Azure Cloud Service unable to find Certificate from local machine - azure

Our APIs are exposed through Azure Cloud Services (Web Role). We use a certificate uploaded to the Cloud Service for encryption of data stored in the backend. During certificate rotation, we uploaded the new certificate by updating the *.CSCFG file.
Our CSCFG:
<Certificate name="encryptcertificatethumbprint" thumbprint="NewThumbprint" thumbprintAlgorithm="sha1" />
When we log in to Portal > Cloud Service > Certificates tab, we can see both the old certificate and the new certificate.
Unfortunately some of the records in the backend system were not re-encrypted with the new rotated certificate. When our app reads that data from the backend system, it fails to decrypt with the message "The secret could not be decrypted. Check that certificate with serial number 'XXXXX-XXX' is installed. The inner cryptographic exception: 'Keyset does not exist'", since the old certificate is not present on the web role instance.
Instead of doing another deployment with both certificates, we remoted into the web role instance and installed the old certificate under Personal > Certificates.
After installing the old certificate, the application is still unable to find the certificate by thumbprint in the Local Machine certificate store. We tried restarting the web role; the application is still unable to pick up the certificate.
A few questions; can anyone help (without any deployment to address this issue)?
What is the certificate location on the web role instance where we can install the certificate? Our certificate lookup logic searches by serial number in LocalMachine and then also in Current User. Though we installed the certificate in LocalMachine, the web role is still unable to pick up the certificate.
What is the Current User certificate store, i.e. under which account does the web role run?
If the certificate has expired, will the certificate still be returned?

I haven't tried to accomplish your specific goal, but this information may help get you closer.
The Azure guest agent installs certificates as the system account in the CurrentUser store, so any interactions you want to do with those certs will need to be as the system account. To do this you can download Sysinternals Suite and run psexec to launch a cmd prompt under System context. Then in that new cmd prompt you can run certutil, mmc.exe, etc:
psexec -i -d -s cmd
certutil -store -user My
You should be aware that whatever you do (i.e. installing a new certificate) will be temporary.
See https://learn.microsoft.com/en-us/archive/blogs/kwill/windows-azure-disk-partition-preservation for information about when the Windows partition (D drive) will be rebuilt, meaning you will lose your manually installed certificates.
Unexpected role recycles (i.e. WaHostBootstrapper exits or WaIISHost/WaWorkerHost crashes) will cause the guest agent to uninstall and then reinstall all certificates.

The issue got resolved after giving permission to "Network Service":
Right-click on the certificate > All Tasks > Manage Private Keys > add the Network Service account to grant access to the certificate.
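The following is an added example, not code from the question or either answer. It mirrors the poster's lookup (by serial number, LocalMachine\My first and then CurrentUser\My), reports where the certificate was found and whether it has expired, and scripts the "Manage Private Keys" fix from the accepted answer by granting NETWORK SERVICE read access to the private key file on disk. The serial number is an assumed placeholder; run it elevated on the role instance.

```powershell
# Added example (not from the original post). Serial number below is an assumed placeholder.
param(
    [string]$SerialNumber = '00A1B2C3D4E5F60718',        # assumed; replace with your own
    [string]$Identity     = 'NT AUTHORITY\NETWORK SERVICE'
)

function Find-CertificateBySerial {
    param([string]$Serial)
    $wanted = ($Serial -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        # The store enumerates expired certificates too, so the lookup itself still succeeds;
        # whether to use an expired cert for decryption is the caller's policy decision.
        $hit = Get-ChildItem $store |
               Where-Object { $_.SerialNumber.ToUpperInvariant() -eq $wanted } |
               Select-Object -First 1
        if ($hit) { return [pscustomobject]@{ Store = $store; Certificate = $hit } }
    }
    return $null
}

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key in this store" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    # CNG keys expose Key.UniqueName; legacy CAPI keys expose CspKeyContainerInfo.UniqueKeyContainerName
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $name = $rsa.Key.UniqueName }
    else { $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    # Machine keys live under ProgramData, user keys under the profile's roaming AppData
    foreach ($base in "$env:ProgramData\Microsoft\Crypto", "$env:APPDATA\Microsoft\Crypto") {
        $file = Get-ChildItem -Path $base -Recurse -Filter $name -File -ErrorAction SilentlyContinue |
                Select-Object -First 1
        if ($file) { return $file.FullName }
    }
    throw "Private key file '$name' not found on disk"
}

function Grant-PrivateKeyRead {
    param([string]$KeyFile, [string]$Account)
    $acl  = Get-Acl -Path $KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}

$found = Find-CertificateBySerial -Serial $SerialNumber
if (-not $found) { throw "No certificate with serial $SerialNumber in LocalMachine\My or CurrentUser\My" }
$cert = $found.Certificate
$expiry = if ($cert.NotAfter -lt (Get-Date)) { ' (EXPIRED)' } else { '' }
Write-Output ("Found {0} in {1}; valid until {2}{3}" -f $cert.Thumbprint, $found.Store, $cert.NotAfter, $expiry)

$keyFile = Get-PrivateKeyFile -Cert $cert
Grant-PrivateKeyRead -KeyFile $keyFile -Account $Identity
Write-Output "Granted Read on $keyFile to $Identity"
```

Read access on the key file is all that decryption needs; granting Full Control, which the MMC dialog offers by default, lets the service account replace or delete the key and is not necessary.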

Related

Service account cannot read certificates from local computer store

We have a worker process running in IIS (Windows Server 2019) that makes an HTTPS request to a Kafka resource in AWS in the background. In order for this process to work, we have to import certificates from Amazon into the local computer cert store so that the SSL connection can be established and it trusts the certificate presented by the resource in AWS. We have imported the cert chain and gotten this to work with the following caveats:
The service account specified for the AppPool identity has to be a local admin
OR
We have to run some process, ANY process (other than w3wp.exe that's already running), as the service account.
I've dealt quite a bit with certs, permissions, etc., but what is really odd about this one is that if I open Notepad, for example, as the service account, then as long as Notepad is running the process works, meaning it reads the cert and is able to establish the SSL connection. If I close Notepad, the process then fails, and I get the following error:
ssl://b-2.kafkamsk.abc123.c2.kafka.us-west-2.amazonaws.com:9094/bootstrap: SSL handshake failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (add broker's CA certificate to the Windows Root certificate store) (after 72ms in state CONNECT)
(text in the URL replaced with abc123 for obfuscation)
Note that we don't need to access the private key of the cert; we simply need to read the cert from the cert store. The CA cert has been imported into "Trusted Root Certification Authorities", the intermediate cert has been imported into "Intermediate Certification Authorities" and the leaf cert has been imported into the Personal store, all of these in the Local Computer cert store. And again, it all works if we simply log in and run some process as the service account, even without it being a local admin.
I've run Sysinternals Procmon while executing the process that fails, and see several access-denied attempts on HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates, which do not appear if I have Notepad running as the service account when attempting the process. I've given the service account explicit permissions on those registry keys, but it has not helped.
For obvious security reasons, we don't want our service account to be a local admin on the box, and for operations/administration reasons we don't want to rely on having some other process running as this account just to make this work.
It probably works when Notepad is run because it triggers the user profile to be loaded; terminating Notepad causes the profile to be unloaded. If you were to set LoadUserProfile to true on the app pool it would probably work, BUT this is not a good idea.
I think the proper solution is related to the permissions for IIS AppPool\AppPoolName on the certificate itself (which boils down to a file on disk with an ACL somewhere). Grant the app pool rights via the Certificates MMC or PowerShell and it should work.
If you download the latest .pem file from https://curl.se/docs/caextract.html, you can specify that file in the code with:
"ssl.ca.location",caCertLocation
Event Hubs demo from Azure here:
https://github.com/Azure/azure-event-hubs-for-kafka/blob/master/quickstart/dotnet/EventHubsForKafkaSample/Program.cs
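The script below is an added example, not from the question or either answer. It builds the certificate chain for the imported leaf certificate the way the Windows certificate engine does and reports which account it ran under, so you can run it once interactively and once as the AppPool identity (for example with `psexec -u <domain>\<svc> powershell -File .\Test-Chain.ps1`) and compare the two outputs before changing any permissions. The subject filter is an assumption.

```powershell
# Added example (not from the original thread). The subject pattern is assumed.
param([string]$SubjectLike = '*kafka*')   # assumed; should match the leaf cert imported into LocalMachine\My

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # No revocation lookups: we want to isolate trust-store visibility, not network reachability
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid = $chain.Build($Leaf)
    $elements = foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject = $e.Certificate.Subject
            Status  = (($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    }
    [pscustomobject]@{
        RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Valid     = $valid
        Status    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Elements  = $elements
    }
}

$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like $SubjectLike } | Select-Object -First 1
if (-not $leaf) { throw "No certificate matching '$SubjectLike' in LocalMachine\My" }

$result = Test-CertificateChain -Leaf $leaf
$result | Select-Object RunningAs, Valid, Status | Format-List
$result.Elements | Format-Table -AutoSize
# Interpretation: a chain that builds interactively but reports PartialChain or UntrustedRoot
# under the service account means the account cannot see the CA/Root stores it needs, which
# lines up with the registry access failures Procmon showed rather than with a bad certificate.
```

Note that the failing client in the question is librdkafka's OpenSSL, not SChannel, so a chain that validates here proves the stores are readable by the account but not that librdkafka is configured to consult them; the `ssl.ca.location` answer above is the direct way to take the Windows stores out of the picture.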

Azure vpn error A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)

I am creating a VPN in Azure, and created a self-signed certificate in the following places:
Local Computer:
Personal/Certificates: Issued To: FQDN name is the certificate's name
Trusted Root Certification Authorities/Certificates:
manually copied from Personal
I have configured the VPN in Azure; the client package is downloaded and extracted and the VPN client is installed successfully. However, when I run the client I receive the following error:
A certificate could not be found that can be used with this Extensible
Authentication Protocol. (Error 798)
The error seems to suggest the certificate is NOT found. Does the name matter?
Should I change the cert's name from Azurecert to the FQDN, which is the name in my local computer?
Thank you for your help in advance.
UPDATE:
I removed the existing certificate in Azure's configuration and re-added it with the same FQDN name shown in the local computer's certificates, redownloaded the client, removed the existing installed VPN client and installed the new one, and I receive the same error message. So it seems the name is not the root cause?
UPDATE2:
The procedure I've followed:
Create a self-signed certificate with the FQDN name on the local laptop:
New-SelfSignedCertificate -DnsName NV-RXIE.novantas.pri -CertStoreLocation "cert:\LocalMachine\My"
Add the self-signed certificate as a trusted certificate authority: copy the new cert to Trusted Root Certification Authorities
Export the cert and open it, copy the cert part and paste it into the VPN setting - Root certificates, Public Certificate Data
Download the VPN client and install it on the laptop, run it
Connect, which failed with:
A certificate could not be found that can be used with this Extensible
Authentication Protocol. (Error 798)
When you try to connect to an Azure virtual network by using the VPN client, besides exporting the root certificate public key .cer file to Azure, each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate and then export and install the client certificate. If the client certificate is not installed, authentication fails.
This problem occurs if the client certificate is missing from Certificates - Current User\Personal\Certificates.
You could follow this solution to fix this issue. For more information about how to install the client certificate, see Generate and export certificates for point-to-site connections.
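As an added example (not part of the answer, and following the Azure point-to-site certificate procedure the answer links to rather than the single self-signed cert in the question), the script below creates a self-signed root, issues a client certificate from it with the Client Authentication EKU, produces the root's public certificate data for the gateway, and checks the one condition Error 798 complains about: a usable client certificate in the current user's Personal store. The certificate names are assumptions.

```powershell
# Added example (not from the original thread). Certificate names are assumed.
param(
    [string]$RootName   = 'P2SRootCert',    # assumed
    [string]$ClientName = 'P2SChildCert'    # assumed
)

# Root: signing-only key with CertSign key usage, kept in the user's Personal store
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=$RootName" `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsageProperty Sign -KeyUsage CertSign

# Client: issued by the root, with EKU 1.3.6.1.5.5.7.3.2 (Client Authentication) that EAP-TLS requires
$client = New-SelfSignedCertificate -Type Custom -DnsName $ClientName -KeySpec Signature -Subject "CN=$ClientName" `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# Public certificate data for the gateway's "Root certificates" field: base64 DER of the root,
# no private key and no BEGIN/END lines (the same bytes a Base-64 X.509 export from certmgr.msc gives)
$rootPublicData = [Convert]::ToBase64String(
    $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

function Get-UsableP2SClientCert {
    param([string]$IssuerSubject)
    # Everything the VPN client needs: issued by the uploaded root, private key present,
    # not expired (an expired client cert also produces 798), Client Authentication EKU
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.Issuer -eq $IssuerSubject -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
    }
}

$usable = @(Get-UsableP2SClientCert -IssuerSubject $root.Subject)
if ($usable.Count -eq 0) {
    throw "No client certificate issued by $($root.Subject) in CurrentUser\My; the VPN client will report error 798"
}
Write-Output "Root public data (paste into the gateway's Root certificates field):`n$rootPublicData"
Write-Output "Client cert ready: $($usable[0].Thumbprint), valid until $($usable[0].NotAfter)"
```

Only the root's public data leaves the machine; the root's private key stays in CurrentUser\My and is what you need later to issue certificates for additional clients, so back it up separately rather than re-creating a root per laptop.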
In case anyone runs into this issue at some stage: I had installed a new root cert that worked fine for 2 out of 3 VPN gateways. The third kept giving a 798 error even though the certs were correct and in the right place.
To fix the Error 798, I did the following:
Reset the gateway in the Azure Portal (Support & troubleshooting on the VPN gateway blade).
Remove the VPN configuration from my PC (Win10).
Reboot the PC (just to be safe).
Download and reinstall the VPN client from the Azure Portal again (from the Point-to-site configuration on the Azure VPN gateway in question).
Once done, I could then connect without any issues. Tested on several different users.
My guess is that if you are adding/removing root certs, you need to reinstall the VPN client on your computer after the gateway has the new root cert configuration.
Hope that helps.
In addition to the answer by Nancy Xiong:
If you are still having problems with this error you can try the following
Run certmgr.msc
Go to Personal->Certificates
Right-click your certificate
All Tasks->Export
Choose Yes: Export private key
Accept default options until you reach a step where you must enter a password
Enter a password, and continue until you have exported your certificate
Repeat this process if you have more than one certificate
Locate your certificates in the Windows file explorer
Right-click->Install
Select Current User for the Store Location
Accept default options, and enter the certificate password when prompted
When asked which Certificate Store to place the certificate in, select Place all certificates in the following store
Click 'Browse' and select your Personal store
This should now work.
In rare circumstances you may find that this solution will only work for a short time (usually failing the next time you reboot). In this case you may need to follow these additional steps
Boot your computer into BIOS Configuration
Disable any settings for Intel VT-x and Intel VT-d
Restart your computer
Retry the steps above
In addition to the answer by Peter Morris, I did the steps mentioned below, which helped in resolving this issue.
Delete the client certificate from your PC. This can be done by searching for "Manage User Certificates", then right-clicking on the certificate -> Delete.
Now reinstall your certificate; accept the default options, and enter the certificate password when prompted.
When asked which Certificate Store to place the certificate in, select Place all certificates in the following store
Click 'Browse' and select your Personal store
Accept all the default options that come next and click Finish.
The above steps helped me resolve this issue.
For me, I got this error because my previous cert had expired after 1 year.
I just deleted the old cert and followed this to create a new one:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Can't deploy to secured Service Fabric cluster from VS

I've created a secured SF cluster from the portal, but I can't connect to Service Fabric Explorer from the browser or deploy my app from VS. I have the cluster certificate (the one it makes you create in a Key Vault when you first deploy the cluster) installed on my machine. I got the .pfx file from the Key Vault and installed it on my Windows machine both with the double-click wizard and with the PowerShell Import-PfxCertificate cmdlet.
Still, after that, VS says: Failed to contact the server. Please try again later or get help from "How to configure secure connections"
I tried adding a client "admin" certificate, but it only asks me for the thumbprint or the subject name, where I put the ones from the previously created cluster certificate. I don't really know if I need to buy a client certificate to make it work, or where I get it.
And as I said, I can't access the explorer using the browser either. Any ideas?
Here are some screenshots:
This error message might mean:
- The certificate issuer authority is not trusted
- The certificate you installed is not valid or does not target the domain you are trying to access
If the certificate issuer is not trusted, you might have to:
Trust them; please see this link
Or get a new certificate from a trusted authority and execute the steps below
If the certificate is invalid or misconfigured:
The message is Chrome telling you that the certificate is not valid, and you can proceed at your own risk. You should be okay if you click Proceed to xyz.dev.eastus.cloudapp.com.
To deploy applications from Visual Studio to the cluster, you have to install the PFX certificate in the machine, and add the thumbprint to the publish profile file. See more in this link
How to make it work:
Register the domain you want; here I will use www.example.com
Register a CNAME record at your DNS provider pointing to your Service Fabric default domain, like xyz.dev.eastus.cloudapp.com.
Get a PFX certificate from a trusted authority, or your own self-signed certificate if it is for internal use only.
Add the certificate to key vault
Configure the VMSS to use the certificates from key vault
Update your cluster configuration with your certificate thumbprint
This link and this link provide the documentation on how to set up the cluster certificates.
And the following link has a detailed explanation of how to set up applications:
https://ronaldwildenberg.com/custom-domain-name-and-certificate-for-your-azure-service-fabric-cluster/
If you just want to create a secure cluster for dev and test purposes, you could just create it from the portal and let Azure generate the correct certificate for you. For production workloads, you should create your own certificates; please take a look at this link for more info.
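The following is an added example, not from the question, the answer, or the Service Fabric project. It installs the cluster certificate's PFX where the Service Fabric tooling looks by default (CurrentUser\My) and then tests the secure connection with the Service Fabric PowerShell module, which gives a clearer failure than Visual Studio's "Failed to contact the server". It assumes a portal-created cluster whose cluster certificate is also accepted as the admin client certificate, which is the configuration the question describes trying; the endpoint, PFX path and thumbprint are assumptions.

```powershell
# Added example (not from the original thread). Endpoint, path and thumbprint are assumed.
param(
    [string]$PfxPath              = 'C:\certs\cluster.pfx',               # assumed
    [string]$Endpoint             = 'xyz.dev.eastus.cloudapp.com:19000',  # assumed; the client connection endpoint
    [string]$ServerCertThumbprint = ''                                     # blank = same cert as the client cert
)

function Install-ClusterClientCert {
    param([string]$Path)
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    $cert = Import-PfxCertificate -FilePath $Path -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword
    # A certificate without its private key cannot authenticate the client; rule that out first
    if (-not $cert.HasPrivateKey) { throw "Imported $($cert.Thumbprint) but it has no private key" }
    return $cert
}

function Test-SecureClusterConnection {
    param([string]$ConnectionEndpoint, [string]$ClientThumbprint, [string]$ServerThumbprint)
    Import-Module ServiceFabric -ErrorAction Stop   # installed with the Service Fabric SDK
    # Mutual TLS: we present the client cert found by thumbprint, and only accept the named server cert
    Connect-ServiceFabricCluster -ConnectionEndpoint $ConnectionEndpoint -X509Credential `
        -ServerCertThumbprint $ServerThumbprint `
        -FindType FindByThumbprint -FindValue $ClientThumbprint `
        -StoreLocation CurrentUser -StoreName My | Out-Null
    return (Get-ServiceFabricClusterHealth).AggregatedHealthState
}

$cert = Install-ClusterClientCert -Path $PfxPath
if (-not $ServerCertThumbprint) { $ServerCertThumbprint = $cert.Thumbprint }
$health = Test-SecureClusterConnection -ConnectionEndpoint $Endpoint `
    -ClientThumbprint $cert.Thumbprint -ServerThumbprint $ServerCertThumbprint
Write-Output "Connected with client cert $($cert.Thumbprint); cluster health: $health"
```

The five connection values used here (endpoint, server thumbprint, client thumbprint, store location and store name) are the same ones the Visual Studio publish profile's cluster connection parameters carry, so once this script connects, copying them into the profile is all that remains.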

The certificate could not be deleted from cloud service XXX

I'm trying to remove a certificate (via the Management Portal) that is due to expire on 16/07/2014, and I'm getting this error:
The certificate I'm trying to delete was automatically generated 'CN=Windows Azure Tools' and was used for Remote Access.
I also tried to configure the cloud services to use new certificates, but still no success.
I looked at Fiddler's log and indeed there is an internal server error:
My questions are:
Is there any way I can delete this certificate?
If I can't delete it, what happens when it expires?
What I really want to avoid is to have to redeploy the production services because of this certificate.
Florin, you cannot delete a certificate in production use, but you have two options for this issue:
The easiest option is to just ignore it. The RDP cert is only used for password encryption, and it doesn't matter whether the cert is expired or not, since Azure does not check the expiration date when doing the encryption/decryption.
You can upload a new certificate and then modify the RDP configuration to use that new certificate. After this you can delete the old certificate. This is essentially the same process you would use for an HTTPS certificate.

Azure Cloud Service deployment - Azure can't validate SSL certificate

When trying to deploy my MVC application to Azure Cloud Services, deployment fails with the error "Azure failed to validate the specified certificate". As far as I can tell, I've set everything up correctly.
My cloud service is sitting in Azure at myapp.cloudapp.net. I've set up an A record on my own domain myapp#mydomain.com to point to the Azure cloud service. This works as expected.
Next, in IIS on the Azure VM, I created a certificate request for myapp#mydomain.com, submitted this to my chosen CA and got a .crt certificate from them. Back in IIS, I completed the certificate request using the .crt certificate and placed it into the Personal certificate store. I then exported a .pfx certificate from IIS.
I used the .pfx certificate to upload to the Azure portal as shown.
I also installed the .pfx certificate into the Personal certificate store on a developer machine used for Azure deployment.
In Visual Studio 2012, for the webrole, I selected my installed .pfx certificate and set it as the certificate for the HTTPS endpoint.
At this point I then attempt to deploy the site to Azure. After a while, the deployment fails in Visual Studio with the error "Azure failed to validate the specified certificate". Not quite sure where to go from here.
Since a previous version of the site is running in IIS on the Azure VM, manually editing the SSL binding to use the uploaded certificate works correctly but the deployment issue still remains.
In the end I opened a support ticket with the Azure team and over the course of a few hours we tracked down the issue to a missing certificate for the remote desktop add on to the web role.
The certificate thumbprint given by the team was one that wasn't present in the portal, nor was it ever part of my solution. Unfortunately, this detail was only given by the team and isn't displayed when the deployment fails.
However, the solution was to remove the remote desktop add on, redeploy the service and re-enable remote desktop.
We have now been able to deploy using an HTTPS endpoint with no further issues.
Here is what you need to do:
1) Open the command prompt and type certmgr.msc
2) This will open the certificate manager on your machine.
3) Open the Personal folder and locate the certificate.
4) Right-click and select Export.
5) Export the certificate with the private key and a password.
6) Go to the Azure portal and re-upload the certificate.
7) After a successful upload of the certificate to the cloud service, re-publish from VS.
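Because the failing thumbprint in the accepted answer never appeared in the portal or the solution, the useful pre-publish check is to take the thumbprints from the service configuration itself and verify each one locally. The script below is an added example, not from either answer: it reads every `<Certificate>` element in a .cscfg (including the Remote Desktop plugin's password-encryption certificate), checks that each is installed with a private key, and exports the ones that are as PFX files ready for upload. The sample configuration and its thumbprints are constructed placeholders.

```powershell
# Added example (not from the original thread). The .cscfg below is constructed with placeholder thumbprints.
$sampleCscfg = @'
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="MyApp" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Instances count="1" />
    <Certificates>
      <Certificate name="HttpsCert" thumbprint="0000000000000000000000000000000000000001" thumbprintAlgorithm="sha1" />
      <Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="0000000000000000000000000000000000000002" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>
'@

function Get-CscfgCertificates {
    param([xml]$Config)
    # The cscfg has a default namespace, so XPath needs an explicit prefix
    $ns = New-Object System.Xml.XmlNamespaceManager($Config.NameTable)
    $ns.AddNamespace('sc', 'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration')
    foreach ($role in $Config.SelectNodes('//sc:Role', $ns)) {
        foreach ($c in $role.SelectNodes('sc:Certificates/sc:Certificate', $ns)) {
            [pscustomobject]@{ Role = $role.name; Name = $c.name; Thumbprint = $c.thumbprint.ToUpperInvariant() }
        }
    }
}

function Test-LocalCertificate {
    param([string]$Thumbprint)
    # Same order Visual Studio's publish wizard is likely to find them in: user store, then machine store
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $c = Get-ChildItem -Path "$store\$Thumbprint" -ErrorAction SilentlyContinue
        if ($c) { return [pscustomobject]@{ Found = $true; Store = $store; HasPrivateKey = $c.HasPrivateKey; Certificate = $c } }
    }
    [pscustomobject]@{ Found = $false; Store = $null; HasPrivateKey = $false; Certificate = $null }
}

$pfxPassword = Read-Host -Prompt 'Password for exported PFX files' -AsSecureString
foreach ($ref in Get-CscfgCertificates -Config ([xml]$sampleCscfg)) {
    $r = Test-LocalCertificate -Thumbprint $ref.Thumbprint
    if (-not $r.Found) {
        Write-Warning "$($ref.Role)/$($ref.Name): $($ref.Thumbprint) is not installed locally; the portal must already have it or publishing will fail"
        continue
    }
    if (-not $r.HasPrivateKey) {
        Write-Warning "$($ref.Role)/$($ref.Name): found in $($r.Store) without a private key; cannot export a PFX"
        continue
    }
    $out = Join-Path $env:TEMP "$($ref.Name).pfx"
    Export-PfxCertificate -Cert $r.Certificate -FilePath $out -Password $pfxPassword | Out-Null
    Write-Output "$($ref.Role)/$($ref.Name): exported $out from $($r.Store); upload it to the cloud service before publishing"
}
```

Replace `$sampleCscfg` with `Get-Content -Raw .\ServiceConfiguration.Cloud.cscfg` to run it against a real project; the Remote Desktop plugin's certificate shows up under the `Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption` name, which is what the accepted answer's support case turned on.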
