Reputation: 11364
The system cannot find the file specified - azure key vault certificate
I have added a pfx certificate in azure key vault.
I have one asp.net web api application where through one of the endpoint I am trying to access certificate information from key vault.
public class ValuesController : ControllerBase { public async Task<string> Get() { AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secret = await keyVaultClient.GetSecretAsync("<certificateSecretIdentifier>").ConfigureAwait(false); X509Certificate2 certificateWithPrivateKey = new X509Certificate2(Convert.FromBase64String(secret.Value)); return certificateWithPrivateKey.FriendlyName; } }I am using Azure Managed Identity and everything configured correctly.
When I am running the web app in local IIS express, there is NO error and endpoint giving me desired result.
Now when I am publishing the web app over azure and app service app and trying to call the endpoint, getting this error,
I have added my app service app with azure key vault's access policies (get, list), please suggest what could be the reason?
2020-07-08 03:20:48.986 +00:00 [Error] Microsoft.AspNetCore.Server.IIS.Core.IISHttpServer: Connection ID "16717361818409901973", Request ID "80001f98-0000-e800-b63f-84710c7967bb": An unhandled exception was thrown by the application. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified. at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags) at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] data) at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData) at Gateway.Controllers.ValuesController.Get() in C:\Work\AzureAdAuth\Gateway\Controllers\ValuesController.cs:line 26 at lambda_method(Closure , Object ) at Microsoft.Extensions.Internal.ObjectMethodExecutorAwaitable.Awaiter.GetResult() at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask
1 actionResultValueTask) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|19_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker) at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger) at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Server.IIS.Core.IISHttpContextOfT1.ProcessRequestAsync()
Upvotes: 26
Views: 8748
Answers (1)
Reputation: 20127
Reading PFX requires the user profile to be loaded. When we added WEBSITE_LOAD_CERTIFICATES, it basically results in loading the profile on the background and hence we could read the PFX from the filesystem.
ASP.NET and ASP.NET Core on Windows must access the certificate store even if you load a certificate from a file. To load a certificate file in a Windows .NET app, add WEBSITE_LOAD_USER_PROFILE=1 option into the application's settings.
For more details, you could refer to this article.
Upvotes: 53
Related Questions
- "Key vault reference error" in azure web app configuration setting
- ASP.Net WebApi Key Vault configBuilders fail to process
- Error : No such host is Known in Asp.net Core Application while configuring Azure key vault
- Unable to import key vault certificate to app service - Failed to get App Service Service principal details
- Azure Key Vault Certificate: the key was not found
- Can't use azure key vault ('New-AzureKeyVault' is not recognized) ('keyvault' is not an azure command)
- Azure Key Vault: Secret not found error
- Cannot find Certificate - Azure .NET Core App
- Azure Key Vault - AADSTS70001: Application with identifier "xxx" was not found in the directory "xxx"
- Microsoft.Azure.KeyVault.KeyVaultClientException :Service Error information was not available