Starts in:
0 DAY
11 HRS
36 MIN
48 SEC
Starts in:
0 D
11 H
36 M
48 S
Open Closed

How to install app on IIS, having issues with Cryptography #4845


User avatar
6
christian@extranerds.com created

Dear ABP Support Team,

I am writing to report an issue with installing ABP Framework version v7.0.1 on IIS with UI type Blazor and DB provider EF Core.

When attempting to install the application on IIS, I am encountering the following error:

"Application '/LM/W3SVC/1/ROOT' with physical root 'C:\inetpub\wwwroot' has exited from Program.Main with exit code = '1'. First 30KB characters of captured stdout and stderr logs: [01:40:16 INF] Starting web host. [01:40:17 FTL] Host terminated unexpectedly! Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.Security.Cryptography.CryptographicException: Access is denied. at System.Security.Cryptography.X509Certificates.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags) at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags) at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate(X500DistinguishedName subject) at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate() at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder) at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action1 configuration) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context) at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context) at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() --- End of inner exception stack trace --- at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action1 optionsAction) at ExtraNerds.EnergyTools.Blazor.Program.Main(String[] args) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\Program.cs:line 38"

It seems that the error is related to a "System.Security.Cryptography.CryptographicException: Access is denied" exception. I have tried to install a self-signed certificate on IIS, and I have also played with several configurations, but I still encounter the same error.

I have tried

     PreConfigure<OpenIddictBuilder>(builder =>
        {
            builder.AddValidation(options =>
            {
                 options.AddAudiences("EnergyTools");
                  options.UseLocalServer();
                  options.UseAspNetCore();            
            });`

Also

builder.AddServer(options =>
{
    options.AddDevelopmentEncryptionCertificate()
           .AddDevelopmentSigningCertificate();
});

and many others with no luck. `

Could you please provide me with instructions on how to properly install this application on IIS?

Thank you for your help.

Best regards,

Christian Rios


13 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can check this:

    https://support.abp.io/QA/Questions/4791/Publish-single-project-app-Net-Core-ABP-701-to-shared-hosting-get-50030-error

  • User Avatar
    1
    christian@extranerds.com created

    Hi,

    You can check this:

    https://support.abp.io/QA/Questions/4791/Publish-single-project-app-Net-Core-ABP-701-to-shared-hosting-get-50030-error

    Per previous instructions, I ran dotnet dev-certs https -v -ep authserver.pfx -p 2D7AA457-5D33-48D6-936F-C48E5EF468ED created a certificate and added it to root C:\inetpub\wwwroot\

    I also added to this code

    
        public override void PreConfigureServices(ServiceConfigurationContext context)
        {
            context.Services.PreConfigure<AbpMvcDataAnnotationsLocalizationOptions>(options =>
            {
                options.AddAssemblyResource(
                    typeof(EnergyToolsResource),
                    typeof(EnergyToolsDomainModule).Assembly,
                    typeof(EnergyToolsDomainSharedModule).Assembly,
                    typeof(EnergyToolsApplicationModule).Assembly,
                    typeof(EnergyToolsApplicationContractsModule).Assembly,
                    typeof(EnergyToolsBlazorModule).Assembly
                );
            });
    
            PreConfigure<OpenIddictBuilder>(builder =>
            {
                builder.AddValidation(options =>
                {
                    options.AddAudiences("EnergyTools");
                    options.UseLocalServer();
                    options.UseAspNetCore();
                });
            });
    
            var hostingEnvironment = context.Services.GetHostingEnvironment();
            var configuration = context.Services.GetConfiguration();
    
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
            {
                options.AddDevelopmentEncryptionAndSigningCertificate = false;
            });
    
            PreConfigure<OpenIddictServerBuilder>(builder =>
            {
                builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
                builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
                builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]));
            });
        }
    
        private X509Certificate2 GetSigningCertificate(IWebHostEnvironment hostingEnv, Microsoft.Extensions.Configuration.IConfiguration configuration)
        {
            var fileName = "authserver.pfx";
            var passPhrase = "2D7AA457-5D33-48D6-936F-C48E5EF468ED";
            var file = Path.Combine(hostingEnv.ContentRootPath, fileName);
    
            if (!File.Exists(file))
            {
                throw new FileNotFoundException($"Signing Certificate couldn't found: {file}");
            }
    
            return new X509Certificate2(file, passPhrase);
        }
    

    But I still get the following exception.

    Application '/LM/W3SVC/1/ROOT' with physical root 'C:\inetpub\wwwroot' has exited from Program.Main with exit code = '1'. First 30KB characters of captured stdout and stderr logs: [15:24:29 INF] Starting web host. [15:24:31 FTL] Host terminated unexpectedly! Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.Security.Cryptography.CryptographicException: The system cannot find the file specified. at System.Security.Cryptography.X509Certificates.CertificatePal.FilterPFXStore(ReadOnlySpan1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags) at System.Security.Cryptography.X509Certificates.CertificatePal.FromBlobOrFile(ReadOnlySpan1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags) at ExtraNerds.EnergyTools.Blazor.EnergyToolsBlazorModule.GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\EnergyToolsBlazorModule.cs:line 171 at ExtraNerds.EnergyTools.Blazor.EnergyToolsBlazorModule.<>c__DisplayClass0_0.<PreConfigureServices>b__3(OpenIddictServerBuilder builder) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\EnergyToolsBlazorModule.cs:line 128 at Volo.Abp.Options.PreConfigureActionList1.Configure(TOptions options) at Microsoft.Extensions.DependencyInjection.ServiceCollectionPreConfigureExtensions.ExecutePreConfiguredActions[TOptions](IServiceCollection services, TOptions options) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder) at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action1 configuration) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context) at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context) at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() --- End of inner exception stack trace --- at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction) at ExtraNerds.EnergyTools.Blazor.Program.Main(String[] args) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\Program.cs:line 38

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    The system cannot find the file specified.

    See: https://stackoverflow.com/questions/17840825/cryptographicexception-was-unhandled-system-cannot-find-the-specified-file

  • User Avatar
    1
    christian@extranerds.com created

    The system cannot find the file specified.

    See: https://stackoverflow.com/questions/17840825/cryptographicexception-was-unhandled-system-cannot-find-the-specified-file

    I tried setting the user Load User Profile to true and started getting this exception

    Application '/LM/W3SVC/1/ROOT' with physical root 'C:\inetpub\wwwroot\' has exited from Program.Main with exit code = '1'. First 30KB characters of captured stdout and stderr logs:
    [01:59:34 INF] Starting web host.
    [01:59:35 FTL] Host terminated unexpectedly!
    Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
     ---> System.UriFormatException: Invalid URI: The URI is empty.
       at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions)
       at System.Uri..ctor(String uriString)
       at ExtraNerds.EnergyTools.Blazor.EnergyToolsBlazorModule.<>c__DisplayClass0_0.<PreConfigureServices>b__3(OpenIddictServerBuilder builder) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\EnergyToolsBlazorModule.cs:line 131
       at Volo.Abp.Options.PreConfigureActionList`1.Configure(TOptions options)
       at Microsoft.Extensions.DependencyInjection.ServiceCollectionPreConfigureExtensions.ExecutePreConfiguredActions[TOptions](IServiceCollection services, TOptions options)
       at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.&lt;&gt;c__DisplayClass1_0.&lt;AddOpenIddictServer&gt;b__0(OpenIddictServerBuilder builder)
       at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
       at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
       at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
       at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
       at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
       --- End of inner exception stack trace ---
       at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
       at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
       at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
       at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
       at ExtraNerds.EnergyTools.Blazor.Program.Main(String[] args) in D:\projects\ExtraNerds.EnergyTools\src\ExtraNerds.EnergyTools.Blazor\Program.cs:line 38
    

    which refers to this line

    builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]));

    so I added to my appsettings.json

    "AuthServer": {
      "Authority": "https://localhost:44322",
      "RequireHttpsMetadata": "true",
      "ClientId": "MyProjectName_Web",
      "ClientSecret": "1q2w3e*"
    },
    

    before that I tried just adding new Uri("https://localhost")

    but then, now I dont even get an HTTP Error 500.30 - ASP.NET Core app failed to start with an exception in Event Viewer.

    I just get a page with This page isn’t working right nowlocalhost can't currently handle this request. HTTP ERROR 500 and a refresh button

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I can't reproduce the problem, can you share a project that can reproduce this problem with me? shiwei.liang@volosoft.com thanks

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I can't reproduce the problem with the project you provided.

    Can I check it remotely?

  • User Avatar
    1
    ageiter created

    I have the same error message with my deployment on Azure.

    First the certificate was not in the correct directory and I got the error message: System.IO.FileNotFoundException: Signing certificate couldn't found: C:\home\site\wwwroot\authserver-signing-certificate.pfx

    Then I copied it to the root directory of the Blazor project and so it was found, but then the error message came: System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

    The error happens here: new X509Certificate2(file, passPhrase);

    Can it be that it has to do with some missing permissions?

    I don't think "Load User Profile" solves the real problem, but is just a workaround to get around the whole certificate thing. Because with this flag set, it also works with the development certificates (i.e. without the pfx files).

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi, @ageiter

    I don't think "Load User Profile" solves the real problem, but is just a workaround to get around the whole certificate thing. Because with this flag set, it also works with the development certificates (i.e. without the pfx files).

    The app templates provide the most basic way.

    The best place to store your certificates will depend on your host:

    • For IIS applications, storing the certificates in the machine store is the recommended option.
    • On Azure, certificates can be uploaded and exposed to Azure App Service applications using the special WEBSITE_LOAD_CERTIFICATES flag. For more information, visit Use a TLS/SSL certificate in your code in Azure App Service.

    Some useful links

    • https://support.abp.io/QA/Questions/3537/OpenIddict-WindowsCryptographicException-Access-is-denied
    • https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code
    • https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-a-certificate-recommended-for-production-ready-scenarios
  • User Avatar
    0
    ageiter created

    On Azure, certificates can be uploaded and exposed to Azure App Service applications using the special WEBSITE_LOAD_CERTIFICATES flag. For more information, visit Use a TLS/SSL certificate in your code in Azure App Service.

    Unfortunately, this is not possible if the AppService is running in the App Service plan "Free". And "Load User Profile" is not applicable in this mode either. That's why I wanted to read the certificates when they are simply in wwwroot.

    Is there any other way to run the ABP app on Azure in App Service plan "Free"? I don't want to spend a lot of money for my test sites yet.

  • User Avatar
    1
    liangshiwei created
    Support Team Fullstack Developer

    @ageiter

    You can use the ephemeral key for testing: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-an-ephemeral-key

    PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
    {
        options.AddDevelopmentEncryptionAndSigningCertificate = false;
    });
    
    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        builder.AddEphemeralEncryptionKey();
        builder.AddEphemeralSigningKey();
    });
    

    BTW, I recommend you to read this document: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html

  • User Avatar
    0
    ageiter created

    That works, thank you @liangshiwei!

  • User Avatar
    2
    christian@extranerds.com created

    Hi,

    I can't reproduce the problem with the project you provided.

    Can I check it remotely?

    It looks like the latest code is now deploying for you. Can you share with me what steps you performed to successfully deploy the project to IIS?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    There are the steps:

    • Remove all about Telerik, because I don't have the license
    • Run the DbMigrator to create a database.
    • Use the dotnet publish command to publish the Blazor project and copy the authserver.pfx to the publish folder
    • Create an IIS website and make the IISUSER has read and write permissions to the publish folder
Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06