RickardPettersson / swish-api-csharp

Swish For Merchant API Client .Net Standard Library
MIT License

Problem with opening cert store in IIS - works in IIS Express #24

Closed shogedal closed 1 year ago

shogedal commented 1 year ago

I run my IIS app pool with the ApplicationPoolIdentity and it cannot open the store in PrepareHttpClientAndHandler():

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access is denied. at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags) at SwishApi.Client.PrepareHttpClientAndHandler(HttpClientHandler& handler, HttpClient& client)

If I don't bother storing the "root certificates" I cannot communicate at all:

Authentication failed because the remote party sent a TLS alert HandshakeFailure

Does anyone have any other plan than adding the "root certs" to the intermediate certificate store of "local computer"?

RickardPettersson commented 1 year ago

That doesn't sound good, but if you try the new code that now exists, where you pass in the certificate as a stream and set UseMachineKeySet on the ClientCertificate object, then it does not use the store; instead it loads the cert from the stream and then uses the password passed in the ClientCertificate object.

Not sure if it is going to work, but it's the newest code fix for the Azure problem, which I have not tested myself yet.

shogedal commented 1 year ago

I haven't upgraded to the latest version in my project, but I changed PrepareHttpClientAndHandler to just do this

            var cert = new X509Certificate2(_certificate.Content, _certificate.Password, X509KeyStorageFlags.MachineKeySet);
            handler.ClientCertificates.Add(cert);

And it still doesn't work unless the "root certs" are in place.

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'HandshakeFailure'. ---> System.ComponentModel.Win32Exception (0x80090326): The message received was unexpected or badly formatted. --- End of inner exception stack trace
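The comment above mixes two separate failures: the PFX not loading at all under the app pool identity ("Access is denied"), and the PFX loading but the TLS handshake still failing until the issuer CAs are installed. The following diagnostic is an added example, not code from swish-api-csharp; it separates the two so you can see which one a given server has. The file paths, the CA file names and the environment variable are assumptions; run it under the same identity the app pool uses.

```csharp
// Added diagnostic, not part of swish-api-csharp. Paths, file names and the CA file
// list are assumptions; run it under the same identity as the IIS app pool.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

static class SwishCertCheck
{
    // Step 1: can this identity load the PFX at all?
    public static X509Certificate2 LoadClientCert(byte[] pfx, string password)
    {
        // The default (UserKeySet) writes the private key into the caller's user key
        // container, which requires a loaded user profile. ApplicationPoolIdentity with
        // "Load User Profile" = false has none, which is the "Access is denied" seen above.
        // MachineKeySet writes the key to the machine container instead, which the app pool
        // identity can use. EphemeralKeySet would avoid writing a key file, but SChannel
        // rejects ephemeral keys for TLS client authentication, so it is not an option here.
        return new X509Certificate2(pfx, password, X509KeyStorageFlags.MachineKeySet);
    }

    // Step 2: can a chain be built from the client certificate to its issuing CAs?
    // Swish's CAs are private, so Windows only finds them if they are installed in the
    // LocalMachine "Root" (root) and "CA" (intermediate) stores. Windows builds the chain
    // from those stores when it presents the client certificate; if it cannot, the server
    // never sees a verifiable certificate and answers with HandshakeFailure, which is what
    // installing the "root certs" fixes. Passing the CA PEM files through ExtraStore shows
    // whether the files themselves are right before anything is installed on the server.
    public static bool CanBuildChain(X509Certificate2 leaf, string[] caPemPaths, out string report)
    {
        using (var chain = new X509Chain())
        {
            foreach (var path in caPemPaths)
                chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(path));

            // Only chain structure matters for this check, not trust or revocation.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

            bool ok = chain.Build(leaf);
            var lines = new System.Text.StringBuilder();
            foreach (X509ChainElement el in chain.ChainElements)
                lines.AppendLine($"  {el.Certificate.Subject}  <-  {el.Certificate.Issuer}");
            foreach (X509ChainStatus st in chain.ChainStatus)
                lines.AppendLine($"  status: {st.Status} {st.StatusInformation}");
            report = lines.ToString();
            return ok;   // false with a PartialChain status means an issuer CA is missing
        }
    }

    static void Main()
    {
        // Assumed file names: the merchant .p12 and the PEM files of its issuing CAs.
        byte[] pfx = File.ReadAllBytes(@"C:\inetpub\swish\merchant.p12");
        string password = Environment.GetEnvironmentVariable("SWISH_P12_PASSWORD") ?? "swish";
        string[] cas = { @"C:\inetpub\swish\ca-intermediate.pem", @"C:\inetpub\swish\ca-root.pem" };

        using (var cert = LoadClientCert(pfx, password))
        {
            Console.WriteLine($"loaded {cert.Subject}, private key: {cert.HasPrivateKey}");
            bool ok = CanBuildChain(cert, cas, out string report);
            Console.WriteLine(ok ? "chain OK:" : "chain FAILED:");
            Console.WriteLine(report);
        }
    }
}
```

If step 1 throws, the fix is on the IIS side (MachineKeySet in the code, or "Load User Profile" on the app pool). If step 1 succeeds but step 2 only succeeds with ExtraStore populated, the server is missing the same CA files in its LocalMachine Root and CA stores, which matches the resolution reported later in this thread.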

RickardPettersson commented 1 year ago

Tested to run latest code?

shogedal commented 1 year ago

Unfortunately I have not had the time, but I finally got my web hotel to fix the "load user profile" issue that was still outstanding. Previously they imported the SEB certificates into the cert store, but that wasn't enough. We're up and running, so I will not take time to elaborate further right now.


linus-dev commented 1 year ago

Hi,

I have the same issue as you. Could you please explain a bit more how you solved it? And by "root certs", is this the cert I get from swish called "Swish_TLS_RootCA.pem"? Also, what web hotel do you use? Thanks!

shogedal commented 1 year ago

I struggled a lot with my web hotel Loopia and "googling". In the end I think that not only did I need the two SEB certificates installed on the server, but I also needed them to fix the app pool to use an account with a profile.


linus-dev commented 1 year ago

Ok. I've reached out to my web hotel, hopefully they are able to do the same. When I load my cert it throws an error Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct.

Could this be caused by the app pool? I have tried with normal string password and SecureString. I have verified that the value of the password is "swish" so I don't see any other cause for this.

shogedal commented 1 year ago

I am not 100% sure, but I think I got that message as a result of some other mistake. You know that it's only with the demo cert that the password is that one?


linus-dev commented 1 year ago

I followed this guide: https://github.com/RickardPettersson/swish-api-csharp/wiki/Hantera-certifikat Just for simplicity, I inserted "swish" as the password in the last step when creating a .p12 file. I assume this is the password I should use in my application.

RickardPettersson commented 1 year ago

@linus-dev did you get it to work?

I was now setting up a client's certificate and got this problem. I have now tested recreating the cert 5 times to see that I am not doing something wrong, but I get "The specified network password is not correct.". I tried setting a simple password like swish, and I tested a harder one, but no difference: when the code tries to load from the .p12 file with the password I set, it gets the error.

It is in the .NET code that I get it, but I am wondering if GetSwish AB has made some changes to the cert when you upload the CSR file and get the pem file...

shogedal commented 1 year ago

I'm "offline", but I think I saw that message during my struggle and that it meant something other than choosing the right password.


linus-dev commented 1 year ago

@RickardPettersson No I did not... I haven't tried it on my local machine yet though. Maybe it could be some kind of permission issue? Hopefully I can try a little bit more when I have more time. If Swish made any changes I would be happy to know!

RickardPettersson commented 1 year ago

This is very interesting. I have now tested using OpenSSL, both 32-bit and 64-bit, and also used the Java keytool that I got a tutorial with instructions for from GetSwish AB, and I used the Windows tool they say to use on the certificate portal and then OpenSSL to generate the p12 file.

I have also tested all the different generated certificates in .NET 7, .NET 6 and .NET 4.5.2, and all give me the "network password is failed" error message.

I don't know what has happened and why this is; I am starting to think whether an older Windows OpenSSL version or something is needed.

I personally got this to work with my wiki tutorial about 2 years ago or whenever it was, but now it's totally failing.

RickardPettersson commented 1 year ago

After some more research and more testing I tested OpenSSL v1.1.1s and got it to work, no more "network password is failed" message. I updated the wiki for handling certificates.
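The OpenSSL version mattering is consistent with a change in the PKCS#12 defaults: OpenSSL 3.x writes the .p12 with PBES2 (AES-256-CBC, PBKDF2) and a SHA-256 MAC, which the Windows PFX importer behind the X509Certificate2(byte[], password) constructor does not understand on older Windows builds and reports as "The specified network password is not correct" even when the password is right; OpenSSL 1.1.1 writes the legacy 3DES/SHA-1 layout, and OpenSSL 3 can do the same with "pkcs12 -export -legacy". The example below is added here and is not part of swish-api-csharp: it builds the .p12 from the portal's PEM certificate and the CSR's private key in managed code with the legacy algorithms chosen explicitly, so the OpenSSL version is irrelevant. It needs the System.Security.Cryptography.Pkcs package on .NET Standard 2.0 / .NET Framework (in-box from .NET Core 3.0); the file names and the environment variable are assumptions, and the PEM key is assumed to be unencrypted.

```csharp
// Added example, not part of swish-api-csharp. Builds the .p12 in managed code with the
// PKCS#12 PBE algorithms (3DES + SHA-1) that the Windows PFX importer has always accepted,
// so the OpenSSL version used is irrelevant. Needs the System.Security.Cryptography.Pkcs
// package on .NET Standard 2.0 / .NET Framework (in-box from .NET Core 3.0). The file
// names below are assumptions, and the PEM private key is assumed to be unencrypted.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

static class LegacyPfxBuilder
{
    // OpenSSL 3.x defaults to PBES2 (AES-256-CBC, PBKDF2) with a SHA-256 MAC for
    // "pkcs12 -export"; Windows builds that cannot read that layout report
    // "The specified network password is not correct" even though the password is right.
    // OpenSSL 1.1.1 emits the legacy algorithms below, which is why it worked in this thread
    // (OpenSSL 3 can do the same with "pkcs12 -export -legacy").
    static readonly PbeParameters LegacyPbe = new PbeParameters(
        PbeEncryptionAlgorithm.TripleDes3KeyPkcs12, HashAlgorithmName.SHA1, iterationCount: 2000);

    public static byte[] Build(string certPemPath, string keyPemPath, string password)
    {
        // Leaf certificate (PEM from the Swish certificate portal) and the RSA key that made the CSR.
        var cert = new X509Certificate2(certPemPath);
        using (var rsa = RSA.Create())
        {
            rsa.ImportFromPem(File.ReadAllText(keyPemPath));   // .NET 5+; on .NET Core 3.x use ImportRSAPrivateKey on the DER bytes

            // Same layout OpenSSL produces: certificates in an encrypted SafeContents, the key
            // as a shrouded (encrypted) key bag in an unencrypted SafeContents, both carrying
            // the same localKeyId so the importer pairs the key with the certificate.
            var keyId = new Pkcs9LocalKeyId(cert.GetCertHash());

            var certs = new Pkcs12SafeContents();
            certs.AddCertificate(cert).Attributes.Add(keyId);

            var keys = new Pkcs12SafeContents();
            keys.AddShroudedKey(rsa, password, LegacyPbe).Attributes.Add(keyId);

            var builder = new Pkcs12Builder();
            builder.AddSafeContentsEncrypted(certs, password, LegacyPbe);
            builder.AddSafeContentsUnencrypted(keys);
            builder.SealWithMac(password, HashAlgorithmName.SHA1, iterationCount: 2000);
            return builder.Encode();
        }
    }

    // Load it the way the library does under an IIS app pool identity (MachineKeySet, see above).
    public static bool LoadsOnWindows(byte[] pfx, string password)
    {
        using (var c = new X509Certificate2(pfx, password, X509KeyStorageFlags.MachineKeySet))
            return c.HasPrivateKey;
    }

    static void Main()
    {
        string password = Environment.GetEnvironmentVariable("SWISH_P12_PASSWORD") ?? "swish";
        byte[] pfx = Build("swish-merchant.pem", "swish-merchant.key", password);
        File.WriteAllBytes("swish-merchant.p12", pfx);
        Console.WriteLine($"wrote {pfx.Length} bytes; loads with private key: {LoadsOnWindows(pfx, password)}");
    }
}
```

3DES/SHA-1 is chosen here only because it is what the consumer (the Windows PFX importer on the affected builds) accepts; the .p12 is a transport container for the key, so keep the file and its password out of source control and web-readable folders regardless of the algorithm.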

RickardPettersson commented 1 year ago

Can we close this issue?

shogedal commented 1 year ago

I have found a solution in configuring IIS. I wonder if there is one that is just about creating the cert file in another way, but let's close this.
