The site crashes because of Keyset does not exist #7137
Comments
/cc @kevinchalet
I'm not sure if this is the cause but I found some references:
References
Kudu team: According to this NOTE from the kudu team: https://github.com/projectkudu/kudu/wiki/Configurable-settings#add-user-profile-support-for-a-site
Microsoft: It is also mentioned in Microsoft's documentation https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code#load-certificate-from-file
Community blogs/discussions:
In summary (my assumptions)
Workaround 1:
Workaround 2:
Actually, I don't really understand why "Load user profile" is disabled by default and I'm still able to read the pfx file successfully and then randomly fail. It should be a failure all the time. Anyway, I will try the
Besides the X.509 certificate: from my point of view, the X.509 certificate is a bit complex for a simple site.
@hung-doan I initially opted for X.509 certificates as they are perfect containers for private keys. Generation and storage work generally well, but certain "hostile" environments like Azure's free instances indeed make using X.509 certificates a real PITA. Moving to raw RSA keys instead of X.509 RSA certificates is certainly an option. Would you like to send a PR?
Note: it may also be a good opportunity to store the keys in the database rather than on the file system.
Note 2: keep using this method to ensure we stay "user-profile-loading-disabled"-friendly:
OrchardCore/src/OrchardCore.Modules/OrchardCore.OpenId/Services/OpenIdServerService.cs, lines 583 to 605 in 954a90d
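As an added illustration of the failure mode discussed in this thread (example code, not OrchardCore's OpenIdServerService implementation, and not a reproduction of the lines referenced above): on Windows, loading a PFX with the default key storage flags imports the private key into the current user's key store, which is exactly what is unavailable when the user profile is not loaded, so the key can be read now and vanish later. Passing `X509KeyStorageFlags.MachineKeySet` (the approach the App Service documentation linked earlier in the thread uses) removes that dependency, and a sign/verify self-check at startup turns a "random" failure into a deterministic one. The PFX path, the password and the self-signed certificate are constructed for the demo.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not OrchardCore code): loading a PFX so that the private key
// does not depend on the per-user key store, plus a startup health check.
public static class SigningCertificateLoader
{
    // Default flags: on Windows the private key is imported into the current
    // user's key store (UserKeySet). If the user profile is not loaded, that
    // store is unavailable and later key use fails with "Keyset does not exist".
    public static X509Certificate2 LoadWithDefaultFlags(string pfxPath, string password)
        => new X509Certificate2(pfxPath, password);

    // Hardened form: import into the machine-wide store instead. MachineKeySet is
    // ignored on non-Windows platforms, so the same code works on Linux hosts.
    public static X509Certificate2 LoadWithoutUserProfile(string pfxPath, string password)
        => new X509Certificate2(pfxPath, password, X509KeyStorageFlags.MachineKeySet);

    // Fail fast at startup instead of on the first token request: prove the
    // private key is actually usable by signing and verifying a test message.
    public static bool PrivateKeyIsUsable(X509Certificate2 certificate)
    {
        try
        {
            using RSA? rsa = certificate.GetRSAPrivateKey();
            if (rsa is null) return false;

            byte[] data = { 1, 2, 3 };
            byte[] signature = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            using RSA pub = certificate.GetRSAPublicKey()!;
            return pub.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
        catch (CryptographicException)
        {
            // This is where "Keyset does not exist" surfaces when the key container is gone.
            return false;
        }
    }

    public static void Main()
    {
        // Assumptions for the demo: a temp-file path and a throwaway password.
        string pfxPath = Path.Combine(Path.GetTempPath(), "example-signing.pfx");
        const string password = "example-password";

        // Constructed input: a self-signed certificate exported to a PFX.
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=example-signing", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using X509Certificate2 selfSigned = request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
            File.WriteAllBytes(pfxPath, selfSigned.Export(X509ContentType.Pfx, password));
        }

        using (X509Certificate2 userStore = LoadWithDefaultFlags(pfxPath, password))
        {
            Console.WriteLine($"Default flags, key usable: {PrivateKeyIsUsable(userStore)}");
        }

        using (X509Certificate2 machineStore = LoadWithoutUserProfile(pfxPath, password))
        {
            Console.WriteLine($"MachineKeySet, key usable: {PrivateKeyIsUsable(machineStore)}");
        }

        File.Delete(pfxPath);
    }
}
```

On a developer machine both checks pass, because the user profile is loaded; the difference only shows on a host where it is not, which is why running `PrivateKeyIsUsable` at startup (and logging the result) is worth more than the choice of flag alone.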
@deanmarcussen is already working on a feature/service to store secrets in various stores, including certificates. Database will be supported. So this might be the solution: use this service instead of adding a custom way here. This way you get the UI and deployment steps of these secrets for free.
If anybody stumbles on this: indeed, setting the
Wouldn't we want to simply store the certificates (at least for now) in the Azure Data Protection storage, if it's enabled? @kevinchalet what do you think?
@Piedone I'm not sure how that would work: that module is for storing ASP.NET Core Data Protection master keys on Azure (it's based on
I mean, we could just store the certificates in the same Blob Storage account/container, or similarly in Blob Storage. Basically, we could have something like
Certainly, but how would that solve the issue discussed in this thread? The issue isn't about where the certificates are stored, it's about how they are loaded by the server OS.
Yeah, sorry, I mixed things in here, because in our case, the original issue here is tightly connected to the certificates being wiped out on server reset. But having its own issue is better: #13205
It's worth mentioning that the recommended approach is to create the signing/encryption certificates yourself and store them in the machine store, instead of relying on the automatic generation stuff (once the certificates are added, you can then select them using the interactive dropdowns via the UI). Also, using raw RSA keys instead of RSA keys embedded in X.509 certificates (for which we tend to see fewer issues in hostile environments) in conjunction with #7891 might be a better approach than making the storage of the current feature replaceable.
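An added example of the raw-RSA-key alternative raised twice in this thread (this is illustration code, not OrchardCore or OpenIddict code): the key is kept as an encrypted PKCS#8 blob that can live in a database column rather than as a private key inside an X.509 certificate, so no Windows key container is ever created and the user-profile setting becomes irrelevant. The passphrase is an assumption standing in for whatever secret store the application uses, and the signed payload is constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not OrchardCore/OpenIddict code): a raw RSA signing key
// persisted as encrypted PKCS#8, with no dependency on a per-user key store.
public static class RawRsaSigningKey
{
    // Generate a key and serialise it as password-protected PKCS#8 DER.
    // The passphrase is assumed to come from configuration or a secret store.
    public static byte[] CreateEncryptedKeyBlob(string passphrase, int keySize = 2048)
    {
        using RSA rsa = RSA.Create(keySize);
        var pbe = new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc,
            HashAlgorithmName.SHA256, iterationCount: 100_000);
        return rsa.ExportEncryptedPkcs8PrivateKey(passphrase, pbe);
    }

    // Rehydrate the key from the stored blob (e.g. read back from the database).
    // A wrong passphrase or corrupted blob throws CryptographicException here,
    // at startup, instead of failing on the first signing request.
    public static RSA LoadKey(byte[] encryptedBlob, string passphrase)
    {
        RSA rsa = RSA.Create();
        rsa.ImportEncryptedPkcs8PrivateKey(passphrase, encryptedBlob, out _);
        return rsa;
    }

    public static byte[] Sign(RSA key, byte[] data)
        => key.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);

    // Verification only needs the SubjectPublicKeyInfo, which is safe to publish.
    public static bool Verify(byte[] publicKeyDer, byte[] data, byte[] signature)
    {
        using RSA pub = RSA.Create();
        pub.ImportSubjectPublicKeyInfo(publicKeyDer, out _);
        return pub.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
    }

    public static void Main()
    {
        const string passphrase = "example-passphrase";      // constructed for the demo
        byte[] blob = CreateEncryptedKeyBlob(passphrase);   // this is what you would persist

        using RSA key = LoadKey(blob, passphrase);
        byte[] publicKey = key.ExportSubjectPublicKeyInfo();
        byte[] data = Encoding.UTF8.GetBytes("constructed token payload");
        byte[] signature = Sign(key, data);
        Console.WriteLine($"Signature verifies: {Verify(publicKey, data, signature)}");

        try
        {
            LoadKey(blob, "wrong-passphrase");
            Console.WriteLine("Unexpected: wrong passphrase accepted");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Wrong passphrase rejected at load time");
        }
    }
}
```

Encrypting the blob with `ExportEncryptedPkcs8PrivateKey` keeps the stored key useless without the passphrase, which is what a database-backed store needs before the key leaves the file system; the public half can be handed to a JWKS endpoint as-is.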
I see, thanks!
About the application
Problem
[ERR] An exception was thrown attempting to execute the error handler. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
NOTE:
Exceptions
Exception 1
Exception 2
Any thoughts and suggestions will be appreciated, thanks everyone!