AnthonyHawkley-3156 asked AndyWilkin-7744 answered

Application startup exception System.InvalidOperationException: Couldn't find a valid certificate with subject 'CN=<mydomain>' on the 'CurrentUser\My

I'm getting this error on startup with an app hosted on a Linux AppService (P1v2) - (it does however work as documented on other pages/stackoverflow posts on a Linux AppService (B2)).

    Application startup exception
    System.InvalidOperationException: Couldn't find a valid certificate with subject 'CN=<mydomain>' on the 'CurrentUser\My'
       at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.SigningKeysLoader.LoadFromStoreCert(String subject, String storeName, StoreLocation storeLocation, DateTimeOffset currentTime)
       at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.ConfigureSigningCredentials.LoadKey()
       at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.ConfigureSigningCredentials.Configure(ApiAuthorizationOptions options)

Startup code:

    services.AddIdentityServer(options =>
    {
        options.IssuerUri = applicationUrls.WebAPIUrl;
    })
    .AddApiAuthorization<User, DataContext>();

My settings look like this:

    "IdentityServer": {
        "Key": {
            "Type": "Store",
            "StoreName": "My",
            "StoreLocation": "CurrentUser",
            "Name": "CN=<myDomain>"
        }
    },
    "WEBSITE_LOAD_CERTIFICATES": "<certificateThumbprint>"

Please help - thanks!

Tags: azure-webapps-development, azure-webapps-performance, azure-webapps-scaling

SnehaAgrawal-MSFT answered

Thanks for asking the question! Could you please confirm that you have made the certificate accessible?
Check this documentation: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code#make-the-certificate-accessible
Also, please confirm whether you were able to successfully bind the certificate to the custom domain.

The possible reason for this could be that the code block you are applying in your appsettings.json is trying to get a certificate directly from the root of your web application, since you are searching for the path "currentUser".

For the code block to work you need to get the certificate imported into the following root path of your web application:
• PS D:\home> dir cert:\currentuser\my
• PS D:\home> dir cert:\localmachine\my

You can import this certificate using the Kudu site. To access Kudu, navigate to App Service > Advanced Tools and click Go.


Also, just to clarify: if you already have the custom domain bound to an SSL certificate in the portal and the appsettings.json is interfering with the portal configuration, the recommendation here is to remove the code block from the appsettings.json and let the portal manage the site certificate.

The document link below might also be helpful:

Please let us know if issue persists.


AnthonyHawkley-3156 answered SnehaAgrawal-MSFT commented

Still not working. I referenced the information provided in the links both before and after asking the question and still no luck. The one thing I haven't done is copy the certificate to the site root - it is an 'App Service Managed Certificate', so I don't have a copy to upload.

This exact same code and configuration on a Linux AppService (B2) works as documented, but on a Linux AppService (P1v2) it does not. The only difference between the two is the AppService itself and the certificate name/thumbprint in each respectively.

One other observation I've made that may or may not be related is that none of the settings found on the settings page in the Azure portal get applied to this site - I have to put them in the appsettings file that gets uploaded on publish... not sure why that is? When I change values in the screenshot below they don't appear to be applied to the service, even after a restart.

[Attachment: 36133-settings-screenshot.png (screenshot of the App Service settings page)]

Apologies that you are facing this issue. We request that you send an email to AzCommunity[at]Microsoft[dot]com referencing this thread; we would like to work more closely with you on this matter.

berik-9043 answered patrickbadley published

If you delete the code block from appsettings.json, it will throw an exception. That's because the extension method `.AddApiAuthorization<User, DataContext>();` internally calls AddSigningCredentials(), which reads bare private keys. According to this issue https://github.com/dotnet/runtime/issues/27658#issuecomment-454572342 App Service on Linux read PFX key

Solution
1. Delete the method call `.AddApiAuthorization<User, DataContext>();` and instead call:

    using System.IO;
    using System.Security.Cryptography.X509Certificates;

    // Env is the injected IWebHostEnvironment, Configuration the injected IConfiguration.
    var builder = services.AddIdentityServer()
        .AddAspNetIdentity<ApplicationUser>()
        .AddOperationalStore<ApplicationDbContext>()
        .AddIdentityResources()
        .AddApiResources()
        .AddClients();

    if (Env.IsDevelopment())
    {
        // Temporary key for local development only; never use it in production.
        builder.AddDeveloperSigningCredential();
    }
    else
    {
        // App Service on Linux writes each certificate listed in WEBSITE_LOAD_CERTIFICATES
        // to /var/ssl/private/<thumbprint>.p12 rather than into the CurrentUser\My store.
        var bytes = File.ReadAllBytes($"/var/ssl/private/{Configuration["WEBSITE_LOAD_CERTIFICATES"]}.p12");
        var certificate = new X509Certificate2(bytes);
        builder.AddSigningCredentials(certificate);
    }

I have been banging my head against the wall for hours until I found this info. Thank you!!!

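The loader below is an added example and is not code from this thread, from Microsoft or from the IdentityServer project. It packages the approach in berik-9043's answer into one place: on a Windows App Service the certificate named in `WEBSITE_LOAD_CERTIFICATES` is installed into `CurrentUser\My`, while on Linux it is written to `/var/ssl/private/<thumbprint>.p12` (that directory name is taken from the answer above). Before handing the certificate to `AddSigningCredentials` it performs the checks a practitioner wants when a token-signing key goes missing silently: the setting is present, the file or store entry exists, the certificate carries a private key, its thumbprint matches the configured one, and the validity window includes the current time. The class name, method names, the thumbprint normalisation and the `now` parameter are my own assumptions, not anything the page or the platform defines.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;

// Hypothetical helper (not part of the thread or of any Microsoft package).
public static class SigningCertificateLoader
{
    // Directory used by App Service on Linux, as reported in the answer above.
    private const string LinuxCertDir = "/var/ssl/private";

    // Resolves the signing certificate named in WEBSITE_LOAD_CERTIFICATES.
    // 'now' is injectable so the validity check can be exercised in tests.
    public static X509Certificate2 Load(IConfiguration configuration, Func<DateTimeOffset> now = null)
    {
        var thumbprint = NormalizeThumbprint(configuration["WEBSITE_LOAD_CERTIFICATES"]);
        if (string.IsNullOrEmpty(thumbprint))
            throw new InvalidOperationException(
                "WEBSITE_LOAD_CERTIFICATES is not set; there is no certificate to load.");
        if (thumbprint == "*")
            throw new InvalidOperationException(
                "WEBSITE_LOAD_CERTIFICATES is '*'; set it to the explicit thumbprint of the signing certificate.");

        var cert = RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
            ? LoadFromStore(thumbprint)
            : LoadFromFile(thumbprint);

        Validate(cert, thumbprint, (now ?? (() => DateTimeOffset.UtcNow))());
        return cert;
    }

    // Takes the first entry of a comma-separated list, strips whitespace and the invisible
    // U+FEFF character that copying a thumbprint from the portal sometimes introduces.
    public static string NormalizeThumbprint(string raw)
    {
        if (raw == null) return null;
        var first = raw.Split(',')[0];
        var cleaned = new string(first.Where(c => !char.IsWhiteSpace(c) && c != '\uFEFF').ToArray());
        return cleaned.ToUpperInvariant();
    }

    // Windows App Service: the platform installs the certificate into CurrentUser\My.
    private static X509Certificate2 LoadFromStore(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false so that an expired certificate is reported by Validate()
        // with a clear message instead of being silently skipped.
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0)
            throw new InvalidOperationException(
                $"No certificate with thumbprint {thumbprint} found in CurrentUser\\My.");
        return found[0];
    }

    // Linux App Service: the platform writes the PFX (no password) to /var/ssl/private/<thumbprint>.p12.
    private static X509Certificate2 LoadFromFile(string thumbprint)
    {
        var path = Path.Combine(LinuxCertDir, thumbprint + ".p12");
        if (!File.Exists(path))
            throw new InvalidOperationException(
                $"Certificate file {path} not found. Check that WEBSITE_LOAD_CERTIFICATES is set as an " +
                "App Service application setting (not only in appsettings.json) and restart the app.");
        return new X509Certificate2(File.ReadAllBytes(path));
    }

    // Rejects certificates that cannot actually sign tokens or are not the configured one.
    private static void Validate(X509Certificate2 cert, string expectedThumbprint, DateTimeOffset now)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"Certificate {cert.Thumbprint} has no private key and cannot sign tokens.");
        if (!string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"Loaded certificate {cert.Thumbprint} does not match configured thumbprint {expectedThumbprint}.");
        var notBefore = new DateTimeOffset(cert.NotBefore.ToUniversalTime());
        var notAfter = new DateTimeOffset(cert.NotAfter.ToUniversalTime());
        if (now < notBefore || now > notAfter)
            throw new InvalidOperationException(
                $"Certificate {cert.Thumbprint} is not valid at {now:u} (valid {notBefore:u} to {notAfter:u}).");
    }
}

// Usage in Startup.ConfigureServices, replacing the File.ReadAllBytes lines in the answer above:
// builder.AddSigningCredentials(SigningCertificateLoader.Load(Configuration));
```

Two things to verify on the App Service side: `WEBSITE_LOAD_CERTIFICATES` has to be an application setting on the App Service itself, because the platform reads it to decide which certificates to expose to the container; a value that lives only in a published appsettings.json has no effect on what appears under `/var/ssl/private`. And the thumbprint comparison is case-insensitive on purpose, since the portal shows it in upper case while file names and configuration values are frequently pasted in lower case.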
AndyWilkin-7744 answered

This works for Identity Server, but not for securing an API where one would do something like:

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = "Bearer";
    })
    .AddIdentityServerAuthentication("Bearer", options =>
    {
        options.Authority = "XXXX";
        options.RequireHttpsMetadata = false;
        options.ApiName = "XXXX";
        options.ApiSecret = "XXXX";
    });

The problem here is that there is no way to load the certificate yourself. I have got it working with a Windows-based Web API, but can't get it working with a Linux one.
