How to fix or troubleshoot Azure Web App Linux: Unhandled exception. System.Security.Cryptography.CryptographicException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.

Marley Gray 20 Reputation points Microsoft Employee
2024-02-23T18:06:01.94+00:00

An ASP.NET Core 8 Web API application is receiving this exception when trying to load the certificates for use. The certificates are loaded, and the environment variable WEBSITE_LOAD_CERTIFICATES has the thumbprints or *; it doesn't matter which.
I get the same results with a Docker and a .zip deploy, so I figured it could be a container issue. Funny thing is, I have another web app that uses certificates the same way and works just fine. I can't see any difference between the two.


Accepted answer
  1. Grmacjon-MSFT 17,886 Reputation points
    2024-03-13T06:49:43.2833333+00:00

    Hi @Marley Gray, I'm glad that you were able to resolve your issue.

    Thanks for taking the time to share a detailed answer describing your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    • You had an issue with your ASP.NET Core 8 Web API application when you tried to load certificates. Despite having the environment variable WEBSITE_LOAD_CERTIFICATES set with the thumbprints or *, the application threw a System.Security.Cryptography.CryptographicException: Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.
    • This issue persisted regardless of whether the application was deployed using Docker or .zip.
    • You had another web application that used certificates in the same manner and worked fine.

    Solution:

    • Ultimately, loading the certificates directly from AKS instead of having them injected into the container by the App Service resolved your issue
    • You wrote an AKS provider that used DefaultAzureCredentials to fetch the same certificates you uploaded which helped to resolve the issue:
        // Namespaces the snippet relies on (not shown in the original post):
        using System;
        using System.Security.Cryptography.X509Certificates;
        using Azure.Identity;
        using Azure.Security.KeyVault.Certificates;
        ...
        options.AddEncryptionCertificate(AksConfigurationProvider.GetEncryptionCertFromAks());
        ...
        // CertificateClient is the Azure Key Vault certificates client; AksUri holds the vault URL.
        // DefaultAzureCredential resolves to the app's managed identity when running in App Service.
        private static X509Certificate2 GetCertFromAks(string certName)
        {
            var client = new CertificateClient(vaultUri: new Uri(AksUri),
                                               credential: new DefaultAzureCredential());
            // DownloadCertificate returns Response<X509Certificate2>; .Value unwraps the
            // certificate together with its private key.
            return client.DownloadCertificate(certName).Value;
        }
    

1 additional answer

  1. Marley Gray 20 Reputation points Microsoft Employee
    2024-03-12T12:53:15.54+00:00

    Yes, I solved the issue by loading the certificates by fetching them directly from AKS instead of having them injected into the container by the App Service. Both apps had identical uses of OpenIddict and App Service configuration, with the certificates uploaded and thumbprints added as environment variables to load them:

            // Namespaces the snippet relies on (not shown in the original post):
            using System;
            using System.IO;
            using System.Security.Cryptography.X509Certificates;
            ...
            options.AddEncryptionCertificate(LoadCertificate(
                 pfxCertConfig.EncryptionCertificateThumbprint));
            ...

            // Reads the PKCS#12 file that App Service for Linux mounts for each
            // thumbprint listed in WEBSITE_LOAD_CERTIFICATES.
            private static X509Certificate2 LoadCertificate(string thumbprint)
            {
                try
                {
                    var bytes = File.ReadAllBytes($"/var/ssl/private/{thumbprint}.p12");
                    return new X509Certificate2(bytes);
                }
                catch (Exception e)
                {
                    // Log and rethrow so startup fails visibly rather than running without the cert.
                    Console.WriteLine(e);
                    throw;
                }
            }
    

    This would work for one but not the other. The only difference I could tell was one was initially deployed as a net7.0 and then upgraded to net8.0 and continued to work and the other was net8.0 from the start.

    I just wrote an AKS provider that would use DefaultAzureCredentials to fetch the same certificates I uploaded to resolve the issue:

        // Namespaces the snippet relies on (not shown in the original post):
        using System;
        using System.Security.Cryptography.X509Certificates;
        using Azure.Identity;
        using Azure.Security.KeyVault.Certificates;
        ...
        options.AddEncryptionCertificate(AksConfigurationProvider.GetEncryptionCertFromAks());
        ...
        // CertificateClient is the Azure Key Vault certificates client; AksUri holds the vault URL.
        // DefaultAzureCredential resolves to the app's managed identity when running in App Service.
        private static X509Certificate2 GetCertFromAks(string certName)
        {
            var client = new CertificateClient(vaultUri: new Uri(AksUri),
                                               credential: new DefaultAzureCredential());
            // DownloadCertificate returns Response<X509Certificate2>; .Value unwraps the
            // certificate together with its private key.
            return client.DownloadCertificate(certName).Value;
        }
    
    
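The loader below is an added example, not code from either answer above: it combines the two approaches in the thread (the App Service mount under /var/ssl/private and the Key Vault fetch) without ever opening the LocalMachine X509Store, and adds the checks a practitioner wants before handing a certificate to OpenIddict. The class and method names, and the KEY_VAULT_URI setting used in the usage comment, are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

// Hypothetical helper; not part of the original answers.
public static class AppServiceCertificateLoader
{
    // Tries the file App Service for Linux mounts for each thumbprint listed in
    // WEBSITE_LOAD_CERTIFICATES. Returns null when the file is absent so the caller can fall back.
    public static X509Certificate2? TryLoadMounted(string thumbprint)
    {
        var path = Path.Combine("/var/ssl/private", $"{thumbprint}.p12");
        if (!File.Exists(path))
            return null;

        var cert = new X509Certificate2(File.ReadAllBytes(path));
        Validate(cert, thumbprint);
        return cert;
    }

    // Fallback: download the certificate (with private key) from Key Vault using the
    // app's managed identity via DefaultAzureCredential.
    public static X509Certificate2 LoadFromKeyVault(Uri vaultUri, string certName, string expectedThumbprint)
    {
        var client = new CertificateClient(vaultUri, new DefaultAzureCredential());
        // DownloadCertificate returns Response<X509Certificate2>; .Value is the certificate.
        X509Certificate2 cert = client.DownloadCertificate(certName).Value;
        Validate(cert, expectedThumbprint);
        return cert;
    }

    // Fail fast at startup if the wrong certificate, a public-only certificate, or an
    // expired one was loaded; each of these otherwise surfaces later as a token failure.
    private static void Validate(X509Certificate2 cert, string expectedThumbprint)
    {
        if (!string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"Loaded {cert.Thumbprint}, expected {expectedThumbprint}.");
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key; OpenIddict cannot use it.");
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"Certificate expired on {cert.NotAfter:u}.");
    }
}

// Usage in the OpenIddict server setup (KEY_VAULT_URI is an assumed app setting):
// var cert = AppServiceCertificateLoader.TryLoadMounted(thumbprint)
//     ?? AppServiceCertificateLoader.LoadFromKeyVault(
//            new Uri(Environment.GetEnvironmentVariable("KEY_VAULT_URI")!), "encryption-cert", thumbprint);
// options.AddEncryptionCertificate(cert);
```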
