 configuration) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context) at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context) at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() --- End of inner exception stack trace --- at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction) at ExtraNerds.EnergyTools.Blazor.Program.Main(String[] args) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\Program.cs:line 38
0

liangshiwei created one year ago
Support Team Fullstack Developer

The system cannot find the file specified.

See: https://stackoverflow.com/questions/17840825/cryptographicexception-was-unhandled-system-cannot-find-the-specified-file

christian@extranerds.com created one year ago

The system cannot find the file specified.

See: https://stackoverflow.com/questions/17840825/cryptographicexception-was-unhandled-system-cannot-find-the-specified-file

I tried setting the user Load User Profile to true and started getting this exception

Application '/LM/W3SVC/1/ROOT' with physical root 'C:\inetpub\wwwroot\' has exited from Program.Main with exit code = '1'. First 30KB characters of captured stdout and stderr logs:
[01:59:34 INF] Starting web host.
[01:59:35 FTL] Host terminated unexpectedly!
Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
 ---> System.UriFormatException: Invalid URI: The URI is empty.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions)
   at System.Uri..ctor(String uriString)
   at ExtraNerds.EnergyTools.Blazor.EnergyToolsBlazorModule.<>c__DisplayClass0_0.<PreConfigureServices>b__3(OpenIddictServerBuilder builder) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\EnergyToolsBlazorModule.cs:line 131
   at Volo.Abp.Options.PreConfigureActionList`1.Configure(TOptions options)
   at Microsoft.Extensions.DependencyInjection.ServiceCollectionPreConfigureExtensions.ExecutePreConfiguredActions[TOptions](IServiceCollection services, TOptions options)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.&lt;&gt;c__DisplayClass1_0.&lt;AddOpenIddictServer&gt;b__0(OpenIddictServerBuilder builder)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
   at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   --- End of inner exception stack trace ---
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
   at ExtraNerds.EnergyTools.Blazor.Program.Main(String[] args) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\Program.cs:line 38

which refers to this line

builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]));

so I added to my appsettings.json

"AuthServer": {
  "Authority": "https://localhost:44322",
  "RequireHttpsMetadata": "true",
  "ClientId": "MyProjectName_Web",
  "ClientSecret": "1q2w3e*"
},

before that I tried just adding new Uri("https://localhost")

but then, now I dont even get an HTTP Error 500.30 - ASP.NET Core app failed to start with an exception in Event Viewer.

I just get a page with This page isn’t working right nowlocalhost can't currently handle this request. HTTP ERROR 500 and a refresh button

0

liangshiwei created one year ago
Support Team Fullstack Developer

Hi,

I can't reproduce the problem, can you share a project that can reproduce this problem with me? shiwei.liang@volosoft.com thanks
0

liangshiwei created one year ago
Support Team Fullstack Developer

Hi,

I can't reproduce the problem with the project you provided.

Can I check it remotely?
1

ageiter created one year ago

I have the same error message with my deployment on Azure.

First the certificate was not in the correct directory and I got the error message: System.IO.FileNotFoundException: Signing certificate couldn't found: C:\home\site\wwwroot\authserver-signing-certificate.pfx

Then I copied it to the root directory of the Blazor project and so it was found, but then the error message came: System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

The error happens here: new X509Certificate2(file, passPhrase);

Can it be that it has to do with some missing permissions?

I don't think "Load User Profile" solves the real problem, but is just a workaround to get around the whole certificate thing. Because with this flag set, it also works with the development certificates (i.e. without the pfx files).
0
liangshiwei created one year ago
Support Team Fullstack Developer
Hi, @ageiter

I don't think "Load User Profile" solves the real problem, but is just a workaround to get around the whole certificate thing. Because with this flag set, it also works with the development certificates (i.e. without the pfx files).

The app templates provide the most basic way.

The best place to store your certificates will depend on your host:

For IIS applications, storing the certificates in the machine store is the recommended option.

On Azure, certificates can be uploaded and exposed to Azure App Service applications using the special WEBSITE_LOAD_CERTIFICATES flag. For more information, visit Use a TLS/SSL certificate in your code in Azure App Service.

Some useful links

https://support.abp.io/QA/Questions/3537/OpenIddict-WindowsCryptographicException-Access-is-denied

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code

https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-a-certificate-recommended-for-production-ready-scenarios
0

ageiter created one year ago

On Azure, certificates can be uploaded and exposed to Azure App Service applications using the special WEBSITE_LOAD_CERTIFICATES flag. For more information, visit Use a TLS/SSL certificate in your code in Azure App Service.

Unfortunately, this is not possible if the AppService is running in the App Service plan "Free". And "Load User Profile" is not applicable in this mode either. That's why I wanted to read the certificates when they are simply in wwwroot.

Is there any other way to run the ABP app on Azure in App Service plan "Free"? I don't want to spend a lot of money for my test sites yet.
1
liangshiwei created one year ago
Support Team Fullstack Developer
@ageiter

You can use the ephemeral key for testing: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-an-ephemeral-key

PreConfigure<AbpOpenIddictAspNetCoreOptions>(options => { options.AddDevelopmentEncryptionAndSigningCertificate = false; }); PreConfigure<OpenIddictServerBuilder>(builder => { builder.AddEphemeralEncryptionKey(); builder.AddEphemeralSigningKey(); });

BTW, I recommend you to read this document: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
0

ageiter created one year ago

That works, thank you @liangshiwei!
2

christian@extranerds.com created one year ago

Hi,

I can't reproduce the problem with the project you provided.

Can I check it remotely?

It looks like the latest code is now deploying for you. Can you share with me what steps you performed to successfully deploy the project to IIS?

2
0
liangshiwei created one year ago
Support Team Fullstack Developer
Hi,

There are the steps:

Remove all about Telerik, because I don't have the license

Run the DbMigrator to create a database.

Use the dotnet publish command to publish the Blazor project and copy the authserver.pfx to the publish folder

Create an IIS website and make the IISUSER has read and write permissions to the publish folder

Have an answer to this question? Log in and write your answer.