
Missing AuthServer.pfx when deployed to Azure #5446


darutter created
  • ABP Framework version: v7.3.0

  • UI type: MVC

  • DB provider: EF Core

  • Tiered (MVC) or Identity Server Separated (Angular): no

  • Exception message and stack trace:

    Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.3.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.IO.FileNotFoundException: Signing Certificate couldn't found: C:\home\site\wwwroot\authserver.pfx at BCFOAssistant.Web.BCFOAssistantWebModule.GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration) in C:\Projects\BCFOAssistant\aspnet-core\src\BCFOAssistant.Web\BCFOAssistantWebModule.cs:line 365

  • Steps to reproduce the issue:

    1. Create App Service web site on Azure
    2. Deploy web app to Azure
    3. Attempt to run site
    4. Receive error

I generated the authserver.pfx file and uploaded it to Azure. When I did, it asked me to install it, and I did. However, the web app still fails with the same error.

I've looked at other things that talk about creating the .pfx file and have done that. None of the documentation seems to match when it comes to configuring my app to use/recognize the certificate. It would be helpful to get some clear documentation on the complete steps to get the certificate(s) installed on Azure and the app configured to use them.


15 Answer(s)
  • nlachmuthDev created

    You might want to check out this: https://codejack.com/2022/12/deploying-abp-io-to-an-azure-appservice/

    It has detailed explanations for configuring your application for Azure App Services.

    Please let me know if this helps you.

  • darutter created

    I followed the instructions in the link that you provided but now I am getting the following error:

    Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=7.3.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details. ---> System.Security.Cryptography.CryptographicException: The specified network password is not correct. at System.Security.Cryptography.X509Certificates.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags) at System.Security.Cryptography.X509Certificates.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags) at BCFOAssistant.Web.BCFOAssistantWebModule.GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration) in C:\Projects\BCFOAssistant\aspnet-core\src\BCFOAssistant.Web\BCFOAssistantWebModule.cs:line 372 at BCFOAssistant.Web.BCFOAssistantWebModule.<>c__DisplayClass1_0.<PreConfigureServices>b__3(OpenIddictServerBuilder builder) in C:\Projects\BCFOAssistant\aspnet-core\src\BCFOAssistant.Web\BCFOAssistantWebModule.cs:line 123 at Volo.Abp.Options.PreConfigureActionList`1.Configure(TOptions options)

  • darutter created

    The documentation that was referenced was for version 6.x of ABP and required the addition of code to the <projname>WebModule.cs file. In version 7.3.0, the <projname>WebModule.cs file already has the template code in place looking for the authserver.pfx file, but it throws an exception if the .pfx file doesn't exist. One of the "answers" to the problem was to generate the file if it doesn't exist. I did that, and that got me to where I am now (invalid network password). Looking for answers on how to resolve this indicates I should be using TripleDES-SHA1 encryption, but the constructor for the CertificateRequest requires RSA-SHA256 encryption. Other suggestions were to not supply a passphrase in the generation of the X509Certificate2. None of these suggestions have resolved my problem.

    ABP needs to provide some clear solutions for deploying this new authentication mechanism to Azure that actually work. PLEASE HELP!

  • nlachmuthDev created

    I was able to deploy a fresh ABP MVC (non-tiered) application to an Azure web app using the following steps (https://abpazuretest.azurewebsites.net/#):

    1. Create the authserver.pfx using the following command (if you want to use another password, you need to change the code in the YourPrjNameWebModule): dotnet dev-certs https -v -ep authserver.pfx -p 2D7AA457-5D33-48D6-936F-C48E5EF468ED
    2. Place the generated pfx file inside the YourProject.Web project
    3. Ensure the generated pfx is copied as content by adding the following to the .csproj file of the YourProject.Web project:

    These steps are extracted from the official ABP documentation for configuring OpenIddict: https://docs.abp.io/en/abp/latest/Deployment/Configuring-OpenIddict

  • darutter created

    I am really at a loss here. I created the .pfx file as specified and made sure the passcode used is the one that is in the app. The file is flagged as a content file that is to be copied always, and the file does show up on Azure in the site/wwwroot folder. The application still will not start correctly, again stating that "the system cannot find the file specified". The line that is throwing the exception is: return new X509Certificate2(file, passPhrase); which only gets executed if the test "if(File.Exists(file))" passes. So the file exists, and it is the one that was generated using the dotnet generated code.

  • nlachmuthDev created

    Hey, make sure the file is located in the content root, not in the application's wwwroot, as you see in the screenshot of my example app's Kudu browser.

    Some other questions that might help me to find a solution for you:

    1. What OS do you use for your azure web app?
    2. How do you deploy the web app to azure?
    3. How is the stack configuration for your web app?
      • Mine looks like the following:

  • darutter created

    My authserver.pfx file is in the same location as yours. Microsoft set up my web app on Microsoft Windows NT 10.0.14393.0. As you can see in the screenshot, it is a 32-bit environment. I am running on a Shared (D1) development instance.

    I deploy by downloading the publish profile from Azure and using the Web Deploy option.

  • nlachmuthDev created

    Could you show me the path settings?

    Also, you could try to switch to a Linux App Service, if that would be an option for you.

  • darutter created

    I tried to deploy it to a Linux instance and it failed.

  • nlachmuthDev created

    Ok, I found out that the issue is only related to Windows App Services. I can reproduce it on a fresh F1 Windows App Service. You could try to add an application setting entry "WEBSITE_LOAD_USER_PROFILE" with the value 1 to your App Service.

    Here is the Stack Overflow question I found regarding Azure web apps and X509 certs: https://stackoverflow.com/questions/66367406/cngkey-system-security-cryptography-cryptographicexception-the-system-cannot-fin

    If WEBSITE_LOAD_USER_PROFILE still does not work, you could try setting WEBSITE_LOAD_CERTIFICATES to some random value. There were some comments that this would only work for non-shared web apps.

    For the F1 plan I used to test it, this Stack Overflow answer was really helpful: https://stackoverflow.com/questions/9951729/x509certificate-constructor-exception/10048789#10048789

    Long story short, adding the MachineKeySet store flag to the constructor of the cert should fix the issue for you:

    private X509Certificate2 GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration)
    {
        var fileName = "authserver.pfx";
        var passPhrase = "2D7AA457-5D33-48D6-936F-C48E5EF468ED";
        // The PFX must sit in the content root, not in wwwroot.
        var file = Path.Combine(hostingEnv.ContentRootPath, fileName);

        if (!File.Exists(file))
        {
            throw new FileNotFoundException($"Signing Certificate couldn't found: {file}");
        }

        // MachineKeySet stores the imported private key in the machine key store, so the
        // per-user profile that a Windows App Service does not load is no longer needed.
        return new X509Certificate2(file, passPhrase, X509KeyStorageFlags.MachineKeySet);
    }

  • darutter created

    I upgraded the Azure web service to a non-shared resource, added the variable WEBSITE_LOAD_CERTIFICATES= 1 to the Azure instance and tried it without adding the MachineKeySet parameter to the X509Certificate constructor. That did not make any difference in the problem. I then added the MachineKeySet parameter and re-deployed. Now I'm back to the error "The specified network password is incorrect."

    I even regenerated the authserver.pfx file and ensured that one is the one that is on the Azure site. Still no luck getting a site to function.

  • nlachmuthDev created

    Try it with the variable WEBSITE_LOAD_USER_PROFILE=1 also set.

    If this still does not work, we can set up a meeting so I can have a deep look into your project and the Azure web service.

  • darutter created

    That didn't work, so if we can set up a meeting and get your help, I'd appreciate it.

  • nlachmuthDev created

    Ok, send me an invitation to a Zoom/Teams/Google Meet call when you have time. Here is my e-mail: nico@chrobyte.de

    Please send the invitation +- 30 mins before the start, so there is some buffer for me. Thanks :)

  • nlachmuthDev created

    The customer made the following changes, which resulted in the app now starting in Azure:

    • the first was to include the call to AddEncryptionCertificate
    • the second was that I had failed to change the URLs for the SelfUrl and Authority settings in the appsettings.production.json file.
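
    As an added example (not code from the thread or from the ABP template), this is how the MachineKeySet fix and the final two changes fit together in the web module: the PFX is loaded once from the content root, checked for a private key, and registered for both signing and encryption, with the passphrase read from configuration instead of being hardcoded. The module name and the "AuthServer:CertificateFileName" / "AuthServer:CertificatePassPhrase" configuration keys are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;
using OpenIddict.Server;
using Volo.Abp;
using Volo.Abp.Modularity;
using Volo.Abp.OpenIddict;

public class YourProjectWebModule : AbpModule // placeholder name for <ProjectName>WebModule
{
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        var hostingEnv = context.Services.GetHostingEnvironment();
        var configuration = context.Services.GetConfiguration();
        if (!hostingEnv.IsDevelopment())
        {
            // Turn off the generated dev certificate so the PFX is the only key material.
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
                options.AddDevelopmentEncryptionAndSigningCertificate = false);
            PreConfigure<OpenIddictServerBuilder>(builder =>
            {
                var cert = LoadCertificate(hostingEnv, configuration);
                builder.AddSigningCertificate(cert);
                builder.AddEncryptionCertificate(cert); // the call the final answer found missing
            });
        }
    }

    private static X509Certificate2 LoadCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration)
    {
        // Assumed keys; supply them as App Service application settings, not in source.
        var fileName = configuration["AuthServer:CertificateFileName"] ?? "authserver.pfx";
        var passPhrase = configuration["AuthServer:CertificatePassPhrase"]
            ?? throw new InvalidOperationException("AuthServer:CertificatePassPhrase is not configured.");
        // Content root, not wwwroot (the location checked in the Kudu browser earlier in the thread).
        var file = Path.Combine(hostingEnv.ContentRootPath, fileName);
        if (!File.Exists(file))
            throw new FileNotFoundException($"Signing certificate not found: {file}");
        // MachineKeySet keeps the private key out of the per-user store, which a Windows
        // App Service does not load unless WEBSITE_LOAD_USER_PROFILE=1 is set.
        var cert = new X509Certificate2(file, passPhrase, X509KeyStorageFlags.MachineKeySet);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX has no private key; tokens cannot be signed.");
        return cert;
    }
}
```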
Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11