RickardPettersson / swish-api-csharp

Swish For Merchant API Client .Net Standard Library
MIT License
29 stars 14 forks source link

Problem with opening cert store in IIS - works in IIS Express #24

Closed shogedal closed 1 year ago

shogedal commented 2 years ago

I run my IIS app pool with the ApplicationPoolIdentity and it cannot open the store in PrepareHttpClientAndHandler():

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access is denied. at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags) at SwishApi.Client.PrepareHttpClientAndHandler(HttpClientHandler& handler, HttpClient& client)

If I don't bother storing the "root certificates" I cannot communicate at all:

Authentication failed because the remote party sent a TLS alert HandshakeFailure

Does anyone have any other plan than to add the "root certs" to the intermediate certificate store of "local computer"?

RickardPettersson commented 2 years ago

Sounds not good but if you try the new code that now exist where you put in the certificate as a stream and set UseMachineKeySet on the ClientCertificate object then its not using the store instead loading the cert from stream and then use the password passed in the ClientCertificate object.

Not sure if it going to work but its newest code fix for Azure problem that i not tested yet by my self.

shogedal commented 2 years ago

I haven't upgrade to the latest version in my project, but I changed PrepareHttpClientAndHandler to just do this

            var cert = new X509Certificate2(_certificate.Content, _certificate.Password, X509KeyStorageFlags.MachineKeySet);
            handler.ClientCertificates.Add(cert);

And it still doesn't work unless the "root certs" are in place.

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'HandshakeFailure'. ---> System.ComponentModel.Win32Exception (0x80090326): Det mottagna meddelandet var oväntat eller felaktigt formaterat. --- End of inner exception stack trace

RickardPettersson commented 2 years ago

Tested to run latest code?

shogedal commented 2 years ago

Unfortunately I have not had the time, but I finally got my Web Hotel to fix the "load user profile" issue that was still to fix. Previously the imported the SEB certificates to the cert store, but that wasn't enough. We're up and running, so I will not take time to elaborate further right now.

Vänligen, Stefan Hogedal

+46 704-456560

Om meddelandet känns kort eller obegripligt kan det bero på att det författades på en Samsung A52a.

Hämta Outlook for Androidhttps://aka.ms/AAb9ysg


From: Rickard Pettersson @.> Sent: Thursday, October 20, 2022 10:57:22 AM To: RickardPettersson/swish-api-csharp @.> Cc: Stefan Hogedal @.>; Author @.> Subject: Re: [RickardPettersson/swish-api-csharp] Problem with opening cert store in IIS - works in IIS Express (Issue #24)

Tested to run latest code?

— Reply to this email directly, view it on GitHubhttps://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRickardPettersson%2Fswish-api-csharp%2Fissues%2F24%23issuecomment-1285176421&data=05%7C01%7C%7C4a12782062184d14bcc308dab2791a17%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638018530455295717%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=wrjKttYrbpfhMTqxX0Sa%2BEyzy9goSZti12J05akdWSw%3D&reserved=0, or unsubscribehttps://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAXWEPQTSBJCBS46GOFT5WVDWEECPFANCNFSM6AAAAAAQXWNTYU&data=05%7C01%7C%7C4a12782062184d14bcc308dab2791a17%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638018530455295717%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=LLUJIskNoLQQVWqAgI8ZRsw%2BiJisebr4txDi%2BccCwFs%3D&reserved=0. You are receiving this because you authored the thread.Message ID: @.***>

linus-dev commented 2 years ago

I haven't upgrade to the latest version in my project, but I changed PrepareHttpClientAndHandler to just do this

            var cert = new X509Certificate2(_certificate.Content, _certificate.Password, X509KeyStorageFlags.MachineKeySet);
            handler.ClientCertificates.Add(cert);

And it still doesn't work unless the "root certs" are in place.

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'HandshakeFailure'. ---> System.ComponentModel.Win32Exception (0x80090326): Det mottagna meddelandet var oväntat eller felaktigt formaterat. --- End of inner exception stack trace

Hi,

I have the same issue as you. Could you please explain a bit more how you solved it? And by "root certs", is this the cert I get from swish called "Swish_TLS_RootCA.pem"? Also, what web hotel do you use? Thanks!

shogedal commented 2 years ago

I struggled a lot with my Web hotel Loopia and "googling". In the end I think that not only did I need the two SEB certificates installed on the server but also having them fix the apppool to use an account with a profile.

Vänligen, Stefan Hogedal

+46 704-456560

Om meddelandet känns kort eller obegripligt kan det bero på att det författades på en Samsung A52a.

Hämta Outlook for Androidhttps://aka.ms/AAb9ysg


From: linus-dev @.> Sent: Wednesday, November 30, 2022 7:02:00 PM To: RickardPettersson/swish-api-csharp @.> Cc: Stefan Hogedal @.>; Author @.> Subject: Re: [RickardPettersson/swish-api-csharp] Problem with opening cert store in IIS - works in IIS Express (Issue #24)

I haven't upgrade to the latest version in my project, but I changed PrepareHttpClientAndHandler to just do this

        var cert = new X509Certificate2(_certificate.Content, _certificate.Password, X509KeyStorageFlags.MachineKeySet);

        handler.ClientCertificates.Add(cert);

And it still doesn't work unless the "root certs" are in place.

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'HandshakeFailure'. ---> System.ComponentModel.Win32Exception (0x80090326): Det mottagna meddelandet var oväntat eller felaktigt formaterat. --- End of inner exception stack trace

Hi,

I have the same issue as you. Could you please explain a bit more how you solved it? And by "root certs", is this the cert I get from swish called "Swish_TLS_RootCA.pem"? Also, what web hotel do you use? Thanks!

— Reply to this email directly, view it on GitHubhttps://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRickardPettersson%2Fswish-api-csharp%2Fissues%2F24%23issuecomment-1332542413&data=05%7C01%7C%7C80892cba93a84e44a0b908dad2fcfae2%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638054281233799961%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vhyDRdjcSbfuMCTLuRmAnbsNvBmHuuavk%2Fkr2yPcJm0%3D&reserved=0, or unsubscribehttps://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAXWEPQRCKUFW3YM4W3WWZELWK6JBRANCNFSM6AAAAAAQXWNTYU&data=05%7C01%7C%7C80892cba93a84e44a0b908dad2fcfae2%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638054281233799961%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=wSxvB4B60J2KgjDjaWTkXMJce30S5cKcZ3avgyxAMxs%3D&reserved=0. You are receiving this because you authored the thread.Message ID: @.***>

linus-dev commented 2 years ago

Ok. I've reached out to my web hotel, hopefully they are able to do the same. When I load my cert it throws an error Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct.

Could this be caused by the app pool? I have tried with normal string password and SecureString. I have verified that the value of the password is "swish" so I don't see any other cause for this.

shogedal commented 2 years ago

I am not 100% sure but I think I got that message as a result of some other miss. You know that it's only with the demo cert the password is that one?

Vänligen, Stefan Hogedal

+46 704-456560

Om meddelandet känns kort eller obegripligt kan det bero på att det författades på en Samsung A52a.

Hämta Outlook for Androidhttps://aka.ms/AAb9ysg


From: linus-dev @.> Sent: Wednesday, November 30, 2022 9:52:09 PM To: RickardPettersson/swish-api-csharp @.> Cc: Stefan Hogedal @.>; Author @.> Subject: Re: [RickardPettersson/swish-api-csharp] Problem with opening cert store in IIS - works in IIS Express (Issue #24)

Ok. I've reached out to my web hotel, hopefully they are able to do the same. When I load my cert it throws an error Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct.

Could this be caused by the app pool? I have tried with normal string password and SecureString. I have verified that the value of the password is "swish" so I don't see any other cause for this.

— Reply to this email directly, view it on GitHubhttps://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRickardPettersson%2Fswish-api-csharp%2Fissues%2F24%23issuecomment-1332721532&data=05%7C01%7C%7Cbd6b9c7ce3974fc9168208dad314c025%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638054383314752930%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=EvElIz7AvBuuOdrtilvCi0XseGnrPgGFEYVnDyAE%2FhA%3D&reserved=0, or unsubscribehttps://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAXWEPQRGPOCTOJ5QMBEBSP3WK647TANCNFSM6AAAAAAQXWNTYU&data=05%7C01%7C%7Cbd6b9c7ce3974fc9168208dad314c025%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638054383314752930%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=pvx1Xgd23XxHWkp2E384PaHDipgrkIcZ7Xl97X2osTk%3D&reserved=0. You are receiving this because you authored the thread.Message ID: @.***>

linus-dev commented 2 years ago

I followed this guide: https://github.com/RickardPettersson/swish-api-csharp/wiki/Hantera-certifikat Jsut for simplicity, I inserted "swish" as the password in the last step when creating a .p12-file. I assume this is the password I should use in my application.

RickardPettersson commented 1 year ago

@linus-dev did you got it to work?

I was now setup a client´s certificate and got this problem, i tested recreate the cert 5 times now to see so i am not doing something wrong or but i getting "The specified network password is not correct.". I tried to set a simple password as swish i tested to do a harder but no different when the code try to load from the .p12 file with password i set its get the error.

It is in the .net code i getting it but i thinking if GetSwish AB done some changes to the cert when you upload the CSR file and ghet the pem file...

shogedal commented 1 year ago

I'm "off line" but I think I saw that message during my struggle and that it meant something else than choosing the right password.

Vänligen, Stefan Hogedal

+46 704-456560

Om meddelandet känns kort eller obegripligt kan det bero på att det författades på en Samsung A52a.

Hämta Outlook for Androidhttps://aka.ms/AAb9ysg


From: Rickard Pettersson @.> Sent: Thursday, December 8, 2022 5:58:44 PM To: RickardPettersson/swish-api-csharp @.> Cc: Stefan Hogedal @.>; Author @.> Subject: Re: [RickardPettersson/swish-api-csharp] Problem with opening cert store in IIS - works in IIS Express (Issue #24)

@linus-devhttps://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Flinus-dev&data=05%7C01%7C%7C1465c0e50d0e49806b8f08dad93d783b%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638061155279632877%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=cyXoZnneNko%2BTqTkG7WiQ6lIuBK9lcyg84SsnG3Z9DY%3D&reserved=0 did you got it to work?

I was now setup a client´s certificate and got this problem, i tested recreate the cert 5 times now to see so i am not doing something wrong or but i getting "The specified network password is not correct.". I tried to set a simple password as swish i tested to do a harder but no different when the code try to load from the .p12 file with password i set its get the error.

It is in the .net code i getting it but i thinking if GetSwish AB done some changes to the cert when you upload the CSR file and ghet the pem file...

— Reply to this email directly, view it on GitHubhttps://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRickardPettersson%2Fswish-api-csharp%2Fissues%2F24%23issuecomment-1343019294&data=05%7C01%7C%7C1465c0e50d0e49806b8f08dad93d783b%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638061155279632877%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=yRBsfaiU7oytiut48eaxYbgDwphTtodW34VnaeLOWZA%3D&reserved=0, or unsubscribehttps://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAXWEPQU3ZLVDCTXC6NMM2RTWMIHUJANCNFSM6AAAAAAQXWNTYU&data=05%7C01%7C%7C1465c0e50d0e49806b8f08dad93d783b%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638061155279632877%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Bv4z3fHhxjCb3WlTRDBqQgo9BWo7cwrsye70qQqH7G0%3D&reserved=0. You are receiving this because you authored the thread.Message ID: @.***>

linus-dev commented 1 year ago

@RickardPettersson No I did not... I haven't tried it on my local machine yet though. Maybe it could be some kind of permission issue? Hopefully I can try a little bit more when I have more time. If Swish made any changes I would be happy to know!

RickardPettersson commented 1 year ago

This is very intresting, i have now tested using openssl both 32-bit and 64-bit also used java keytool that i got a tutorial from GetSwish AB with instruction for and i used the windows tool they saying to use on the certifikat portal and then openssl to generate p12 file.

I have also tested all different generated certifikates both in .Net 7, .Net 6 and .Net 4.5.2 and all give me the "network password is failed" error message.

I dont know what have happend and why this is, starting to think if there is needed a older windows open ssl version or something.

I have personally got this to work with my wiki tutorial for like 2 years ago or what it can be but now its totally failing.

RickardPettersson commented 1 year ago

After some more reasearch and more testing i tested OpenSSL v1.1.1s and got it to work, no more "network password is failed" message, i updated the wiki for handling certifikate.

RickardPettersson commented 1 year ago

Can we close this issue?

shogedal commented 1 year ago

I have found a solution in configuring IIS. I wonder if there is one that is just about creating the cert file in another way, but let's close this.

Vänligen, Stefan Hogedal

+46 704-456560

Om meddelandet känns kort eller obegripligt kan det bero på att det författades på en Samsung A52a.

Hämta Outlook for Androidhttps://aka.ms/AAb9ysg


From: Rickard Pettersson @.> Sent: Friday, May 12, 2023 3:02:14 PM To: RickardPettersson/swish-api-csharp @.> Cc: Stefan Hogedal @.>; Author @.> Subject: Re: [RickardPettersson/swish-api-csharp] Problem with opening cert store in IIS - works in IIS Express (Issue #24)

Can we close this issue?

— Reply to this email directly, view it on GitHubhttps://github.com/RickardPettersson/swish-api-csharp/issues/24#issuecomment-1545711211, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AXWEPQWNLEZSKQHXHZATTJTXFYYFNANCNFSM6AAAAAAQXWNTYU. You are receiving this because you authored the thread.Message ID: @.***>