Open Closed

OpenID configuration for Azure Application Service problem #6251


User avatar
0
treggon@gmail.com created
  • ABP Framework version: v7.3.3
  • UI Type: Blazor Server
  • Database System:SQL Server on Azure
  • Tiered (for MVC) or Auth Server Separated (for Angular): no
  • Exception message and full stack trace: This page isn’t working
  • Steps to reproduce the issue: Publish an app to Azure App Service and try to login using OpenID Example.... https://app.juriseconomics.com/Account/Login is not working as the certificate is not loading correctly.
    I have been following the OpenID information that I found on their website directly: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-a-certificate-recommended-for-production-ready-scenarios and have followed some of the tutorials https://brianmeeker.me/2022/08/29/setting-up-abp-with-openiddict-on-azure-app-services/

And I had it working for a long time, but something I am doing is now wrong. It works fine locally with the development certificates on localhost, but when I publish, anything that requires the MultiTenancy basically will fail, so I have a fallback page. Here is a screenshot of the comma delaminated list of certs to load in configuration.

`if (hostingEnvironment.IsProduction()) { PreConfigure

});

PreConfigure<OpenIddictServerBuilder>(builder =>
{
    // Load from Thumprint

    var SigningCert = GetSigningCertificate(hostingEnvironment, configuration, configuration["AuthServer:SigningCertificateThumbprint"]);
    var EncryptionCert = GetEncryptionCertificate(hostingEnvironment, configuration, configuration["AuthServer:EncryptionCertificateThumbprint"]);

    builder.AddSigningCertificate(SigningCert);
    builder.AddEncryptionCertificate(EncryptionCert);

    // Load from files
    //builder.AddSigningCertificate(LoadCertificate(configuration["AuthServer:SigningCertificateThumbprint"]));
    //builder.AddEncryptionCertificate(LoadCertificate(configuration["AuthServer:EncryptionCertificateThumbprint"]));

    builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]));

});

}This is the code I used to generate the certs that were uploaded. public void CreateEncryptionCert() { using var algorithm = RSA.Create(keySizeInBits: 2048);

        var subject = new X500DistinguishedName("CN=app.juriseconomics.com");
        var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));

        var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));

        System.IO.File.WriteAllBytes("wwwroot/encryption-certificate.pfx", certificate.Export(X509ContentType.Pfx, "XXXX"));
}

public void CreateSigningCert()
{
    using var algorithm = RSA.Create(keySizeInBits: 2048);

    var subject = new X500DistinguishedName("CN=app.juriseconomics.com");
    var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));

    var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));

    System.IO.File.WriteAllBytes("wwwroot/signing-certificate.pfx", certificate.Export(X509ContentType.Pfx, "XXXX"));
}`

The following is code that I used to get the certs.... private X509Certificate2 GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration, string thumbprint) {

   using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
   {
       certStore.Open(OpenFlags.ReadOnly);
       string certThumbprint = thumbprint; //  7D690FBABD5DE6246422E81836D16B22CF57D49F,98CEE0FD7F6ACD62C7C81784EDE5E78F86A83F1C,400B611BC5CF693DACAB6ABACE21DD31790D4A90,2EB0F42C5107C4E8C07BD6CE4D53F853F03AADA1
       bool validOnly = false;
       X509Certificate2Collection certCollection = certStore.Certificates.Find(
                                   X509FindType.FindByThumbprint,
                                   // Replace below with your certificate's thumbprint
                                   certThumbprint,
                                   validOnly);
       // Get the first cert with the thumbprint
       X509Certificate2 cert = certCollection.OfType&lt;X509Certificate2&gt;().FirstOrDefault();

       if (cert is null)
           throw new Exception($"Certificate with thumbprint {certThumbprint} was not found");

       // Use certificate
       Console.WriteLine(cert.FriendlyName);

       // Consider to call Dispose() on the certificate after it's being used, available in .NET 4.6 and later

       return cert;
   }

} private X509Certificate2 GetEncryptionCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration, string thumbprint) {

   using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
   {
       certStore.Open(OpenFlags.ReadOnly);
       string certThumbprint = thumbprint; //  7D690FBABD5DE6246422E81836D16B22CF57D49F,98CEE0FD7F6ACD62C7C81784EDE5E78F86A83F1C,400B611BC5CF693DACAB6ABACE21DD31790D4A90,2EB0F42C5107C4E8C07BD6CE4D53F853F03AADA1
       bool validOnly = false;
       X509Certificate2Collection certCollection = certStore.Certificates.Find(
                                   X509FindType.FindByThumbprint,
                                   // Replace below with your certificate's thumbprint
                                   certThumbprint,
                                   validOnly);
       // Get the first cert with the thumbprint
       X509Certificate2 cert = certCollection.OfType&lt;X509Certificate2&gt;().FirstOrDefault();

       if (cert is null)
           throw new Exception($"Certificate with thumbprint {certThumbprint} was not found");

       // Use certificate
       Console.WriteLine(cert.FriendlyName);

       // Consider to call Dispose() on the certificate after it's being used, available in .NET 4.6 and later

       return cert;
   }

}

HELP!


10 Answer(s)
  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Hi,

    Share the application logs please.

  • User Avatar
    0
    treggon@gmail.com created

    I pulled this from the Application log. This is what is shown in the logs when I load that page. Seems like its just not loading the cert using the thumbprint, but I don't understand.

    `2023-11-28T17:57:00 Welcome, you are now connected to log-streaming service. The default timeout is 2 hours. Change the timeout with the App Setting SCM_LOGSTREAM_TIMEOUT (in seconds).

    HTTP Error 500.0 - Internal Server Error

    The page cannot be displayed because an internal server error has occurred.

    Most likely causes:

    • IIS received the request; however, an internal error occurred during the processing of the request. The root cause of this error depends on which module handles the request and what was happening in the worker process when this error occurred.
    • IIS was not able to access the web.config file for the Web site or application. This can occur if the NTFS permissions are set incorrectly.
    • IIS was not able to process configuration for the Web site or application.
    • The authenticated user does not have permission to use this DLL.
    • The request is mapped to a managed handler but the .NET Extensibility Feature is not installed.

    Things you can try:

    • Ensure that the NTFS permissions for the web.config file are correct and allow access to the Web server's machine account.
    • Check the event logs to see if any additional information was logged.
    • Verify the permissions for the DLL.
    • Install the .NET Extensibility feature if the request is mapped to a managed handler.
    • Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.

    Detailed Error Information:

    Module   AspNetCoreModuleV2
    Notification   ExecuteRequestHandler
    Handler   aspNetCore
    Error Code   0x00000000
    Requested URL   https://litimation__bff1:80/Account/Login
    Physical Path   C:\home\site\wwwroot\Account\Login
    Logon Method   Anonymous
    Logon User   Anonymous

    More Information:

    This error means that there was a problem while processing the request. The request was received by the Web server, but during processing a fatal error occurred, causing the 500 error.

    View more information »

    Microsoft Knowledge Base Articles:

    `
  • User Avatar
    0
    treggon@gmail.com created

    Its got the super useful error code of 0x00 The rest of the site works with the application certificate but those don't have a thumbprint, this is just with OpenID certs Signing and Encryption.

  • User Avatar
    0
    treggon@gmail.com created

    Whereas the rest of the site is working fine and is loading a cert.... the OpenID is failing I am guessing, and the certs are not there.... or else I am not understanding.

  • User Avatar
    0
    treggon@gmail.com created

    using a dev cert it is working locally fine:

  • User Avatar
    0
    treggon@gmail.com created

    On Azure, certificates can be uploaded and exposed to Azure App Service applications using the special WEBSITE_LOAD_CERTIFICATES flag. For more information, visit Use a TLS/SSL certificate in your code in Azure App Service. Where I got the code to load the cert. Where I got the code to load the cert.

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    You are confusing HTTP certificate and Signing&Encryption certificate (https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html)

    Also see: https://docs.abp.io/en/abp/latest/Deployment/Configuring-OpenIddict

  • User Avatar
    0
    treggon@gmail.com created

    You are confusing HTTP certificate and Signing&Encryption certificate (https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html)

    Also see: https://docs.abp.io/en/abp/latest/Deployment/Configuring-OpenIddict

    I am not confused, I am just pointing out the different certs I am using and wondering how to fix this.

  • User Avatar
    0
    treggon@gmail.com created

    You are confusing HTTP certificate and Signing&Encryption certificate (https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html)

    Also see: https://docs.abp.io/en/abp/latest/Deployment/Configuring-OpenIddict

    I would think that with all the context I provided I would have got something better than, you are confused. We are currently also evaluating another year of license or to switch. This is our first question this year.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi treggon

    Can you share the app logs(logs.txt) of this 500 error? You can write logs to logs.txt and then share it.

    For the SSL problem you can refer to https://docs.abp.io/en/abp/8.0/Deployment/SSL

    But let us check the logs first.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11