Hi
I am trying to create an instance of the class X509Certificate2 inside a container using microsoft/aspnetcore:2.0.3-nanoserver-1709 as the base image.
That's the code I use:
```c#
var buffer = Convert.FromBase64String(certStringInBase64);
return new X509Certificate2(buffer, password, X509KeyStorageFlags.MachineKeySet);
```
It works everywhere besides the image I pointed out on top.
On nanoserver 1709 I get the following exception:
Application startup exception: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Object was not found
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags)
at Sportflash.Extensions.Hosting.Kestrel.Store.Get(SecureString password)
at Sportflash.Extensions.Hosting.Kestrel.AppServiceHostBuilder.GetCertificateOptions()
at Sportflash.Extensions.Hosting.Kestrel.AppServiceHostBuilder.<>c.<UseKestreDependOnEnvironment>b__2_2(ListenOptions c)
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerOptions.Listen(IPEndPoint endPoint, Action`1 configure)
at Sportflash.Extensions.Hosting.Kestrel.AppServiceHostBuilder.<>c__DisplayClass2_0.<UseKestreDependOnEnvironment>b__1(KestrelServerOptions o)
at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
at System.Lazy`1.CreateValue()
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.CreateServiceContext(IOptions`1 options, ILoggerFactory loggerFactory)
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer..ctor(IOptions`1 options, ITransportFactory transportFactory, ILoggerFactory loggerFactory)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitConstructor(ConstructorCallSite constructorCallSite, ServiceProvider provider)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitScoped(ScopedCallSite scopedCallSite, ServiceProvider provider)
at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureServer()
at Microsoft.AspNetCore.Hosting.Internal.WebHost.BuildApplication()
Unhandled Exception: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Object was not found
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, SecureString password, X509KeyStorageFlags keyStorageFlags)
at Sportflash.Extensions.Hosting.Kestrel.Store.Get(SecureString password)
at Sportflash.Extensions.Hosting.Kestrel.AppServiceHostBuilder.GetCertificateOptions()
at Sportflash.Extensions.Hosting.Kestrel.AppServiceHostBuilder.<>c.<UseKestreDependOnEnvironment>b__2_2(ListenOptions c)
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerOptions.Listen(IPEndPoint endPoint, Action`1 configure)
at Sportflash.Extensions.Hosting.Kestrel.AppServiceHostBuilder.<>c__DisplayClass2_0.<UseKestreDependOnEnvironment>b__1(KestrelServerOptions o)
at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
at System.Lazy`1.CreateValue()
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.CreateServiceContext(IOptions`1 options, ILoggerFactory loggerFactory)
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer..ctor(IOptions`1 options, ITransportFactory transportFactory, ILoggerFactory loggerFactory)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitConstructor(ConstructorCallSite constructorCallSite, ServiceProvider provider)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitScoped(ScopedCallSite scopedCallSite, ServiceProvider provider)
at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureServer()
at Microsoft.AspNetCore.Hosting.Internal.WebHost.BuildApplication()
at Microsoft.AspNetCore.Hosting.WebHostBuilder.Build()
at Sportflash.Extensions.Hosting.Kestrel.AppServiceHostBuilder.Build[TStartup](Int32 port, String[] args)
at Sportflash.Data.Router.Program.Main(String[] args) in E:\Build\AGENT01\_work\16\s\Sportflash.Data.Router\Program.cs:line 10
I just hit this bug today using microsoft/aspnetcore:2.0.4-nanoserver-1709. Is there any confirmation of a pending bug fix or a workaround?
Application startup exception: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Object was not found
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
Same issue with microsoft/aspnetcore:2.0.0-nanoserver-1709 and microsoft/aspnetcore:2.0.5-nanoserver-1709
The exception is happening because Win32 PFXImportCertStore is failing (apparently with NTE_NOT_FOUND). I can reach out to Windows, but nothing has changed in .NET here.
If anyone has had success on nanoserver and can share a build number, that would be useful.
Similar issue here, I am trying to use https inside the microsoft/aspnetcore:2.0.0-nanoserver-1709 docker image, and I got a similar error message.
```c#
.UseKestrel(options => {
    options.Listen(IPAddress.Loopback, 80);
    options.Listen(IPAddress.Loopback, 443, listenOptions =>
    {
        // Certificate file name and password are passed as two arguments to UseHttps.
        listenOptions.UseHttps("localhost.pfx", "123456");
    });
})
```
[EDIT] Add C# syntax highlighting by @karelz
Jumping on to say "me too" - this issue prevented me from testing ASP.NET Core 2.1.0-preview1
I'm pretty sure it isn't a problem with dotnet but more with Nanoserver 1709. Generally when I fall back to windowsservercore:1709 or nanoserver:sac2016 the problem goes away. I am hoping the next Nanoserver (1803) fixes this problem. I haven't had time to test the insider previews to see if there is hope.
Follow up for the group, same problem using docker image microsoft/dotnet:2.1-aspnetcore-runtime-nanoserver-1803
Unhandled Exception: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Object was not found
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
Since I logged my comment here I've been in touch with Microsoft Support team and they've found the issue and suggested a simple workaround which I'd like to share here.
The issue is here https://github.com/dotnet/dotnet-docker/blob/master/2.0/runtime/nanoserver-1709/amd64/Dockerfile#L31 in the 1709 nanoserver Dockerfile. The user should be ContainerAdministrator.
I'm going to submit a pull request with a fix (unless it's done already), but in the meantime we can use `USER ContainerAdministrator` in our containers to work around the issue.
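A startup check built on the code from the first post, as an added example that is not part of the original thread or of the project's code: it separates the NTE_NOT_FOUND failure discussed here from other PFX errors and reports the account the process runs as, so the container user can be confirmed from the log. The class and method names are hypothetical, and the 0x80090011 value for NTE_NOT_FOUND is taken from the Windows SDK headers, not from this page.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of Kestrel or of the code posted in this thread.
public static class PfxStartupCheck
{
    // NTE_NOT_FOUND ("Object was not found"); value assumed from the Windows SDK headers.
    private const int NteNotFound = unchecked((int)0x80090011);

    public static X509Certificate2 Load(string certStringInBase64, string password)
    {
        byte[] buffer = Convert.FromBase64String(certStringInBase64);
        try
        {
            var cert = new X509Certificate2(buffer, password, X509KeyStorageFlags.MachineKeySet);

            // A certificate without its private key cannot serve HTTPS; fail at startup.
            if (!cert.HasPrivateKey)
            {
                string subject = cert.Subject;
                cert.Dispose();
                throw new InvalidOperationException(
                    $"PFX for '{subject}' was imported without a private key.");
            }
            return cert;
        }
        catch (CryptographicException ex) when (ex.HResult == NteNotFound)
        {
            // The failure from this thread: the PFX import could not create the key.
            // Report the account so the Dockerfile USER line can be checked against it.
            throw new InvalidOperationException(
                "PFX import failed with NTE_NOT_FOUND while running as '" +
                Environment.UserName + "'. On nanoserver-1709 images the workaround " +
                "reported in this thread is 'USER ContainerAdministrator' in the Dockerfile.",
                ex);
        }
        finally
        {
            // The decoded PFX holds the protected private key; do not leave it in memory.
            Array.Clear(buffer, 0, buffer.Length);
        }
    }
}
```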
Thanks @ilyalukyanov! Does it mean we can close this issue or is there anything else left to track?
@karelz I think we can close it now as the issue really belongs to the dotnet-docker repo.
Thanks for confirmation, closing.
Hey @ilyalukyanov, do you know if this issue is already fixed?
I'm using dotnet:2.2-aspnetcore-runtime-nanoserver-1709, and I already tried the USER ContainerAdministrator workaround, but it is still not working.
Thanks in advance.