Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Signing certificate invalid on production in docker container

See original GitHub issue

Confirm you’ve already contributed to this project or that you sponsor it

  • I confirm I’m a sponsor or a contributor

Version

3.x

Question

I’ve deployed my application using docker to a server, I’ve generated certificates using OpenSSL and passed them as a volume to my docker container.

When the application starts up I get an exception in the log saying:

root-nextlevel-auth-1  | warn: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[12]
root-nextlevel-auth-1  |       Key {5698643d-b0a7-4c77-b4f7-03c93ed2d78f} is ineligible to be the default key because its CreateEncryptor method failed.
root-nextlevel-auth-1  |       System.Security.Cryptography.CryptographicException: Symmetric algorithm is not specified.
root-nextlevel-auth-1  |          at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData , String )
root-nextlevel-auth-1  |          at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
root-nextlevel-auth-1  |          at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
root-nextlevel-auth-1  |          at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
root-nextlevel-auth-1  |          at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
root-nextlevel-auth-1  |          at Microsoft.AspNetCore.DataProtection.KeyManagement.DeferredKey.<>c__DisplayClass1_0.<GetLazyDescriptorDelegate>b__0()
root-nextlevel-auth-1  |          at System.Lazy`1.ViaFactory(LazyThreadSafetyMode )
root-nextlevel-auth-1  |          at System.Lazy`1.ExecutionAndPublication(LazyHelper , Boolean )
root-nextlevel-auth-1  |          at System.Lazy`1.CreateValue()
root-nextlevel-auth-1  |          at System.Lazy`1.get_Value()
root-nextlevel-auth-1  |          at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.get_Descriptor()
root-nextlevel-auth-1  |          at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
root-nextlevel-auth-1  |          at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor()
root-nextlevel-auth-1  |          at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key)

This is an exception from the data protection stack, but if I disable this certificate on data protection I get about the same error from OpenIddict because they utilize the same certificate.

This is the code how I set up data protection and OpenIddict:

using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadWrite);

var dataProtectionCertificate = new X509Certificate2(
  configuration.GetValue<string>("Core:DataProtectionCertificatePath"),
  configuration.GetValue<string>("Core:DataProtectionCertificatePassword"));

var signingCertificate = new X509Certificate2(
  configuration.GetValue<string>("OpenId:SigningKeyCerfificatePath"),
  configuration.GetValue<string>("OpenId:SigningKeyCertificatePassword"));

store.Add(dataProtectionCertificate);
store.Add(signingCertificate);

services.AddDataProtection()
  .SetApplicationName(hidden)
  .PersistKeysToDbContext<ApplicationDbContext>()
  .ProtectKeysWithCertificate(dataProtectionCertificate);
            
----------------
// OpenIddict server options builder
options.UseDataProtection();
options.AddEncryptionCredentials(encryptionKey);
options.AddSigningCertificate(signingCertificate);

The 2 certificates are (for now) the exact same certificate generated using OpenSSL like so:

openssl genrsa -aes256 -out app_key.pem 2048
openssl req -key app_key.pem -new -x509 -days 36500 -out app_cert.crt
openssl pkcs12 -export -in app_cert.crt -inkey app_key.pem -out app_cert.pfx

Like I said the application is hosted on docker using the aspnet docker image, so this is running on Debian 11. The host system is Ubuntu 20.04.

What do I need to do to get valid certificates (because with the exact same certificates downloaded to my PC this exact same scenario works completely fine)

Issue Analytics

  • State:closed
  • Created a year ago
  • Comments:18 (9 by maintainers)

github_iconTop GitHub Comments

2reactions
bartonjscommented, Sep 20, 2022

You’re correct, which is why CryptoConfig.CreateFromName is painted with [RequiresUnreferencedCode("The default algorithm implementations might be removed, use strong type references like 'RSA.Create()' instead.")].

It might work to just have strong references somewhere else in your code; but in the BCL we never call into CryptoConfig, just use our own switchafalls (e.g. https://github.com/dotnet/runtime/blob/2f3fcca06499725469b6ae021be960e08d808c75/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HMACCommon.cs#L57-L69).

1reaction
bartonjscommented, Sep 20, 2022

I think it hasn’t come up automatically yet because we haven’t finished trimmer analysis on System.Security.Cryptography.Xml. That’s not to say that wherever the data protector lives wouldn’t benefit from a nudge to let them know they might want to draft a “how to make data protector happy in this scenario” doc.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Signing certificate inside a docker container?
InvalidOperationException: Cannot find certificate with thumbprint [CORRECT_THUMBPRINT_HERE]. If I change the certificate store from CurrentUser ...
Read more >
How to fix Docker error certificate signed by unknown authority ...
1: Create a file /etc/docker/daemon.json and add insecure-registries · 2: Restart the docker daemon by executing the command · 3: Create a directory...
Read more >
Verify repository client with certificates
We show you how to install a Certificate Authority (CA) root certificate for the registry and how to set the client TLS certificate...
Read more >
Test an insecure registry
With insecure registries enabled, Docker goes through the following steps: First, try using HTTPS. If HTTPS is available but the certificate is invalid,...
Read more >
Docker run Hello-World error x509: certificate signed by ...
Turns out the issue was caused by my company's proxy system called Zscalar which interjects its own certificates. Putting those certificates did ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Client and server on different domains - No correlation cookie with the specified state can be found

Next page

Refresh token flow in ASP.NET Core MVC environment