
At the moment I have a web app that works in development mode, but I am trying to make it work with a self-signed certificate in a Linux Web App in Azure. I have already uploaded the .pfx file to Azure and loaded it into the container by setting the WEBSITE_LOAD_CERTIFICATES application setting. At first I tried using the certificate store; however, this does not work on Linux.

Instead, I have already found the file it is uploaded to (a .p12 file); however, when I try to load the certificate manually I get the error "error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure", which seems to be a password problem, but I have verified the password is correct multiple times.

A post here has the method of generating the self-signed keys using openssl, and shows the same issue.

Note: Loading the certificate works on both Windows and Ubuntu, just not in the Linux Web App in Azure.

Jamie Mair
  • What does your code look like that adds the signing keys? – Tore Nestenius Aug 07 '20 at 16:27
  • When I tried to load it from a file:

        var cryptBytes = System.IO.File.ReadAllBytes($"/var/ssl/private/{Configuration["WEBSITE_LOAD_CERTIFICATES"]}.p12");
        var cert = new X509Certificate2(cryptBytes, Configuration["CERT_PASSWORD"]);
        services.AddIdentityServer()
            .AddSigningCredential(cert)
            .AddApiAuthorization();

    – Jamie Mair Aug 09 '20 at 10:03
  • When I tried to let IdentityServer find and load the cert:

        Configuration["IdentityServer:Key:Type"] = "File";
        Configuration["IdentityServer:Key:FilePath"] = $"/var/ssl/private/{Configuration["WEBSITE_LOAD_CERTIFICATES"]}.p12";
        Configuration["IdentityServer:Key:Password"] = Configuration["CERT_PASSWORD"];
        services.AddIdentityServer()
            .AddApiAuthorization();

    Apologies for the bad formatting. – Jamie Mair Aug 09 '20 at 10:05

2 Answers


In order to get around this, I used the certificate created through Azure with the "Create App Service Managed Certificate" option. The password supplied when loading the certificate is just an empty string ("").

Jamie Mair

For me, the solution for an IdentityServer4 hosted on Linux in Azure was in this GitHub issue: https://github.com/IdentityServer/IdentityServer4/issues/4000

The method AddApiAuthorization() overwrites the AddSigningCredential()!

Furthermore, you have to specify the IssuerUri:

  services.AddIdentityServer(options =>
  {
      options.IssuerUri = "https://your.azurewebsites.net/";
  })
Flow
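The following is an added example, not code from the question or either answer, that puts the two points of this answer together in one ConfigureServices: the issuer is pinned with IssuerUri, and the signing certificate loaded from /var/ssl/private is handed to the ApiAuthorization package through its own ApiAuthorizationOptions.SigningCredential hook instead of a separate AddSigningCredential call, so there is no second ISigningCredentialStore registration for AddApiAuthorization to overwrite. Assumptions: WEBSITE_LOAD_CERTIFICATES holds the uploaded certificate's thumbprint, the container exposes the file as /var/ssl/private/<thumbprint>.p12 (the path the question uses), CERT_PASSWORD holds the export password (empty for an App Service Managed Certificate, per the first answer), and ApplicationUser / ApplicationDbContext are the ASP.NET Core template's identity types. The host name is a placeholder.

```csharp
// Added example; not the original post's code. See the lead-in for assumptions.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Fail at startup with a readable message rather than at first token request.
        var cert = LoadSigningCertificate(Configuration);

        services.AddIdentityServer(options =>
            {
                // Pin the issuer; behind the App Service front end the scheme/host
                // seen by Kestrel is not necessarily what clients see.
                options.IssuerUri = "https://your.azurewebsites.net/"; // placeholder host
            })
            // ApplicationUser / ApplicationDbContext: the template's types (assumption).
            .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(apiOptions =>
            {
                // AddApiAuthorization registers its own signing credential store and
                // fills it from ApiAuthorizationOptions, so set the credential here
                // rather than via a competing AddSigningCredential registration.
                apiOptions.SigningCredential = new SigningCredentials(
                    new X509SecurityKey(cert), SecurityAlgorithms.RsaSha256);
            });
    }

    // Resolves the App Service certificate path the same way the question does.
    public static X509Certificate2 LoadSigningCertificate(IConfiguration config)
    {
        var thumbprint = config["WEBSITE_LOAD_CERTIFICATES"]
            ?? throw new InvalidOperationException("WEBSITE_LOAD_CERTIFICATES is not set");

        var path = Path.Combine("/var/ssl/private", $"{thumbprint}.p12");
        if (!File.Exists(path))
            throw new FileNotFoundException($"Certificate not found at {path}", path);

        // Managed certificates are exported with an empty password (first answer).
        var password = config["CERT_PASSWORD"] ?? string.Empty;

        try
        {
            // EphemeralKeySet: keep the private key in memory; there is no
            // per-user key store to persist into inside the Linux container.
            return new X509Certificate2(path, password, X509KeyStorageFlags.EphemeralKeySet);
        }
        catch (CryptographicException ex)
        {
            // OpenSSL's "PKCS12_parse:mac verify failure" surfaces here; it means the
            // password does not match this particular file, not that the file is corrupt.
            throw new InvalidOperationException(
                $"Could not open {path}; check that CERT_PASSWORD matches the password the .pfx was exported with.", ex);
        }
    }
}
```

If the certificate is also needed for token validation (the discovery document's JWKS), keep the single credential above; ApiAuthorization publishes the key it was given as the validation key, so nothing further has to be registered.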