Unable to set an X509 pfx cert to my document store when the web app runs on Azure App Service


Justin A

May 28, 2018, 7:49:58 AM5/28/18
to RavenDB - 2nd generation document database
Hi folks,

So I've got a simple Azure App Service ASP.NET Core 2.0 website.

I'm trying to get my document store to connect to a remote RavenDB (also on an Azure VM) by setting the documentstore.Certificate property. When I do this in the Azure App Service, it fails. When I do this _locally_ (as in, run the web app locally and it connects to the remote RavenDB) it works.

This is the main error I get: 

WindowsCryptographicException: The system cannot find the file specified

  • Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
  • Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
  • System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, string password, X509KeyStorageFlags keyStorageFlags)


So it's weird -> there's something about a FilterPFXStore ????

First, the two ways I've tried to load and set the cert:

- 1) Provide the file path: 

var clientCertificate = new X509Certificate2(pfxPath, pfxPassword);

*) File exists on Azure (I've confirmed this by also doing File.Exists(..) and manually creating the path using the environment.Webroot, etc. -and- also manually looking at the contents of the file system using the Kudu explorer (it has a built-in file explorer) and also the Azure console (one of the options for interactive console CLI stuff)).
*) Tried to provide a _BAD_ password and I (correctly) get a message about a bad password.
*) Tried to provide a _BAD_ filename and it failed to locate the file.

- 2) Provide some byte[] of the certificate.

var clientCertificate = new X509Certificate2(myDataAsBytes, pfxPassword);

*) Loaded the bytes, passed them in. This must mean that the data exists.


So - has anyone loaded up a certificate to connect to a DocumentStore on Azure App Services?

- it's me -

Oren Eini (Ayende Rahien)

May 28, 2018, 8:04:11 AM5/28/18
to ravendb

Hibernating Rhinos Ltd  

Oren Eini l CEO Mobile: + 972-52-548-6969

Office: +972-4-622-7811 l Fax: +972-153-4-622-7811

 



Justin A

May 28, 2018, 9:18:17 AM5/28/18
to RavenDB - 2nd generation document database
I started looking at those/similar Q&As (I had read the SO link before, but never the MS playground link)..

but they are all similar -> you 'install' a pfx and then magically retrieve it.

I've been trying to just push the pfx straight to the filesystem and then load it manually. Sure, it's probably better to have the pfx in Azure Vault etc. ... but why would the framework be complaining if the file is there and the password is right? It's like there's some weird permission missing (because App Service is locked down, etc.).

?

iftah

May 28, 2018, 10:48:34 AM5/28/18
to RavenDB - 2nd generation document database

Justin A

May 28, 2018, 11:29:30 AM5/28/18
to RavenDB - 2nd generation document database




OH MY GOSH! That was it!!  I still don't grok why it's trying to check a store, but yes, it worked!


For those googling ....


using System.Security.Cryptography.X509Certificates;

// Byte array: pass MachineKeySet so the private key is imported into the
// machine key store instead of the per-user store.
var clientCertificate = new X509Certificate2(certificateData,
                                pfxPassword,
                                X509KeyStorageFlags.MachineKeySet);

// File name: same flag, file-path overload (pick one of the two).
var clientCertificateFromFile = new X509Certificate2(pfxFileNameAndPath,
                                pfxPassword,
                                X509KeyStorageFlags.MachineKeySet);


This should definitely be documented some time. When I get some breathing room, I might try and send in a PR to the docs to get some of this added.
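A helper added here as an example (not code from the thread, from RavenDB or from Microsoft) that applies the MachineKeySet fix while checking in code the things Justin verified by hand (file present, password accepted, private key actually loaded) and wires the result into a RavenDB 4.x DocumentStore. The RAVEN_* environment variable names are assumptions standing in for App Service application settings.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Raven.Client.Documents;

public static class RavenClientCertificate
{
    // MachineKeySet imports the private key into the machine store. App
    // Service does not load the user profile by default, so the per-user
    // store the default flags need is missing, which surfaces as
    // "The system cannot find the file specified" from FilterPFXStore.
    public static X509Certificate2 Load(string pfxPath, string pfxPassword)
    {
        if (!File.Exists(pfxPath))
            throw new FileNotFoundException("PFX not found", pfxPath);
        X509Certificate2 cert;
        try
        {
            cert = new X509Certificate2(pfxPath, pfxPassword,
                X509KeyStorageFlags.MachineKeySet);
        }
        catch (CryptographicException ex)
        {
            // Wrong password and an unusable key store both arrive here;
            // wrap with the path so the App Service log says which file.
            throw new InvalidOperationException(
                $"Could not load client certificate from {pfxPath}", ex);
        }
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "PFX has no private key; RavenDB client auth needs one");
        return cert;
    }

    // Path, password and URL come from App Service application settings
    // (exposed as environment variables); RAVEN_* names are assumed here.
    public static IDocumentStore CreateStore()
    {
        var store = new DocumentStore
        {
            Urls = new[] { Environment.GetEnvironmentVariable("RAVEN_URL") },
            Database = Environment.GetEnvironmentVariable("RAVEN_DATABASE"),
            Certificate = Load(
                Environment.GetEnvironmentVariable("RAVEN_PFX_PATH"),
                Environment.GetEnvironmentVariable("RAVEN_PFX_PASSWORD"))
        };
        return store.Initialize();
    }
}
```

Keeping the PFX password in an application setting rather than in the repository also means the Kudu file explorer and console used above for debugging never show it next to the certificate file.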