0

I deploy the ASP.NET Angular SPA template RC2 app with the Identity Server option on my local IIS server. I get below exception. IIS can't access my local certification info.

Application: w3wp.exe
CoreCLR Version: 6.0.21.52210
.NET Version: 6.0.0
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException: Couldn't find a valid certificate with subject 'CN=my-subdomain.azurewebsites.net' on the 'CurrentUser\My'
   at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.SigningKeysLoader.LoadFromStoreCert(String subject, String storeName, StoreLocation storeLocation, DateTimeOffset currentTime)
   at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.ConfigureSigningCredentials.LoadKey()
   at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.ConfigureSigningCredentials.Configure(ApiAuthorizationOptions options)
   at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
   at Microsoft.Extensions.Options.UnnamedOptionsManager`1.get_Value()
   at Microsoft.Extensions.DependencyInjection.IdentityServerBuilderConfigurationExtensions.<>c.<AddClients>b__8_1(IServiceProvider sp)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSiteMain(ServiceCallSite callSite, TArgument argument)

I created a certificate via

New-SelfSignedCertificate -DnsName "my-subdomain.azurewebsites.net" -CertStoreLocation "cert:\CurrentUser\My"

I set my appsettings.json as

  "IdentityServer": {
    "Key": {
      "Type": "Store",
      "StoreName": "My",
      "StoreLocation": "CurrentUser",
      "Name": "CN=my-subdomain.azurewebsites.net"
    },
    "Clients": {
      "MarketPlace": {
        "Profile": "IdentityServerSPA"
      }
    }

When I publish this site with the same configuration as folder publish, it works properly. How can I fix the IIS error so it can access the certificate?

Huseyin
  • 23
  • 3
  • Please use local machine's My store for such certificates. That's the usual place. – Lex Li Nov 12 '21 at 18:12
  • please verify the Certificate on the server where it is being installed, Navigate to IIS -> Server Certificate -> Select The Certificate Details (Issuer Name). – samwu Nov 14 '21 at 07:38
  • I imported my certificate to the IIS server certificates section. I used the certificate Subject name. And I also created Self Signed Certificate and I tried to use this again. Both didn't work. I tried to give also IIS APPPOOL\DefaultAppPool and my local users' permission from the local certificates management (Microsoft Management Console) Manage Private Keys tab. But the result didn't change. – Huseyin Nov 15 '21 at 15:11
  • It is difficult to reproduce your problem, I suggest you open a case via: https://support.microsoft.com. – samwu Nov 17 '21 at 09:52

1 Answers1

0

I had a similar issue with .NetCore web API (.NetCore 5.0) implemented using CLEAN architecture (CQRS pattern), I needed 2 certificates to run my application.

  1. CA issued certificate for external communication outside the scope of the Application Level
  2. Self-Signed for communication within the Application Level, for example, communication with other services/class library services or maybe to DB. (For internal communication app will look for a certificate created at the Domain level or Server level)

So in the app setting production JSON, we need to point to a self-signed certificate, while publishing in the application in IIS we need to select CA issued certificate from the SSL Certificate dropdown in "Edit Binding" screen.

point 1: CA issued certificate shall be imported to IIS. point 2: while self-signed shall be present in MMC, personal or root or web hosting, In local machine or current user, the same shall be referred in app setting production JSON.

Clean Architecture: https://github.com/jasontaylordev/CleanArchitecture

Ranjith Gowda
  • 33
  • 6