stale[bot]
commented
5 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contribution. Note that acs-engine is deprecated--see https://github.com/Azure/aks-engine instead.
Is this a request for help?:
No
Is this an ISSUE or FEATURE REQUEST? (choose one):
ISSUE
What version of acs-engine?:
v0.25.3
Orchestrator and version (e.g. Kubernetes, DC/OS, Swarm)
Kubernetes
What happened:
Cannot load an SSL certificate from disk using X509Certificate2. For example
Where store is either X509KeyStorageFlags.UserKeySet or X509KeyStorageFlags.MachineKeySet
What you expected to happen:
A certificate created. What happens is an exception is thrown "An internal error occurred".
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know:
The problem is that this method wants to use the user or machine certificate store to store the private key. See this SO question: https://stackoverflow.com/questions/1345262/an-internal-error-occurred-when-loading-pfx-file-with-x509certificate2. Apparently neither the user store nor the machine store is available in the pod where this container runs. This same container will run fine on a Windows 1803 VM.
Here is another key bit of information: my container is built based on microsoft/dotnet:2.1-aspnetcore-runtime-nanoserver-1803. As it turns out if I build the container based on the full .NET framework, microsoft/dotnet-framework:4.7.2-runtime, everything is fine.
But obvious I want to use nanoserver rather than full .NET. Again, my container built on nanoserver works fine on Azure Windows 1803 VM. Why not in k8s windows host? Perhaps this is a question best asked in k8s forum, but that is a pure Linux crowd and will get nothing. I'm hoping for better here.