How to access Azure Web App certs from Container - azure-web-app-service

I have created a api app that runs in a container hosted in a Azure Web App service. This app needs to access to the certs that have been loaded into the azure web app service (using TLS/SSL settings).
I have tried setting the WEBSITE_LOAD_CERTIFICATES to *, but not sure that this has worked.
So how do I get access to the certs, and how can I confirm that they are avialable in my container. (Or do I have to manually load the cert into my container)

About your first question: "not sure that this has worked".
It is achievable to set the WEBSITE_LOAD_CERTIFICATES to *, see here:
The WEBSITE_LOAD_CERTIFICATES app settings makes the specified
certificates accessible to your Windows or Linux container apps
(including built-in Linux containers) as files.
Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value
set to the thumbprint of the certificate will make it accessible to
your web application. You can have multiple comma-separated thumbprint
values or can set this value to “ * “ (without quotes) in which case
all your certificates will be loaded to your web applications personal
certificate store.
About "how can I confirm that they are avialable in my container?"
In addition, Windows Server Core containers load the certificates into
the certificate store automatically, in LocalMachine\My. To load the
certificates, follow the same pattern as Load certificate in Windows
apps. For Windows Nano based containers, use the file paths provided
above to Load the certificate directly from file.
The official also offers a C# code shows how to load a public certificate in a Linux app.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
...
var bytes = File.ReadAllBytes("/var/ssl/certs/<thumbprint>.der");
var cert = new X509Certificate2(bytes);
// Use the loaded certificate
Refer to:
Load certificate in Linux/Windows containers
Using Certificates in Azure Websites Applications

Related

Azure - Linux WebApp - Root certificate for chain

I've got my public cer certificates attached to my web app as listed here:
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal
The third party have provided both a certificate and root certificate for use.
Our web app is a Linux version - I cant find how to add certificate chain or place the certificate in any location except currentuser/my.
Anyone able to help out? Let me know if you need more details. I've hunted this site and there isnt a question thats a duplicate.....
We can load the Private / root trusted certifacte to Azure Linux from the code
As per this MSDoc,use the below code snippet to load a private certificate in a Linux app.
using System; using System.IO; using
System.Security.Cryptography.X509Certificates;
...
var bytes = File.ReadAllBytes("/var/ssl/private/<thumbprint>.p12");
var cert = new X509Certificate2(bytes);
// Use the loaded certificate
Add WEBSITE_LOAD_CERTIFICATES in Application Settings under the Configuration Section of the deployed Azure Linux Web App
Please refer Using Certificates in Azure Websites Applications ,Root CA on App Service and SO Thread for more information

Cannot connect to external https from Azure SF due to untrusted certificate

I have an application, deployed in Azure Service Fabric.
The application connects to external web service which has an untrusted SSL certificate and fails.
I solved problem by implementing custom cert validation logic in "ServerCertificateCustomValidationCallback" method of HttpClient, however this is not an ideal solution.
How to install external SSL certificate into the trusted store on VMs in VMSS, so that any app in ASF can consume external web services without additional efforts?
Additional notes
Certificate contains no private key, so it cannot be imported into Azure key vault and used in ARM template (or I didn't find a way how to achieve this)
Certificate cannot be installed manually via RD, because this doesn't support autoscaling
It is possible to import .pfx certificate without password into Azure Key Valut. Certificate should be imported into Secrets (not into Certificates). Azure portal says, that this feature is deprecated but it works.
When certificate is in key valut, then ARM template can be used to deploy it onto VMs.
To get pfx certificates, I downloaded root and intermediate certificates in browser. Then converted .cer to .pfx via small .net console, written by myself - check X509Certificate class, it has all necessary methods.

Loading a TLS certificate uploaded to the Azure portal into a Linux app service container

For some time we've had an ASP.NET Core web app running on an Azure App Service. As part of upgrading to netcoreapp2.2 we've decided to Dockerize it and run it on a Linux container, still in an app service.
One thing this app does is load in a TLS certificate for token signing. Previously this certificate was uploaded to the app service and the application would find it by thumbprint in a new X509Store(StoreName.My, StoreLocation.CurrentUser). This could be enabled by adding a configuration setting WEBSITE_LOAD_CERTIFICATES with value set to the certificate's thumbprint.
Having tried the same approach with a Linux container we're finding the certificate doesn't exist in the certificate store.
I found this issue on Github from earlier this year which suggests it's just not possible on Linux. Is this still the case? If so, does anyone know a work-around which doesn't involve storing the certificate itself in the image?
The feature now works on Linux.
Load certificate in Linux apps
The WEBSITE_LOAD_CERTIFICATES app settings makes the specified certificates accessible to your Linux hosted apps (including custom container apps) as files. The files are found under the following directories:
Private certificates - /var/ssl/private ( .p12 files)
Public certificates - /var/ssl/certs ( .der files)
The certificate file names are the certificate thumbprints. The following C# code shows how to load a public certificate in a Linux app.
using System;
using System.Security.Cryptography.X509Certificates;
var bytes = System.IO.File.ReadAllBytes("/var/ssl/certs/<thumbprint>.der");
var cert = new X509Certificate2(bytes);

Azure - Can we use Service Management API to create/update/Delete Resource with XAMPP Localhost?

Can we use Service Management API to create/update/Delete Resource with XAMPP Localhost? They seek Certificates .cer and .pfx. I have uplaoded under Azure panel and unser my service -> SSL Settings.
When I am trying to make a connection from my local machine for Service API it still giving me exception Certificate not found. I am using PHP SDK for Azure. [package : "microsoft/windowsazure": "^0.5"]
can someone please guide me how to make conneciton from local and what if I want to make it in production?
Was using wrong format of certificates, it needs .pem file absolute path. .cer must have to be imported under your Subscription Management certificates in Azure portal

ID1024 The configuration property value is not valid error in Azure WebSite

I am trying to consume the certificate uploaded in azure website(not webrole) in my web app using following config
<microsoft.identityModel>
<!-- Service Configuration -->
<service>
<serviceCertificate>
<certificateReference findValue="2696C50B72CB368AEB11DE3B23CD226252A1BFD" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint"/>
</serviceCertificate>
<certificateValidation certificateValidationMode="None"/>
</service>
Code works fine on local system. But I am recieving error when deployed to azure website.
ID1024 The configuration property value is not valid
ID1025 Cannot find a unique certificate that matches the criteria
I then tried to browse all the certificates in my azure website(using code). But the certificate list does not contain my uploaded certificate.
Certificate is uploaded and can be seen in azure portal.
Custom domain is mapped and the uploaded certficiate is used against the domain.
But somehow my web app is unable to find the certificate. I tried all possible combination of StoreName and StoreLocation but in vain.
I think there may be some confusion on what the certificates you upload via the Configure tab for Websites are used for. Currently the certificates loaded there are ONLY used for SSL.
When looking at the little help icon next to the certificates section on the configure tab the tooltip states the following:
"This section lets you manage SSL certificates that you can bind to your custom domain names. Binding an SSL certificate to your custom domain name will allow your end users to access your site over HTTPS."
Windows Azure Web Sites exist at a process level, meaning that they can be started up on one machine but move around as the processes go up and down. If you aren't familiar with this I'd suggest reading up on how the hosting model works for Web Sites. Here is an article that covers it: Windows Azure Web Sites - A New Hosting Model for Windows Azure (full disclosure: I wrote the article).
Loading the certificate here I do not believe adds the certificate to any of the stores on the machines your web site runs on. Windows Azure would need to ensure that the cert is always on the machine the site is deployed to and since this is only at a process level and can change frequently (unless you are using standard) it doesn't make sense. The SSL certs are handled differently and as far as I know aren't really deployed to each machine.
As far as I know in order for you to load a certificate and use it you'll either need to look at a web role where loaded certs from the portal ARE placed into the store on the VM or look to see if you can load the certificate manually in code and ship the cert as content on your site (which seems a little less secure to me). I could just be overlooking an option though.

Resources