Azure-App-Service / dotnetcore

appsvc image for dotnetcore

Cannot access certificate store #6

Open skolmer opened 7 years ago

skolmer commented 7 years ago

I already posted this on the azure feedback forums: https://feedback.azure.com/forums/169385-web-apps/suggestions/18668707--linux-allow-to-access-certicate-store-within-lin

Feel free to close this issue if it is better handled via the feedback forum.

Using certificates uploaded via the azure portal in a Linux based .NET core app is currently not possible. Normally you would do something like this to access those certificates (https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/):

using System;
using System.Security.Cryptography.X509Certificates;

using (var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
    certStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certCollection = certStore.Certificates.Find(
        X509FindType.FindByThumbprint,
        // Replace below with your cert's thumbprint
        "E661583E8FABEF4C0BEF694CBC41C28FB81CD870",
        false);
    // Get the first cert with the thumbprint
    if (certCollection.Count > 0)
    {
        X509Certificate2 cert = certCollection[0];
        // Use certificate
        Console.WriteLine(cert.FriendlyName);
    }
}

In .NET Core 1.1 apps this is not working as expected: the X509Store certificates collection is always empty. Maybe I'm just missing a configuration setting, but I already tried everything described in the blog post above.

naziml commented 7 years ago

@skolmer The AppService feature that lets you upload certs on the portal and have them be available to your app in the cert store is not there for WebApps on Linux yet. Because we launch the dotnetcore docker image, which obviously won't have any certs in it, we have to pass the certs when we do docker run, through something like an environment variable. But once we do that, I would still need to figure out what location and format these certs need to go to for dotnetcore to pick them up in X509CertStore. Let me ping someone on that and get back to you.

skolmer commented 7 years ago

@naziml Thank you for your feedback. Is this the right place to post info about limitations I run into while working with Azure App Service on Linux, or should I use the feedback forums? I'm currently building an API that should run on this platform in the future, and it would be nice to have a place where I can track the status of features that are not there yet or not working as expected. I know Linux App Services are still in preview and not everything is implemented yet, so I will try to post only those things I couldn't find any official information about online.

ahmedelnably commented 7 years ago

@skolmer you can definitely use the feedback forums, also you can comment on our FAQ Article, and we will reply and also add these limitations/questions in the article to share it with everyone.

adriangarzas commented 6 years ago

@naziml do you know if this feature is available now?

shoshins commented 5 years ago

@naziml and what about now? :)

metoule commented 4 years ago

It's now possible (see https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code#load-certificate-in-linux-apps):

Load certificate in Linux apps The WEBSITE_LOAD_CERTIFICATES app settings makes the specified certificates accessible to your Linux hosted apps (including custom container apps) as files. The files are found under the following directories:

Private certificates - /var/ssl/private ( .p12 files) Public certificates - /var/ssl/certs ( .der files)

and the C# code:

using System.IO;
using System.Security.Cryptography.X509Certificates;

var bytes = File.ReadAllBytes("/var/ssl/certs/<thumbprint>.der");
var cert = new X509Certificate2(bytes);

dodgyKnee73 commented 4 years ago

It's now possible (see https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code#load-certificate-in-linux-apps):

Load certificate in Linux apps The WEBSITE_LOAD_CERTIFICATES app settings makes the specified certificates accessible to your Linux hosted apps (including custom container apps) as files. The files are found under the following directories: Private certificates - /var/ssl/private ( .p12 files) Public certificates - /var/ssl/certs ( .der files)

and the C# code:

var bytes = File.ReadAllBytes("/var/ssl/certs/<thumbprint>.der");
var cert = new X509Certificate2(bytes);

I have uploaded a public certificate to a linux hosted function app, set the WEBSITE_LOAD_CERTIFICATES app setting to the thumbprint of the certificate but no certificates have been added to /var/ssl/certs. The actual directory does not exist. Followed the documentation here: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate#upload-a-public-certificate and here: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code#make-the-certificate-accessible

Is there a way to validate that these steps have worked over and above what is documented here, should I be able to browse to /var/ssl/certs and see my certificate ?
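An added example (not code from the thread, the docs, or this repo) covering both the loading snippet above and the "did it work?" question: it loads a certificate from the /var/ssl paths the docs quote, verifies the file really holds the expected thumbprint rather than trusting the file name, and reports what the platform actually mounted. It assumes the .p12 files App Service writes have no password.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example for App Service on Linux; assumes WEBSITE_LOAD_CERTIFICATES
// lists the thumbprint (or "*") and that the .p12 has no password.
static class AppServiceLinuxCerts
{
    const string PublicDir = "/var/ssl/certs";    // <thumbprint>.der, public part only
    const string PrivateDir = "/var/ssl/private"; // <thumbprint>.p12, includes private key

    public static X509Certificate2 Load(string thumbprint, bool withPrivateKey)
    {
        thumbprint = thumbprint.Replace(" ", "").ToUpperInvariant();
        string path = withPrivateKey
            ? Path.Combine(PrivateDir, thumbprint + ".p12")
            : Path.Combine(PublicDir, thumbprint + ".der");

        if (!File.Exists(path))
            throw new FileNotFoundException(
                $"No certificate at {path}; check WEBSITE_LOAD_CERTIFICATES and the upload.", path);

        // Keep the key in memory only; nothing is written to a per-user key store.
        var cert = withPrivateKey
            ? new X509Certificate2(path, string.Empty, X509KeyStorageFlags.EphemeralKeySet)
            : new X509Certificate2(File.ReadAllBytes(path));

        // Defensive check: compare the real thumbprint, not just the file name.
        if (!string.Equals(cert.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"{path} holds {cert.Thumbprint}, expected {thumbprint}");
        if (withPrivateKey && !cert.HasPrivateKey)
            throw new InvalidOperationException($"{path} has no private key");
        return cert;
    }

    // Diagnostic: print the app setting and every file the platform mounted.
    public static void Report()
    {
        Console.WriteLine("WEBSITE_LOAD_CERTIFICATES = "
            + (Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES") ?? "<unset>"));
        foreach (var (dir, pattern) in new[] { (PublicDir, "*.der"), (PrivateDir, "*.p12") })
        {
            if (!Directory.Exists(dir)) { Console.WriteLine($"{dir}: missing"); continue; }
            foreach (var f in Directory.EnumerateFiles(dir, pattern))
                Console.WriteLine($"{f}: {new X509Certificate2(f).Subject}");
        }
    }
}
```

Call AppServiceLinuxCerts.Report() from a startup log or a health endpoint to see whether the setting was applied before calling Load(); a missing /var/ssl/certs directory means no certificate was mounted at all.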