Open Closed

Missing AuthServer.pfx when deployed to Azure #5446


User avatar
0
darutter created
  • ABP Framework version: v7.3.0

  • UI type: MVC

  • DB provider: EF Core

  • Tiered (MVC) or Identity Server Separated (Angular): no

  • Exception message and stack trace:

  • Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.3.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.IO.FileNotFoundException: Signing Certificate couldn't found: C:\home\site\wwwroot\authserver.pfx at BCFOAssistant.Web.BCFOAssistantWebModule.GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration) in C:\Projects\BCFOAssistant\aspnet-core\src\BCFOAssistant.Web\BCFOAssistantWebModule.cs:line 365

  • Steps to reproduce the issue:

  • Create App Service web site on Azure

  • Deploy web app to Azure

  • Attempt to run site

  • Receive error

I generated the authserver.pfx file and uploaded it to azure. When I did it asked me to install and I did. However the web app still fails with the same error.

I've looked at other things that talk about creating the .pfx file and have done that. None of the documentation seems to match when it comes to configuring my app to use/recognize the certificate. It would be helpful to get some clear documentation on complete steps to get the certificate(s) installed on Azure and the app configured to use them.


15 Answer(s)
  • User Avatar
    0
    nlachmuthDev created

    You might want to checkout this: https://codejack.com/2022/12/deploying-abp-io-to-an-azure-appservice/

    There are detailed explanations for configuring your application for azure app services.

    Please let me know if this helps you.

  • User Avatar
    0
    darutter created

    I followed the instructions in the link that you provided but now I am getting the following error:

    Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.3.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.Security.Cryptography.CryptographicException: The specified network password is not correct. at System.Security.Cryptography.X509Certificates.CertificatePal.FilterPFXStore(ReadOnlySpan1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags) at System.Security.Cryptography.X509Certificates.CertificatePal.FromBlobOrFile(ReadOnlySpan1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags) at BCFOAssistant.Web.BCFOAssistantWebModule.GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration) in C:\Projects\BCFOAssistant\aspnet-core\src\BCFOAssistant.Web\BCFOAssistantWebModule.cs:line 372 at BCFOAssistant.Web.BCFOAssistantWebModule.<>c__DisplayClass1_0.<PreConfigureServices>b__3(OpenIddictServerBuilder builder) in C:\Projects\BCFOAssistant\aspnet-core\src\BCFOAssistant.Web\BCFOAssistantWebModule.cs:line 123 at Volo.Abp.Options.PreConfigureActionList`1.Configure(TOptions options)

  • User Avatar
    0
    darutter created

    The documentation that was referenced was for version 6.x of abp and required the addition of code to the <projname>WebModule.cs file. In version 7.3.0, the <projname>WebModule.cs file already has the template code in place looking for the authserv.pfx file, but it throws an exception if the .pfx file doesn't exist. One of the "answers" to the problem was to generate the file if it doesn't exist. I did that and that got me to where I am now (invalid network password). Looking for answers on how resolve this indicates I should be using a TripleDES-SHA1 encryption but the constructor for the CertificateRequest requires a RSA-SHA256 encryption. Other suggestions were to not supply a passphrase in the generation of the X509Certificate2. None of these suggestions have resolved my problem.

    Abp needs to provide some clear solutions to deploying this new authentication mechanism to Azure that actually works. PLEASE HELP!

  • User Avatar
    0
    nlachmuthDev created

    I was able to deploy a fresh abp mvc (non-tiered) application to an azure web app using the following steps (https://abpazuretest.azurewebsites.net/#):

    1. Create the authserver.pfx using the following command (if you want to use another password, you need to change the code in the YourPrjNameWebModule: dotnet dev-certs https -v -ep authserver.pfx -p 2D7AA457-5D33-48D6-936F-C48E5EF468ED
    2. Place the generated pfx file inside YourProject.Web-Project
    3. Ensure the generated pfx is copied as content by adding the following to the csproj-File of the YourProject.Web-Project:

    These steps are extracted from the official abp documentation for configuring OpenIdDict: https://docs.abp.io/en/abp/latest/Deployment/Configuring-OpenIddict

  • User Avatar
    0
    darutter created

    I am really at a loss here. I created the .pfx file as specified and made sure the passCode used is the one that is in the app. The file is flagged as being a content file that is to be copied always and the file does show up on Azure in the site/wwwroot folder. The application still will not start correctly, again stating that "the system cannot find the file specified". The line that is throwing the exception is: return new X509Certificate2(file, passPhrase); which only gets executed if the test "if(File.Exists(file))" passes. So the file exists and it is the one that was generated using the dotnet generated code.

  • User Avatar
    0
    nlachmuthDev created

    Hey, make sure the file is located in the content root. Not in the applications wwwroot. As you see in the screenshot of my example apps kudo browser.

    Some other questions that might help me to find a solution for you:

    1. What OS do you use for your azure web app?
    2. How do you deploy the web app to azure?
    3. How is the stack configuration for your web app?
      • Mine looks the following:
  • User Avatar
    0
    darutter created

    My authserver.pfx file is in the same location as yours. Microsoft setup my web app on Microsoft Windows NT 10.0.14393.0. As you can see in the screenshot, it is a 32 bit environment. I am running on a Shared (D1) development instance.

    I deploy by downloading the publish profile from Azure and use the Web Deploy option.

  • User Avatar
    0
    nlachmuthDev created

    Could you show me the path settings?

    Also you might could try to switch to a linux app service, if that would be an option for you.

  • User Avatar
    0
    darutter created

    I tried to deploy it to a Linux instance and it failed.

  • User Avatar
    0
    nlachmuthDev created

    Ok i found out that the issue is only related to windows app services. Can reproduce it on a fresh f1 windows app service. You could try to add an application setting entry "WEBSITE_LOAD_USER_PROFILE" with the value 1 to your app service.

    Here is the stackoverflow question i found in regards to azure web apps and x509 certs: https://stackoverflow.com/questions/66367406/cngkey-system-security-cryptography-cryptographicexception-the-system-cannot-fin

    If the WEBSITE_LOAD_USER_PROFILE still not works you could try setting WEBSITE_LOAD_CERTIFICATES to some random value. There where some comments that this would only work for non shared web apps.

    For the f1 plan i used to test it, this stackoverflow was really helpful: https://stackoverflow.com/questions/9951729/x509certificate-constructor-exception/10048789#10048789

    Long story short, adding the MachineKeySet-StoreFlag to the constructor of the cert should fix the issue for you:

     private X509Certificate2 GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration)
        {
            var fileName = "authserver.pfx";
            var passPhrase = "2D7AA457-5D33-48D6-936F-C48E5EF468ED";
            var file = Path.Combine(hostingEnv.ContentRootPath, fileName);
    
            if (!File.Exists(file))
            {
                throw new FileNotFoundException($"Signing Certificate couldn't found: {file}");
            }
    
            return new X509Certificate2(file, passPhrase, X509KeyStorageFlags.MachineKeySet);
        }
    
  • User Avatar
    0
    darutter created

    I upgraded the Azure web service to a non-shared resource, added the variable WEBSITE_LOAD_CERTIFICATES= 1 to the Azure instance and tried it without adding the MachineKeySet parameter to the X509Certificate constructor. That did not make any difference in the problem. I then added the MachinKeySet parameter and re-deployed. Now I'm back to the error "The specified network password is incorrect."

    I even regenerated the authserver.pfx file and ensured that one is the one that is on the Azure site. Still no luck getting a site to function.

  • User Avatar
    0
    nlachmuthDev created

    Try it with also setting the variable WEBSITE_LOAD_USER_PROFILE=1.

    If this still not works we can make a meeting so i can have a deep look into your project and the azure web service.

  • User Avatar
    0
    darutter created

    That didn't work so if we can setup a meeting and get your help I'd appreciate it.

  • User Avatar
    0
    nlachmuthDev created

    Ok send me an invitation of to a zoom/teams/google meet call when you have time. Here is my e-mail: nico@chrobyte.de

    Please send the invitation +- 30 mins before start, so there is some puffer for me. Thanks :)

  • User Avatar
    0
    nlachmuthDev created

    The customer made the following changes that resulted into the app starting now in azure:

    • the first was the change to include the call to the AddEncryptionCertificate
    • the second was I had failed to change the URLs for the SelfURL and Authority settings in the appsettings.production.json file.
Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09