Openiddict certificate not found #7680

inavarro.cp created one year ago

In the github Actions logs, the certificate is generated correctly, the problem is a routing issue that the ABP code cannot locate the generated certificate.

This is the GitHubActions code:

name: Deploy all webapps in pre environment.
on:
  push:
    branches:
      - development

  workflow_dispatch:

env:
  ASPNETCORE_ENVIRONMENT: Staging
  AbpLicenseCode: ${{ secrets.ABP_COMMERCIAL_LICENSE }}

jobs:
  Deploy_Apps:

    runs-on: ubuntu-latest

    env:
      DOTNET_ROOT: /home/runner/.dotnet

    steps:
    - uses: actions/checkout@v2

    # notify on each build event like starting and finishing a build
    - uses: toko-bifrost/ms-teams-deploy-card@master
      if: always()
      with:
        github-token: ${{ github.token }}
        webhook-uri: ${{ secrets.MICROSOFT_TEAMS_WEBHOOK_URI }}

    - name: Setup .NET Core SDK
      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: '6.0.x'

    - name: Install ABP CLI
      run: dotnet tool install -g Volo.Abp.Cli --version 6.0.1

    - name: Install ABP libs
      run: abp install-libs

    - name: Az CLI login
      id: az_login
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}

    - name: Prepare Migrations
      run: cd src/Cincaporc.WebApp.DbMigrator && dotnet publish -c Release && cd

    - name: Run Migrations
      run: cd src/Cincaporc.WebApp.DbMigrator && dotnet bin/Release/net6.0/publish/Cincaporc.WebApp.DbMigrator.dll --Environment Staging --configuration Release && cd
      
    - name: Publish CincaPorc WebApp.Auth.Server.
      run: dotnet publish --configuration Release --output WebApp.Auth.Server src/Cincaporc.WebApp.AuthServer/Cincaporc.WebApp.AuthServer.csproj

    - name: Generate openiddict.pfx
      run: dotnet dev-certs https -v -ep ${{env.DOTNET_ROOT}}/Cincaporc.WebApp.AuthServer/openiddict.pfx -p 00000000-0000-0000-0000-000000000000

    - name: Deploy APP WebApp.Auth.Server
      uses: azure/webapps-deploy@v2.2.3
      with:
        app-name: extranetIdentity-dev
        package: WebApp.Auth.Server

    - name: Publish CincaPorc WebApp.HttpApi.Host.
      run: dotnet publish --configuration Release --output WebApp.HttpApi.Host src/Cincaporc.WebApp.HttpApi.Host/Cincaporc.WebApp.HttpApi.Host.csproj

    - name: Deploy APP WebApp.HttpApi.Host
      uses: azure/webapps-deploy@v2.2.3
      with:
        app-name: extranetappapi-dev
        package: WebApp.HttpApi.Host

    - name: Publish CincaPorc WebApp.Web.
      run: dotnet publish --configuration Release --output WebApp.Web src/Cincaporc.WebApp.Web/Cincaporc.WebApp.Web.csproj

    - name: Deploy APP WebApp
      uses: azure/webapps-deploy@v2.2.3
      with:
        app-name: extranetapp-dev
        package: WebApp.Web

    - name: Publish CincaPorc WebApp.Web.Public.
      run: dotnet publish --configuration Release --output WebApp.Web.Public src/Cincaporc.WebApp.Web.Public/Cincaporc.WebApp.Web.Public.csproj

    - name: Deploy APP WebApp.Web.Public
      uses: azure/webapps-deploy@v2.2.3
      with:
        app-name: IntegradosApp-dev
        package: WebApp.Web.Public
      
    - name: Az Logout.
      if: ${{ always() && steps.az_login.conclusion == 'success' }}
      run: |
        az logout
        az cache purge
        az account clear

We have followed the example of the official documentation: https://abp.io/docs/latest/deployment/configuring-openiddict

This is the code that we have added to the ABP project:

using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

namespace Microsoft.Extensions.DependencyInjection;

public static class OpenIddictServerBuilderExtensions
{
    public static OpenIddictServerBuilder AddProductionEncryptionAndSigningCertificate(this OpenIddictServerBuilder builder, string fileName, string passPhrase)
    {
        if (!File.Exists(fileName))
        {
            throw new FileNotFoundException($"Signing Certificate couldn't found: {fileName}");
        }

        var certificate = new X509Certificate2(fileName, passPhrase);
        builder.AddSigningCertificate(certificate);
        builder.AddEncryptionCertificate(certificate);
        return builder;
    }
}

maliming created one year ago

Support Team Fullstack Developer

, the problem is a routing issue that the ABP code cannot locate the generated certificate.

What is this mean? do you have any error logs?

inavarro.cp created one year ago

These are the logs generated by the Identity:

Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=6.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
 ---> System.IO.FileNotFoundException: Signing Certificate couldn't found: openiddict.pfx
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilderExtensions.AddProductionEncryptionAndSigningCertificate(OpenIddictServerBuilder builder, String fileName, String passPhrase) in /home/runner/work/Cincaporc.WebApp/Cincaporc.WebApp/src/Cincaporc.WebApp.AuthServer/OpenIddictServerBuilderExtensions.cs:line 13
   at Cincaporc.WebApp.WebAppAuthServerModule.<>c__DisplayClass0_0.<PreConfigureServices>b__2(OpenIddictServerBuilder serverBuilder) in /home/runner/work/Cincaporc.WebApp/Cincaporc.WebApp/src/Cincaporc.WebApp.AuthServer/WebAppAuthServerModule.cs:line 96
   at Volo.Abp.Options.PreConfigureActionList`1.Configure(TOptions options)
   at Microsoft.Extensions.DependencyInjection.ServiceCollectionPreConfigureExtensions.ExecutePreConfiguredActions[TOptions](IServiceCollection services, TOptions options)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.&lt;&gt;c__DisplayClass1_0.&lt;AddOpenIddictServer&gt;b__0(OpenIddictServerBuilder builder)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
   at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()

These are the logs generated by the GitHubActions:

Run dotnet dev-certs https -v -ep /home/runner/.dotnet/Cincaporc.WebApp.AuthServer/openiddict.pfx -p 00000000-0000-0000-0000-000000000000
  
[1] Listing certificates from CurrentUser\My
[2] Found certificates: 1 certificate
    1) 85401136598E5431084B7F11E2486FA96A65D658 - CN=localhost - Valid from 2024-08-09 10:24:49Z to 2025-08-09 10:24:49Z - IsHttpsDevelopmentCertificate: true - IsExportable: true
[3] Checking certificates validity
[4] Valid certificates: 1 certificate
    1) 85401136598E5431084B7F11E2486FA96A65D658 - CN=localhost - Valid from 2024-08-09 10:24:49Z to 2025-08-09 10:24:49Z - IsHttpsDevelopmentCertificate: true - IsExportable: true
[5] Invalid certificates: no certificates
[6] Finished listing certificates.
[1] Listing certificates from LocalMachine\My
[7] An error occurred while listing the certificates: System.Security.Cryptography.CryptographicException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.
 ---> System.PlatformNotSupportedException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.
   --- End of inner exception stack trace ---
   at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags)
   at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
   at Microsoft.AspNetCore.Certificates.Generation.CertificateManager.ListCertificates(StoreName storeName, StoreLocation location, Boolean isValid, Boolean requireExportable)
[8] Filtered certificates: 1 certificate
    1) 85401136598E5431084B7F11E2486FA96A65D658 - CN=localhost - Valid from 2024-08-09 10:24:49Z to 2025-08-09 10:24:49Z - IsHttpsDevelopmentCertificate: true - IsExportable: true
[9] Excluded certificates: no certificates
[14] Valid certificates: 1 certificate
    1) 85401136598E5431084B7F11E2486FA96A65D658 - CN=localhost - Valid from 2024-08-09 10:24:49Z to 2025-08-09 10:24:49Z - IsHttpsDevelopmentCertificate: true - IsExportable: true
[15] Selected certificate: 85401136598E5431084B7F11E2486FA96A65D658 - CN=localhost - Valid from 2024-08-09 10:24:49Z to 2025-08-09 10:24:49Z - IsHttpsDevelopmentCertificate: true - IsExportable: true
[23] Saving certificate '85401136598E5431084B7F11E2486FA96A65D658 - CN=localhost - Valid from 2024-08-09 10:24:49Z to 2025-08-09 10:24:49Z - IsHttpsDevelopmentCertificate: true - IsExportable: true' to /home/runner/.dotnet/Cincaporc.WebApp.AuthServer/openiddict.pfx with private key.
[25] Creating directory /home/runner/.dotnet/Cincaporc.WebApp.AuthServer.
[27] Writing the certificate to: /home/runner/.dotnet/Cincaporc.WebApp.AuthServer/openiddict.pfx.
A valid HTTPS certificate is already present.
The certificate was exported to /home/runner/.dotnet/Cincaporc.WebApp.AuthServer/openiddict.pfx

maliming created one year ago

Support Team Fullstack Developer

The certificate was exported to /home/runner/.dotnet/Cincaporc.WebApp.AuthServer/openiddict.pfx

/home/runner/work/Cincaporc.WebApp/Cincaporc.WebApp/src/Cincaporc.WebApp.AuthServer/OpenIddictServerBuilderExtensions.cs

Can you check the files to make sure the Cincaporc.WebApp.AuthServer project and openiddict.pfx exist in the same folder?

dvillena.cp created one year ago

Inside the Cincaporc.WebApp.AuthServer folder we have the openiddict file.

maliming created one year ago

Support Team Fullstack Developer

I have no idea about this. You can get the pfx file from a virtual file instead of a folder.

https://abp.io/docs/latest/framework/infrastructure/virtual-file-system

dvillena.cp created one year ago

Sorry about what I told you, in githubActions every time we make a pull request we want to create the certificate, right here - name: Generate openiddict.pfx run: dotnet dev-certs https -v -ep ${{env.DOTNET_ROOT}}/Cincaporc.WebApp.AuthServer/openiddict.pfx -p 00000000-0000-0000-0000-000000000000, I don't know how you would put it, but I I have realized that the problem has to be because of the path that I am giving it, because the one I should give is this /home/runner/work/Cincaporc.WebApp/Cincaporc.WebApp/src/Cincaporc.WebApp.AuthServer/openiddict.pfx and the one it was giving me is this /home/runner/.dotnet/Cincaporc.WebApp.AuthServer/openiddict.pfx, that's why it didn't tell me that it couldn't find the certificate, in your case how would you present it in a more optimal way.

maliming created one year ago

Support Team Fullstack Developer

So your problem is solved. Right?

dvillena.cp created one year ago

It is not correct to do it as I told you about the route, now I have another problem, when making a pull request in githubaction I get this error message [7] An error occurred while listing the certificates: System.Security.Cryptography.CryptographicException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores. ---> System.PlatformNotSupportedException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores. and at the end of the pull request, the auth logs of the application when I open it, I get this, 2024-08-12 09:19:01.116 +02:00 [INF] [] [] Starting Cincaporc.WebApp.AuthServer. 2024-08-12 09:19:11.875 +02:00 [FTL] [] [] Cincaporc.WebApp.AuthServer terminated unexpectedly! Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=6.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.IO.FileNotFoundException: Signing Certificate couldn't found: openiddict.pfx at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilderExtensions.AddProductionEncryptionAndSigningCertificate(OpenIddictServerBuilder builder, String fileName, String passPhrase) in /home/runner/work/Cincaporc.WebApp/Cincaporc.WebApp/src/Cincaporc.WebApp.AuthServer/OpenIddictServerBuilderExtensions.cs:line 13 at Cincaporc.WebApp.WebAppAuthServerModule.<>c__DisplayClass0_0.<PreConfigureServices>b__2(OpenIddictServerBuilder serverBuilder) in /home/runner/work/Cincaporc.WebApp/Cincaporc.WebApp/src/Cincaporc.WebApp.AuthServer/WebAppAuthServerModule.cs:line 96 at Volo.Abp.Options.PreConfigureActionList1.Configure(TOptions options) at Microsoft.Extensions.DependencyInjection.ServiceCollectionPreConfigureExtensions.ExecutePreConfiguredActions[TOptions](IServiceCollection services, TOptions options) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder) at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action1 configuration) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context) at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context) at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() --- End of inner exception stack trace --- at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction) at Cincaporc.WebApp.Program.Main(String[] args) in /home/runner/work/Cincaporc.WebApp/Cincaporc.WebApp/src/Cincaporc.WebApp.AuthServer/Program.cs:line 55

maliming created one year ago

Support Team Fullstack Developer

Can you invite me to your GitHub repository?

I will check your pipeline code.

dvillena.cp created one year ago

You already have reading permissions to see the repository, I'll give you the link https://github.com/Cincaporc/Cincaporc.WebApp/tree/development, you have to be in the development branch, and you go to github/workFlow.

maliming created one year ago

Support Team Fullstack Developer

Can you try to generate and move the openiddict.pfx file to https://github.com/Cincaporc/Cincaporc.WebApp/tree/development/src/Cincaporc.WebApp.AuthServer and test again?

dvillena.cp created one year ago

Hello, I just ran it with the development branch, and this is what I get in github actions

Run dotnet dev-certs https -v -ep src/Cincaporc.WebApp.AuthServer/openiddict.pfx -p 00000000-0000-0000-0000-000000000000 [1] Listing certificates from CurrentUser\My [2] Found certificates: 1 certificate 1) 45A52275A11B619AF8F44193C557B30DCEA9DAAD - CN=localhost - Valid from 2024-08-12 09:11:20Z to 2025-08-12 09:11:20Z - IsHttpsDevelopmentCertificate: true - IsExportable: true [3] Checking certificates validity [4] Valid certificates: 1 certificate 1) 45A52275A11B619AF8F44193C557B30DCEA9DAAD - CN=localhost - Valid from 2024-08-12 09:11:20Z to 2025-08-12 09:11:20Z - IsHttpsDevelopmentCertificate: true - IsExportable: true [5] Invalid certificates: no certificates [6] Finished listing certificates. [1] Listing certificates from LocalMachine\My [7] An error occurred while listing the certificates: System.Security.Cryptography.CryptographicException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores. ---> System.PlatformNotSupportedException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores. --- End of inner exception stack trace --- at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags) at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags) at Microsoft.AspNetCore.Certificates.Generation.CertificateManager.ListCertificates(StoreName storeName, StoreLocation location, Boolean isValid, Boolean requireExportable) [8] Filtered certificates: 1 certificate 1) 45A52275A11B619AF8F44193C557B30DCEA9DAAD - CN=localhost - Valid from 2024-08-12 09:11:20Z to 2025-08-12 09:11:20Z - IsHttpsDevelopmentCertificate: true - IsExportable: true [9] Excluded certificates: no certificates [14] Valid certificates: 1 certificate 1) 45A52275A11B619AF8F44193C557B30DCEA9DAAD - CN=localhost - Valid from 2024-08-12 09:11:20Z to 2025-08-12 09:11:20Z - IsHttpsDevelopmentCertificate: true - IsExportable: true [15] Selected certificate: 45A52275A11B619AF8F44193C557B30DCEA9DAAD - CN=localhost - Valid from 2024-08-12 09:11:20Z to 2025-08-12 09:11:20Z - IsHttpsDevelopmentCertificate: true - IsExportable: true [23] Saving certificate '45A52275A11B619AF8F44193C557B30DCEA9DAAD - CN=localhost - Valid from 2024-08-12 09:11:20Z to 2025-08-12 09:11:20Z - IsHttpsDevelopmentCertificate: true - IsExportable: true' to src/Cincaporc.WebApp.AuthServer/openiddict.pfx with private key. [25] Creating directory src/Cincaporc.WebApp.AuthServer. [27] Writing the certificate to: src/Cincaporc.WebApp.AuthServer/openiddict.pfx. A valid HTTPS certificate is already present. The certificate was exported to /home/runner/work/Cincaporc.WebApp/Cincaporc.WebApp/src/Cincaporc.WebApp.AuthServer/openiddict.pfx

maliming created one year ago

Support Team Fullstack Developer

You can generate the openiddict.pfx in your local computer, and copy it to your https://github.com/Cincaporc/Cincaporc.WebApp/tree/development/src/Cincaporc.WebApp.AuthServer

in this way you don't need to generate the pfx in your pipeline.

dvillena.cp created one year ago

I just did it, and I still get an error, when I enter the logs in azure development, I get this error

2024-08-12 12:03:25.939 +02:00 [INF] [] [] Starting Cincaporc.WebApp.AuthServer. 2024-08-12 12:03:30.397 +02:00 [FTL] [] [] Cincaporc.WebApp.AuthServer terminated unexpectedly! Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=6.0.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.ArgumentNullException: Value cannot be null. (Parameter 'uriString') at System.Uri..ctor(String uriString) at Cincaporc.WebApp.WebAppAuthServerModule.<>c__DisplayClass0_0.<PreConfigureServices>b__2(OpenIddictServerBuilder serverBuilder) in /home/runner/work/Cincaporc.WebApp/Cincaporc.WebApp/src/Cincaporc.WebApp.AuthServer/WebAppAuthServerModule.cs:line 97 at Volo.Abp.Options.PreConfigureActionList1.Configure(TOptions options) at Microsoft.Extensions.DependencyInjection.ServiceCollectionPreConfigureExtensions.ExecutePreConfiguredActions[TOptions](IServiceCollection services, TOptions options) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder) at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action1 configuration) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services) at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context) at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context) at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() --- End of inner exception stack trace --- at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync() at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action1 optionsAction) at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction) at Cincaporc.WebApp.Program.Main(String[] args) in /home/runner/work/Cincaporc.WebApp/Cincaporc.WebApp/src/Cincaporc.WebApp.AuthServer/Program.cs:line 55

I think that this part of code ---> System.ArgumentNullException: Value cannot be null. (Parameter 'uriString') at System.Uri..ctor(String uriString) is the problem

dvillena.cp created one year ago

I'll show you how I have it configured in the code.



public override void PreConfigureServices(ServiceConfigurationContext context)
{
    var hostingEnvironment = context.Services.GetHostingEnvironment();
    var configuration = context.Services.GetConfiguration();

    PreConfigure&lt;OpenIddictBuilder&gt;(builder =>
    {
        builder.AddValidation(options =>
        {
            options.AddAudiences("WebApp");
            options.UseLocalServer();
            options.UseAspNetCore();
        });
    });
    /*
    * This configuration is used when the AuthServer is running on docker containers at localhost.
    * Configuring the redirectin URLs for internal network and the web
    */
    if (!hostingEnvironment.IsDevelopment())
        {
        PreConfigure&lt;AbpOpenIddictAspNetCoreOptions&gt;(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });

        PreConfigure&lt;OpenIddictServerBuilder&gt;(serverBuilder =>
        {
            serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "00000000-0000-0000-0000-000000000000");
            serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
        });
    }
}