When trying to deploy my MVC application to Azure Cloud Services, deployment fails with the error "Azure failed to validate the specified certificate". As far as I can tell, I've set everything up correctly.
My cloud service is sitting in Azure at myapp.cloudapp.net. I've set up an A record on my own domain myapp#mydomain.com to point to the Azure cloud service. This works as expected.
Next in IIS on the Azure VM, I created a certificate request for myapp#mydomain.com, submitted this to my chosen CA and got a .crt certificate from them. Back in IIS, I completed the Certificate Request using the .crt certificate and placed into the Personal certificate store. I then exported a .pfx certificate from IIS.
I used the .pfx certificate to upload to the Azure portal as shown.
I also installed the .pfx certificate into the Personal certificate store on a developer machine used for Azure deployment.
In Visual Studio 2012, for the webrole, I selected my installed .pfx certificate and set it as the certificate for the HTTPS endpoint.
At this point I then attempt to deploy the site to Azure. After a while, the deployment fails in Visual Studio with the error "Azure failed to validate the specified certificate". Not quite sure where to go from there.
Since a previous version of the site is running in IIS on the Azure VM, manually editing the SSL binding to use the uploaded certificate works correctly but the deployment issue still remains.
In the end I opened a support ticket with the Azure team and over the course of a few hours we tracked down the issue to a missing certificate for the remote desktop add on to the web role.
The certificate thumbprint given by the team was one that wasn't present in the portal nor was it ever part of my solution. Unfortunately, this detail was only given by the team and isn't displayed when the deployment failed.
However, the solution was to remove the remote desktop add on, redeploy the service and re-enable remote desktop.
We have now been able to deploy using an HTTPS endpoint with no further issues.
Here is what you need to do:
1) Open the command prompt, type certmgr.msc
2) This will open the certificate manager on your machine.
3) Open Personal folder and try to locate the certificate.
4) Right click and select export.
5) Export the certificate with the private key and a password.
6) Go to Azure portal and re-upload the certificate.
7) After a successful upload to the certificate on cloud service, re-publish from VS.
Related
Our APIs are exposed through Azure Cloud Services (Web Role). We use certificate uploaded to Cloud Service for encryption of data stored in backend. During certificate rotation, We uploaded new certificate by updating *.CSCFG file
Our CSCFG
<Certificate name="encryptcertificatethumbprint" thumbprint="NewThumbprint" thumbprintAlgorithm="sha1" />
When we login into Portal > Cloud Service > Certificates Tab. We could see both Old Certificate and New certificate.
Unfortunately some of the records in backend system are not re-encrypted with new rotated certificate. When our App reads data from backend system, it fails to decrypt with message "The secret could not be decrypted. Check that certificate with serial number 'XXXXX-XXX' is installed. The inner cryptographic exception: 'Keyset does not exist" since old certificate is not present in webrole instance.
Instead of doing another deployment with both certificates, we remote into web role instance and installed old certificate under Personal > Certificate
After installing old certificate, Application still unable to find certificate by thumbprint in Local Machine certificate store. We tried restarting webrole, still application unable to pick certificate.
Few Questions, can anyone help (without any deployment to address this issue)
What will be certificate location on webrole instance, where we can upload certificate. Our logic of certificate search based on Serial number in LocalMachine and then also Current User. Though we uploaded certificate in LocalMachine, Still webrole unable to pickup certificate
What will be Current User certificate store i.e. what will be account on which webrole runs
If the certificate gets expired, will certificate be returned ?
I haven't tried to accomplish your specific goal, but this information may help get you closer.
The Azure guest agent installs certificates as the system account in the CurrentUser store, so any interactions you want to do with those certs will need to be as the system account. To do this you can download Sysinternals Suite and run psexec to launch a cmd prompt under System context. Then in that new cmd prompt you can run certutil, mmc.exe, etc:
psexec -i -d -s cmd
certutil -store -user My
You should be aware that whatever you do (ie. installing a new certificate) will be temporary.
See https://learn.microsoft.com/en-us/archive/blogs/kwill/windows-azure-disk-partition-preservation for information about when the Windows partition (D drive) will be rebuilt, meaning you will lose your manually installed certificates.
Unexpected role recycles (ie. WaHostBootstrapper exits or WaIISHost/WaWorkerHost crashes) will cause the guest agent to uninstall and then reinstall all certificates.
Issue got resolved. After giving permission to "Network Service".
Right Click on Certificate > All Task > Manage Private Key > Add Network Service Account to get access to certificate.
Can we use Service Management API to create/update/Delete Resource with XAMPP Localhost? They seek Certificates .cer and .pfx. I have uplaoded under Azure panel and unser my service -> SSL Settings.
When I am trying to make a connection from my local machine for Service API it still giving me exception Certificate not found. I am using PHP SDK for Azure. [package : "microsoft/windowsazure": "^0.5"]
can someone please guide me how to make conneciton from local and what if I want to make it in production?
Was using wrong format of certificates, it needs .pem file absolute path. .cer must have to be imported under your Subscription Management certificates in Azure portal
I've created a secured SF cluster from the portal, but I can't connect to the explorer from the browser or deploy my app from VS. I have the cluster certificate (the one it makes you create on a Key Vault when you first deploy the cluster) installed on my machine. I got the .pfx file from the Key Vault and installed it on my Windows machine both with double click/wizard and with Powershell Import-PfxCertificate cmdlet.
Still after that, VS says Failed to contact the server. Please try again later or get help from "How to configure secure connections"
I tried added an client "admin" certificate, but it only asks me for the Thumbprint or the subject name, where I put the ones from the previously created cluster certificate. I don't really know if I need to buy a client certificate to make it work, or where do I get it?
And as I said, I can't access to the explorer using the browser either. Any ideas?
Here some screenshots:
This error message might be:
- The certificate issuer authority is not trusted
- because the certificate you installed is not valid or does not target the domain you are trying to access.
if the certificate issuer is not trusted, you might have to:
Trust then, please see this link
Or, get a new certificate from a trusted and execute the steps below
If the certificate is invalid, or misconfigured:
The message is chrome telling you that the certificate is not valid, and you can proceed on your own risk. You should be okay if you click Proceed to xyz.dev.eastus.cloudapp.com.
To deploy applications from Visual Studio to the cluster, you have to install the PFX certificate in the machine, and add the thumbprint to the publish profile file. See more in this link
How to make it work:
Register the domain you want, here I will say as www.example.com
Register the CNAME record on your DNS provider pointing to your Service Fabric default domain likexyz.dev.eastus..cloudapp.com.
Get a PFX certificate from a trusted authority, or your own self-signed certificate if it is for internal use only.
Add the certificate to key vault
Configure the VMSS to use the certificates from key vault
Update your cluster configuration with your certificate thumbprint
This link and this link provides the documentation on how to setup the cluster certificates.
And the following link has a detailed explanation how setup applications:
https://ronaldwildenberg.com/custom-domain-name-and-certificate-for-your-azure-service-fabric-cluster/
If you just want to create secure cluster for Dev and Test purposes, you could just create from the portal and let azure generate the correct certificate for you. For production workloads, you should create your certificates, Please take a look at this link for more info.
I have a GoDaddy SSL certificate installed in my Azure web role. It works for most clients, but some clients complain that the certificate is "not trusted". In particular, I have an Azure Scheduler Job wired up to periodically POST to an https endpoint in my web role, but the POST fails. After some investigation, it turns out that the POST fails because the SSL certificate is "not trusted".
The fact that my SSL certificate is not wired up completely correctly is also verified by examining my domain using this tool:
https://www.digicert.com/help
I understand that many clients (web browsers) have the GoDaddy certificate chain (that is, the "intermediate" certificates that get from my SSL certificate to the GoDaddy root CA) baked into them. But some clients (such as the Azure Scheduler) expect my web server to provide not only my SSL certificate but also all of the intermediate certificates up to the root CA.
How do I include the intermediate certificates in my Azure web role?
Note: I am asking this question with the intent of answering it myself (now that I've struggled for a week to figure it out).
Overview of the answer
You need to manually add the intermediate certificates to the Web role "certificates" (in Visual Studio), and you need to upload the intermediate certificates to your Azure Web Role.
Step 1: Convert the p7b file to a pfx for upload to Azure
This step is derived from this article.
Download your certificate files from GoDaddy. That gets you a zip file that contains a crt file and a p7b file. The crt file contains your SSL certificate, but it's not fully baked until you complete the CSR request. See below for details. The p7b file contains the GoDaddy intermediate certificates.
Complete the CSR request using the crt file. See this SO answer for details.
Open the Windows Certificate Manager (certlm.msc)
Import the p7b file into the Local computer/Intermediate Certifcation Authorities/Certificates node.
Export the SSL certificate and its dependencies as a .PFX file. This step works if you export the certificate using Certificate Manager (certlm.msc), but not (as far as I can tell) if you export the certificate using IIS Manager. Find your SSL certificate in the Personal/Certificates node, right-click, and select All tasks.../Export. Tell the wizard to export the private key, and include all certificates in the path and all extended properties.
Step 2: Upload the certificates to the Azure Web Role
Upload the pfx file that you created in the previous step to the Certificates in your Azure Web Role. This will add your SSL certificate and all of the intermediate certificates up to the root CA to your Azure web role.
Step 3: Add the certificates to your Web Role project
This step is loosely derived from this article.
In Visual Studio, navigate to your Web Role (Solution/Azure project/Roles/Your web role), right-click, and select Properties
In the Properties window, select Certificates
Now, you need to manually add a new certificate (actually, you are just adding a new certificate thumbprint) for each intermediate certificate. You can either copy-and-paste the thumbprints from the Azure Portal "Certificates" web page, or (with a little extra work) you can get them directly from the local Windows certificate store.
If you want to get the thumbprints using the built-in "read the certificate from my computer" magic in Visual Studio, you need to first:
Open the Windows Certificate Manager (certlm.msc)
Import the pfx file containing your intermediate certificates into the Personal/Certificates node
Meanwhile, back in Visual Studio, for each intermediate certificate:
Click "Add certificate", then
Enter a meaningful name for the intermediate certificate (the name is for your reference only; it's not used for anything)
Set the Store Name to CA.
Enter the certificate Thumbprint. You can copy-and-paste it from the Web Role/Certificates page in the Azure portal, or, if you've imported the certificates into your personal certificate store (as described above) you can get it by clicking the ellipses in the Thumbprint box and selecting the certificate.
Step 4: Publish and test
Whew. So, now you've converted the p7b and crt files to a pfx file that contains your SSL certificate plus the GoDaddy certificates. You've uploaded the certificates to Azure, and you've added them to your Visual Studio project.
Publish your new project to Azure. You can test your website's SSL using either of these online tools:
https://www.sslshopper.com/ssl-checker.html
https://www.digicert.com/help
During the development, we didn't get the domain binding for our application, so we just use the Azure URL, something like this: xxx.cloudapp.net.
Because we would like our website use HTTPS protocol, we need to use a certificate, just follow the MSDN, we generated the self-signed pfx file using IIS Manager. Before we publish our application to cloud, we upload the pfx file to cloud by the portal page.
So my question is, is above the only way for this situation? Which I means, I need to upload the certificate to cloud manually first, then publish the application? Is there a way I don't need to to this, something like I even not rely on IIS Manager, the cloud can generate a certificate?
Simple answer to your question is No, Azure can't create a certificate for you. But you could do the same.
To elaborate further, let me explain you what's happening behind the scenes. So you have uploaded the PFX certificate in the portal and in your application configuration screen you have specified the thuumbprint of that certificate. When Azure Fabric Controller spins of the VM, it checks for this certificate thumbprint and based on that it fetches the certificate you uploaded previously and installs that certificate. Furthermore it makes changes to the IIS settings does the SSL magic. Now if you want (not sure why) but you could do the same. If we take just development environment, what you could do is write a startup task which would first create a certificate using makecert utility. Then you would write some IIS scripts which will do the SSL magic for IIS.
Yet another thing you could do is automate the deployment of your code using Azure PowerShell Cmdlets. As a part of deployment automation, 1st thing you would do is upload the SSL certificate using Add-AzureCertificate and then create a deployment of your service using New-AzureDeployment.