Application startup exception System.InvalidOperationException: Couldn't find a valid certificate with subject 'CN=<mydomain>' on the 'CurrentUser\My'

Anthony Hawkley 6 Reputation points
2020-10-27T16:40:09.347+00:00

I'm getting this error on startup with an app hosted on a Linux AppService (P1v2) - (it does however work as documented on other pages/stackoverflow posts on a Linux AppService (B2)).

    Application startup exception
    System.InvalidOperationException: Couldn't find a valid certificate with subject 'CN=<mydomain>' on the 'CurrentUser\My'
       at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.SigningKeysLoader.LoadFromStoreCert(String subject, String storeName, StoreLocation storeLocation, DateTimeOffset currentTime)
       at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.ConfigureSigningCredentials.LoadKey()
       at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.ConfigureSigningCredentials.Configure(ApiAuthorizationOptions options)

Startup code:

    services.AddIdentityServer(options =>
    {
        options.IssuerUri = applicationUrls.WebAPIUrl;
    })
    .AddApiAuthorization<User, DataContext>();

My settings look like this:

    "IdentityServer": {
        "Key": {
            "Type": "Store",
            "StoreName": "My",
            "StoreLocation": "CurrentUser",
            "Name": "CN=<myDomain>"
        },
        "WEBSITE_LOAD_CERTIFICATES": "<certificateThumbprint>"
    }

Please help - thanks!

Azure App Service

4 answers

  1. berik 6 Reputation points
    2020-11-05T01:38:14.467+00:00

    If you delete the code block from appsettings.json it will throw an exception. That's because the extension method .AddApiAuthorization<User, DataContext>() internally calls AddSigningCredentials(), which reads bare private keys. According to this issue https://github.com/dotnet/runtime/issues/27658#issuecomment-454572342, App Service on Linux reads the PFX key.

    Solution

    1. Delete the method .AddApiAuthorization<User, DataContext>(); and call

        // needs: using System.IO; using System.Security.Cryptography.X509Certificates;
        var builder = services.AddIdentityServer()
            .AddAspNetIdentity<ApplicationUser>()
            .AddOperationalStore<ApplicationDbContext>()
            .AddIdentityResources()
            .AddApiResources()
            .AddClients();

        if (Env.IsDevelopment())
        {
            builder.AddDeveloperSigningCredential();
        }
        else
        {
            // Linux App Service exposes each certificate listed in WEBSITE_LOAD_CERTIFICATES
            // as /var/ssl/private/<thumbprint>.p12, so load it from the file system
            // instead of the CurrentUser\My store.
            var bytes = File.ReadAllBytes($"/var/ssl/private/{Configuration["WEBSITE_LOAD_CERTIFICATES"]}.p12");
            var certificate = new X509Certificate2(bytes);
            builder.AddSigningCredential(certificate);
        }

    1 person found this answer helpful.

  2. SnehaAgrawal-MSFT 18,366 Reputation points
    2020-10-28T09:29:39.143+00:00

    Thanks for asking the question! Could you please confirm that you have made the certificate accessible?
    Check this documentation: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code#make-the-certificate-accessible
    Also, confirm whether you were able to successfully bind the certificate to the custom domain.

    The possible reason for this could be that the code block you are applying in your appsettings.json is trying to get a certificate directly from the root of your web application, since you are searching for the path "currentUser".

    For the code block to work you need to get the certificate imported to the following root path of your web application:
    • PS D:\home> dir cert:\currentuser\my
    • PS D:\home> dir cert:\localmachine\my

    You can import this certificate using the Kudu site. To access Kudu Navigate to App Service > Advanced Tools > Click on Go.

    Also, just to clarify: if you already have the custom domain bound to an SSL certificate on the portal, the appsettings.json may be interfering with the portal configuration. The recommendation here is to remove the code block from the appsettings.json and let the portal manage the site certificate.

    You may refer to the document link below; it might be helpful:

    Please let us know if issue persists.

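    Putting the two answers above together, here is an added example of my own (not code from the question, from berik's answer or from Microsoft's documentation) that loads the signing certificate explicitly and fails with a specific message instead of the generic "Couldn't find a valid certificate" from AddApiAuthorization. It assumes, as in the question, that WEBSITE_LOAD_CERTIFICATES holds a single thumbprint; that on Linux App Service the certificate is exposed at /var/ssl/private/<thumbprint>.p12 (the path used in the answer above); and that on Windows it lands in CurrentUser\My. `Env`, `Configuration` and `applicationUrls` are the usual Startup members from the question.

    ```csharp
    // Added example: explicit signing-certificate loading for IdentityServer on App Service.
    using System;
    using System.IO;
    using System.Runtime.InteropServices;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.Extensions.Configuration;

    public static class SigningCertificateLoader
    {
        public static X509Certificate2 Load(IConfiguration configuration)
        {
            // Assumption: the setting names exactly one thumbprint (a "*" wildcard would load every cert).
            var thumbprint = configuration["WEBSITE_LOAD_CERTIFICATES"]?.Trim();
            if (string.IsNullOrEmpty(thumbprint) || thumbprint == "*")
                throw new InvalidOperationException("WEBSITE_LOAD_CERTIFICATES must name a single thumbprint.");

            var cert = RuntimeInformation.IsOSPlatform(OSPlatform.Linux)
                ? LoadFromLinuxFile(thumbprint)
                : LoadFromUserStore(thumbprint);

            Validate(cert, thumbprint);
            return cert;
        }

        // Linux App Service: the platform writes one PKCS#12 file per loaded certificate.
        private static X509Certificate2 LoadFromLinuxFile(string thumbprint)
        {
            var path = Path.Combine("/var/ssl/private", thumbprint + ".p12");
            if (!File.Exists(path))
                throw new FileNotFoundException(
                    $"Certificate {thumbprint} not found at {path}. Check WEBSITE_LOAD_CERTIFICATES " +
                    "and that the certificate is uploaded to (or managed by) this App Service.", path);
            return new X509Certificate2(File.ReadAllBytes(path));
        }

        // Windows App Service (and local dev): look the thumbprint up in CurrentUser\My.
        private static X509Certificate2 LoadFromUserStore(string thumbprint)
        {
            using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException($"No certificate with thumbprint {thumbprint} in CurrentUser\\My.");
            return found[0];
        }

        // Fail fast on the conditions that make a certificate unusable as a signing key.
        private static void Validate(X509Certificate2 cert, string expectedThumbprint)
        {
            if (!string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("Loaded certificate thumbprint does not match configuration.");
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; it cannot sign tokens.");
            var now = DateTime.UtcNow;
            if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
                throw new InvalidOperationException(
                    $"Certificate is outside its validity period ({cert.NotBefore:u} to {cert.NotAfter:u}).");
        }
    }

    // In Startup.ConfigureServices (replaces the AddApiAuthorization call from the question):
    //
    //     var builder = services.AddIdentityServer(options => options.IssuerUri = applicationUrls.WebAPIUrl)
    //         .AddAspNetIdentity<User>()
    //         .AddOperationalStore<DataContext>();   // plus your resource/client registrations
    //     if (Env.IsDevelopment())
    //         builder.AddDeveloperSigningCredential();
    //     else
    //         builder.AddSigningCredential(SigningCertificateLoader.Load(Configuration));
    ```

    The thumbprint comparison matters because App Service names the file after the thumbprint: a stale setting pointing at a rotated managed certificate would otherwise load the wrong key silently. Each exception message names the exact check that failed, which is what you want to see in the App Service log stream instead of the one-line stack trace in the question.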

  3. Anthony Hawkley 6 Reputation points
    2020-10-29T16:51:54.303+00:00

    Still not working, I referenced the information provided in the links both before and after asking the question and still no luck. The one thing I haven't done is copied the certificate to the site root - it is an 'App Service Managed Certificate' so I don't have a copy to upload.

    This exact same code and configuration on a Linux AppService (B2)) works as documented, but on Linux AppService (P1v2) it does not. The only difference between the two is the AppService itself and the certificate name/thumbprint in each respectively.

    One other observation I've made that may or may not be related is that none of the settings found on the settings page in the Azure portal get applied to this site. I have to put them in the appsettings file that gets uploaded on publish... not sure why that is? When I change values in the screenshot below they don't appear to be applied to the service, even after a restart.

    [Screenshot: 36133-settings-screenshot.png]


  4. Andy Wilkin 1 Reputation point
    2021-05-06T17:24:59.197+00:00

    This works for Identity Server, but not for securing an API where one would do something like:

        services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = "Bearer";
            })
            .AddIdentityServerAuthentication("Bearer", options =>
            {
                options.Authority = "XXXX";
                options.RequireHttpsMetadata = false;
                options.ApiName = "XXXX";
                options.ApiSecret = "XXXX";
            });


    The problem here is there is no way to load the certificate yourself. Have got it working with a Windows-based Web API, but can't get it working with a Linux one.

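    For the API side, here is an added example of my own (not Andy's code and not from the IdentityServer project) using the ASP.NET Core JwtBearer handler. The API validates token signatures with the public keys the authority publishes at the jwks_uri in its discovery document, so the API host itself does not load the signing certificate; only the IdentityServer host needs the private key loaded as in the answers above. The authority URL and audience name are placeholders, and the `ValidIssuer` has to match the `IssuerUri` the question sets on IdentityServer. Unlike the snippet above, this keeps `RequireHttpsMetadata` on, which is the setting you want against anything but a local development authority.

    ```csharp
    // Added example: bearer-token validation for an API without a local copy of the signing certificate.
    using System;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.Logging;
    using Microsoft.IdentityModel.Tokens;

    public static class ApiAuthenticationSetup
    {
        public static IServiceCollection AddApiJwtAuthentication(this IServiceCollection services)
        {
            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
                {
                    // Placeholder: the IdentityServer host; keys are fetched from its discovery document.
                    options.Authority = "https://<identityserver-host>";
                    options.RequireHttpsMetadata = true;

                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateIssuer = true,
                        ValidIssuer = "https://<identityserver-host>",   // must equal IdentityServer's IssuerUri
                        ValidateAudience = true,
                        ValidAudience = "<api-resource-name>",            // placeholder: the API resource name
                        ValidateIssuerSigningKey = true,                  // resolved against jwks_uri, not a local cert
                        ValidateLifetime = true,
                        ClockSkew = TimeSpan.FromMinutes(2),
                    };

                    options.Events = new JwtBearerEvents
                    {
                        // Surface the concrete reason (unknown kid, expired, wrong audience) in the logs,
                        // because the client only ever sees a bare 401.
                        OnAuthenticationFailed = ctx =>
                        {
                            ctx.HttpContext.RequestServices
                                .GetRequiredService<ILoggerFactory>()
                                .CreateLogger("JwtBearer")
                                .LogWarning(ctx.Exception, "Bearer token validation failed");
                            return Task.CompletedTask;
                        }
                    };
                });

            return services;
        }
    }
    ```

    Call `services.AddApiJwtAuthentication();` from ConfigureServices and add `app.UseAuthentication();` before `app.UseAuthorization();`. When this fails on Linux but not on Windows, the OnAuthenticationFailed log line tells you whether the API could not reach the authority's metadata, could not find the signing key id in the JWKS, or rejected the token on issuer or audience grounds, which is a different problem from the certificate-loading failure in the question.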