ABP framework 6.0.0 fails when deployed at Azure

Question

Trying to deploy ABP framework 6.0.0 AuthServer at Azure, after sucessful built and run locally.

Got "HTTP Error 500.30 - ASP.NET Core app failed to start"

When trying to get some logs, using Azure Debug Console at myproject.scm.azurewebsites.net/DebugConsole I got following:

C:\home\site\wwwroot>dotnet MyProject.AuthServer.dll
[19:52:57 INF] Starting MyProject.AuthServer.
[19:53:00 FTL] MyProject.AuthServer terminated unexpectedly!
Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
 ---> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access is denied.
   at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags)
   at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate(X500DistinguishedName subject)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate()
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
   at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   --- End of inner exception stack trace ---
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
   at MyProject.Program.Main(String[] args) in D:\a\1\s\aspnet-core\src\MyProject.AuthServer\Program.cs:line 35

This say nothing to me, and when Googling around, I hit this at abp.io website: https://support.abp.io/QA/Questions/3537/OpenIddict-WindowsCryptographicException-Access-is-denied

But I can´t figure out where I shall do the changes. It feels like this should be noted in the ABP.io docs?

Do you know what can cause this, or have some ideas what can be wrong?

Answer 1

I was having the same issue with having the same setup as you have with the exception of deploying to azure, but it should be the same solution.

Please check this SO question: WindowsCryptographicException: Access is denied when publishing app in Azure

The problem with OpenIddict (or rather, the goodness we're not used to) is that it is bare bones and you have to implement everything yourself.

OpenIddict must have a certificate in order to function on the server you're deploying to, and to have better security on top of whatever measures you're taking.

Basically what you will do is create a new self-signed certificate, upload it to cert store, add the thumbprint to the code and add it to one WEBSITE_LOAD_CERTIFICATES environment variable on said server.

You can add this environment variable to the code instead of hard-coding the thumbprint.

Here is a not-so-informative part of the abp.io documentation about the issue at hand: Abp.io doc

And here is what I did in the code:

I hope this helps.