BLACK FRIDAY
From November 21
to December 02
99Days : 99Hrs : 99Min : 99Sec
SAVE UP TO$3K
Also valid for the
existing customers!
Open Closed

OpenIddict WindowsCryptographicException: Access is denied #3537


1
Frontis2 created
  • ABP Framework version: v6.0.0-rc.1
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace:
Application '/LM/W3SVC/2/ROOT' with physical root 'D:\Domains\abp_beheer\httpdocs\' has exited from Program.Main with exit code = '1'. First 30KB characters of captured stdout and stderr logs:
[14:14:52 INF] Starting web host.
[14:14:53 FTL] Host terminated unexpectedly!
Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
 ---> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access is denied.
   at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags)
   at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate(X500DistinguishedName subject)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate()
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
   at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   --- End of inner exception stack trace ---
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
   at ABP_Beheer.Web.Program.Main(String[] args) in D:\BUILD02_Agent3\_work\730\s\src\ABP_Beheer.Web\Program.cs:line 36

  • Steps to reproduce the issue:"
  • dotnet tool install Volo.Abp.Cli -g --version 6.0.0-rc.1
  • abp new BookStore --preview
  • Run migrator & Open application & login with admin user
  • Now release to a windows server 2022 server (install IIS+dotnet 6 webhosting bundle)
  • Configure ABP there with Local IIS
    • ApplicationPoolIdentity
  • Add a ssl certificate in the Personal folder via "Manage computer certificates"
  • After that, configure the SSL certificate, so that the IIS APPOOL has access to it (manage computer certificates> Personal > Certificates > right click certificate > All tasks > Manage private keys > Add iis appool user here)
    • See https://github.com/dotnet/aspnetcore/issues/6840 for more info
  • Add HTTPS binding of the ssl certificate, to the iis site
  • Recycle app pool
  • Go to the application, by browsering to it

We haven't had this issue with ABP in combination with Identity server. What am i doing wrong, in context of OpenIddict?

Thanks in advance.


9 Answer(s)
  • 0
    maliming created
    Support Team

    hi

    Can you try to add a custom certificate instead of a development certificate?

    https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-a-development-certificate

    https://docs.abp.io/en/abp/6.0/Modules/OpenIddict#abpopeniddictaspnetcoreoptions

  • 0
    maliming created
    Support Team

  • 0
    maliming created
    Support Team

    hi

    https://github.com/abpframework/abp/issues/13633

  • 0
    scott7106 created

    I am getting the same error deploying the application to an Azure App Service. This is a release configuration so I am not expecting to install a developer certificate. What am I missing here? The App Service has an SSL certificate bound to a custom domain being used for the site.

  • 0
    maliming created
    Support Team

    hi @scott7106

    Try to set AddDevelopmentEncryptionAndSigningCertificate false.

    https://docs.abp.io/en/abp/6.0/Modules/OpenIddict#abpopeniddictaspnetcoreoptions

  • 1
    Frontis2 created

    For us it was a combination of

    - 1. Development certificate

        private void ConfigureOpenIddict()
        {
            Configure<AbpOpenIddictAspNetCoreOptions>(builder => {
                builder.AddDevelopmentEncryptionAndSigningCertificate = false;
            });
        }
    
        {
            ...
            ConfigureOpenIddict();
            ...
        }
    

    Why not adding this code (maybe with env.IsDevelopment()) to the starter template? This might help a lot of people?

    - 2. Setting Loading User Profile to true in IIS

    Tnhx for the support!

  • 1
    scott7106 created

    I found this in the OpenIddict documentation. https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html. This should be included in the deployment documentation for the new version and referenced in the release notes.

  • 3
    scott7106 created

    I was able to resolve the issue for Azure App Service with the following code:

    Added to PreConfigureServices in *HttpApiHostModule

    #if RELEASE
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options => options.AddDevelopmentEncryptionAndSigningCertificate = false);
            string encryptionThumbprint = "******************";
            string signingThumbprint = "**************";
    
            var encryptionCertificate = GetX509Certificate2(encryptionThumbprint);
            var signingCertificate = GetX509Certificate2(signingThumbprint);
    
            PreConfigure<OpenIddictServerBuilder>(builder =>
            {
                builder.AddEncryptionCertificate(encryptionCertificate);
                builder.AddSigningCertificate(signingCertificate);
            });
    #endif
    

    helper method referenced above

        private X509Certificate2 GetX509Certificate2(string thumbprint)
        {
            bool validOnly = false;
            using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly);
            var collection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly);
            var certificate = collection.OfType<X509Certificate2>().FirstOrDefault();
            store.Close();
            return certificate ?? throw new Exception($"Cannot find certificate with thumbprint {thumbprint}");
        }
    

    The self-signed certificates were generated based on the documentation available on https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html.

    The certificates must be generated with a password instead of the empty password in the example in order for you to upload the PFX file to the Azure App Service.

    You must also set the configuration setting for WEBSITE_LOAD_CERTIFICATES on the Azure App Service to either be * to load all certificates or have a comma separated list of certificates you want loaded.

  • 0
    maliming created
    Support Team

    Many thanks @scott7106