Reputation: 265
Why can't Azure App Service find my GoDaddy certificate?
I have an Azure App Service running a .NET Core 3.1 application, using IdentityServer4 for authentication.
My appsettings.json file looks like this:
...
"IdentityServer": {
"Clients": {
"MyApp": {
"Profile": "IdentityServerSPA"
}
},
"Key": {
"Type": "Store",
"StoreName": "My",
"StoreLocation": "CurrentUser",
"Name": "CN=mydomain.com"
}
},
...
I created a certificate via GoDaddy with the following (fake) values:
- Thumbprint:
my-thumbprint - Subject Name:
app.mydomain.com,www.app.mydomain.com
This certificate was uploaded to my App Service as a private key certificate, and also stored in Azure Key Vault (during the custom domain binding configuration).
In my App Service Configuration settings, I have the following set:
WEBSITE_LOAD_CERTIFICATES:my-thumbprintIdentityServer__Key__Name:CN=app.mydomain.com,www.app.mydomain.com
My app fails to start. Starting the Azure App Service console and running the command
dotnet myapp.dll
results in the following stacktrace:
Unhandled exception. System.InvalidOperationException: Couldn't find a valid certificate with subject 'CN=app.addtheand.com,www.app.addtheand.com' on the 'CurrentUser\My'
at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.SigningKeysLoader.LoadFromStoreCert(String subject, String storeName, StoreLocation storeLocation, DateTimeOffset currentTime)
at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.ConfigureSigningCredentials.LoadKey()
at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.ConfigureSigningCredentials.Configure(ApiAuthorizationOptions options)
at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
at Microsoft.Extensions.Options.OptionsManager`1.<>c__DisplayClass5_0.<Get>b__0()
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
at System.Lazy`1.CreateValue()
at System.Lazy`1.get_Value()
at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
at Microsoft.Extensions.Options.OptionsManager`1.Get(String name)
at Microsoft.Extensions.Options.OptionsManager`1.get_Value()
at Microsoft.Extensions.DependencyInjection.IdentityServerBuilderConfigurationExtensions.<>c.<AddClients>b__7_1(IServiceProvider sp)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitFactory(FactoryCallSite factoryCallSite, RuntimeResolverContext context)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSiteMain(ServiceCallSite callSite, TArgument argument)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitCache(ServiceCallSite callSite, RuntimeResolverContext context, ServiceProviderEngineScope serviceProviderEngine, RuntimeResolverLock lockType)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitRootCache(ServiceCallSite singletonCallSite, RuntimeResolverContext context)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSite(ServiceCallSite callSite, TArgument argument)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitConstructor(ConstructorCallSite constructorCallSite, RuntimeResolverContext context)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSiteMain(ServiceCallSite callSite, TArgument argument)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitDisposeCache(ServiceCallSite transientCallSite, RuntimeResolverContext context)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSite(ServiceCallSite callSite, TArgument argument)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitConstructor(ConstructorCallSite constructorCallSite, RuntimeResolverContext context)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSiteMain(ServiceCallSite callSite, TArgument argument)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitDisposeCache(ServiceCallSite transientCallSite, RuntimeResolverContext context)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSite(ServiceCallSite callSite, TArgument argument)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.Resolve(ServiceCallSite callSite, ServiceProviderEngineScope scope)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.DynamicServiceProviderEngine.<>c__DisplayClass1_0.<RealizeService>b__0(ServiceProviderEngineScope scope)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngine.GetService(Type serviceType, ServiceProviderEngineScope serviceProviderEngineScope)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngineScope.GetService(Type serviceType)
at Microsoft.AspNetCore.Builder.IdentityServerApplicationBuilderExtensions.TestService(IServiceProvider serviceProvider, Type service, ILogger logger, String message, Boolean doThrow)
at Microsoft.AspNetCore.Builder.IdentityServerApplicationBuilderExtensions.Validate(IApplicationBuilder app)
at Microsoft.AspNetCore.Builder.IdentityServerApplicationBuilderExtensions.UseIdentityServer(IApplicationBuilder app, IdentityServerMiddlewareOptions options)
What am I missing?
My app runs as expected in DEV mode, which uses the IdentityServer configuration in appsettings.json without modification, loading/using a different self-signed certificate.
UPDATE
I checked if the certificate was loaded to the App Service machine, and it wasn't found.
Steps to find this:
- From the App Service in the Azure portal, start kudo
- In kudo, select Debug Console -> Powershell
- Run the following command:
dir cert:\localmachine\my
UPDATE 2
Since I'm trying to load the cert via CurrentUser, I instead ran the following command in the powershell terminal: dir cert:\CurrentUser\My, finding that the Subject didn't match what I saw in the Azure portal.
- SUBJECT IN PORTAL:
app.mydomain.com,www.app.mydomain.com - SUBJECT IN OUTPUT:
CN=app.mydomain.com, OU=Domain Co...
Upvotes: 1
Views: 433
Answers (1)
Reputation: 265
Following up on Update 2...
The mismatch in Subject that I was seeing in the Azure Portal when viewing the certificate via the UI versus what I was seeing when running the dir cert:\CurrentUser\my command via kudo's Powershell console was the source of my problem.
To fix, I changed my configuration value for IdentityServer__Key__Name from the subject according to the Portal UI:
CN=app.mydomain.com,www.app.mydomain.com
to the subject according to the command above:
CN=app.mydomain.com, OU=Domain Control Validated
Upvotes: 1
Related Questions
- Azure SSL Certificate
- Create App Service Managed Certificates says success, but certificate does not appear
- Azure App Service Certificate - Failure to Auto-Renew
- Failed to create App Service Managed Certificate
- Azure app service: Cannot find the certificate in X509Store(StoreName.My, StoreLocation.CurrentUser)
- Azure App Service "Could not find service certificate" when it is there
- Azure App Services - Can't find certificate by thumbprint
- Certificate not found on Azure Web App (Loaded on some instance but not others)
- Certificate not found on Azure Web App