I looked around IdentityServer4 official GitHub for configuring signing credential (certificate) for production, but i can't find any example. Specific thing for my environment is that it runs on Docker, so i need a cert to be generated in runtime for Linux machine, and then used for validating tokens.
In development mode i use AddDeveloperSigninCertificate helper in Startup.cs and it does the job, but i need a cert for production.
Did anyone have same issue?
Thanks!
Related
I'm in the process of implementing IdentityServer4 into my ASP.NET Core web application, which will be deployed to a Kubernetes cluster using Continuous Deployment.
The documentation talks about adding signing credentials (AddSigningCredential) and most tutorials/guides demonstrate how to use this by loading a .pfx file from the file system, or by using the local certificate store and searching by the subject name.
Is there a commonly accepted way of storing, retrieving and rotating the signing credentials when deployed to a Kubernetes cluster with minimal intervention?
I think using a secret is the best option in Kubernetes.
K8s have a secret kind that can be deployed with other ressource, here is a link to the official doc: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/
Or you could also use another secret manager , like Vault.
If I am not mistaken , I think it's the best practice.
I have two client certificates that I have installed for my API project in the Azure portal. I have set the config option to enable them and can verify that they can both be found in the CurrentUser 'My' store. My problem is now that one of them is failing validation. On my local machine I have this cert installed in the Trusted People store of LocalMachine. Is there anything I can with Azure to make this work?
Is the location of the cert the issue or is it possibly something with the certificate itself?
**Note that this is an app service, not a cloud service
There are few things you can check, In Azure check in the app settings whether you have added your certificate. Its in the SSL section of you Azure app.
Another workaround would be where you are configuring your Token Authentication, you could set this settings.
For e.g. In my case, I was getting X509 Certificate error.
I added this code in my project.
System.IdentityModel.Configuration.IdentityConfiguration config = new System.IdentityModel.Configuration.IdentityConfiguration();
config.CertificateValidator = X509CertificateValidator.None;
config.CertificateValidationMode = X509CertificateValidationMode.None;
Basically turn off your validation. Most of the times, what happens is your local machine as all the certificates installed by an IT Operation person, but Those certificates are not on Azure.
You can check here for some reference as well. Microsoft Certificate Reference
We are trying to integrate Xero API in our web system, however, we are experiencing a particular problem which has not been responded at Xero forum pages, therefore, I had no choice to share it here.
It is a partner application integration and it requires to have some certain files & password within the software.
We have generated the .p12 and pfx files and addressed in the configuration file.
We have downloaded the wrapper solution from Github which is officially supported by Xero and all we did is to change the settings in the configuration file and run the Console App which is named "Xero.Api.Example.Counts" and OAuthTokens.css class throws an exception which is IIS 7.5 Detailed Error - 403.7 - Forbidden.
This response is generated from Xero API and we can retrieve more information in detail as "The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes"
The certificates are confirmed by Xero and we are using the correct Consumer Key & Secret in the configuration file.
We have also tried some other simple solution which does talk to Xero API using the partner application that has got the same result.
Is there any advise that you can share with us? Thank you
Install the certificates on your client machine and then use them.
For Partner Application of Xero, you need
Xero Entrust Certificate - Called Partner Certificate (issues by Xero)
and Signing Certificate - Generated by yourself and registered with Xero.
The Client Machine where you are trying to connect, you need to install these certificates in the Certificate Store.
If it is Windows, you can find instructions to install certificates over here:
Instructions
I have a reverse proxy that authenticates users using SSL Client Side certificates. I am trying to make Sonar V4 use the credentials that are passed in by the certificate from the reverse proxy. However, I haven't had much luck so far with Sonar.
However, I did get this working with Jenkins and Trac already.
Couldn't find one out there. So I just made my own over a few days.
https://github.com/trajano/reverse-proxy-auth-sonar-plugin
Personally wasn't too thrilled to have to resort to dealing with Ruby on Rails within a Java app and learning the current API on the fly, but it seemed to work since the authentication is managed by Ruby on Rails rather than Java.
I'm currently working on an automated deployment process for a hosted service for Windows Azure. The creation of the .cspkg and .cscfg files works perfectly using a call to msbuild. Now I'm writing a small .NET console app that should deploy these files to Azure using the Management REST API.
There is no problem concerning the API itself. I can send a request to the API using one of my management certificates. I upload the .cspkg file to Azure BLOB Storage and then try to call Upgrade Deployment. But every time I try, I get a "400 Bad Request" response stating that the certificate with thumbprint xy was not found. This certificate is the SSL certificate (not a management certificate) I'm using for HTTPS for my custom domain (DNS CNAME).
And now, the whole thing gets interesting:
When I deploy the files using the "Publish" command in my Visual Studio, there is no problem. (I compared the .cscfg/.cspkg files from VS and from my msbuild output: apart from a few GUIDs, they're identical). And furthermore, using the Silverlight Management thingy in my browser, I can even upload my generated files that could not be uploaded using the API.
When I retrieve a list of all certificates using the List Certificates call, the certificate which is said to be missing is apparently there. I can also retrieve its data using the Get Certificate call.
So why does Azure keep telling me that the certificate was not found when using the Upgrade Deployment call? Did anyone experience something similar? Has anyone the hint for me? Thanks in advance.
P.S.: This is what Azure says when I use the API:
<Error xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<Code>BadRequest</Code>
<Message>The certitficate with thumbprint 7b232c4a2d6e3deadbeef120d5dbc1fe8049fbea was not found.</Message>
</Error>
P.P.S.: Yes, the word in the response is certitficate, not certificate.
OK, after using the List Subscription Operations API call to find out what Visual Studio calls to deploy apps, I found the solution.
Turns out that the URL I used for the API request was wrong, but: with all due respect, I blame Microsoft for lousily documenting its Azure Management API.
In their documentation, they write the URL to use is:
https://management.core.windows.net/<subscription-id>/services/hostedservices/<service-name>/deploymentslots/<deployment-slot>/?comp=upgrade
And the description is the following:
To generate the request URI, replace <subscription-id> with your subscription ID, <service-name> with the name of your service, <deployment-slot> with staging or production, and <deployment-name> with the unique name of your deployment.
What they forgot to mention is, that you have to use the DNS Name of your service, and not the Name! They could at least return an appropriate error message telling you that the service name is invalid, non-existent or doesn't belong to your subscription ID, instead of complaining about some certificate issue.
Thank you Microsoft, that cost me more than two days.
The error indicates that you have not uploaded that certificate into the hosted service's secret store. Visual Studio might be doing that automagically for you, but if you want to replicate it programmatically, then use the Add Certificate API call and upload the PFX into the deployment.
You can see '400 BadRequest - The certificate with thumbprint XYZ was not found.' appear in the CreateDeployment or UpgradeDeployment scenario for the following reason (which I just debugged):
You use the same certificate for subscription management as you do for e.g. SSL or Remote Desktop password encryption in your hosted service. You therefore will use the certificate with thumbprint XYZ to authenticate your service management REST call that creates the deployment.
When specifying your deployment parameters you pass in your CSCFG which references that same cert by its thumbprint, because it needs to configure Remote Desktop/SSL etc.
That cert is not yet added to your hosted service certs.
In this case the 400 Bad Request error really is telling you that you have a bad request, because the certificate in your CSCFG is not yet attached to your hosted service. The confusion arises (for me) because, since its a multi purpose cert, you misinterpret the error message as referring to the authentication of the request, even though you are not getting 401.