ssl - .NET reading cryptographic files from AWS S3 - some files fail on prod, succeed on dev
I am running a certificate store off of S3 for an ASP.NET cloud application. The class S3CertificateStore reads .pfx files and password files from S3 and creates the certificates in memory.
```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Method of the poster's S3CertificateStore; s3Facade, config and exceptions are fields of that class.
private void LoadPrivateCerts(X509Certificate2Collection certificates)
{
    var s3Files = s3Facade.ListObjects(config.Bucket, config.PrivatePath).ToList();
    foreach (var filePath in s3Files)
    {
        // Skip password objects and "directory" placeholder keys; each .pfx is paired with <key>.pass.
        if (filePath.EndsWith(".pass") || filePath.EndsWith("/"))
        {
            continue;
        }
        try
        {
            var certBytes = s3Facade.GetObject(config.Bucket, filePath);
            var pwdBytes = s3Facade.GetObject(config.Bucket, filePath + ".pass");
            var pwd = Encoding.UTF8.GetString(pwdBytes);
            // No key-set flag is given, so the PFX private key is imported into the
            // calling user's key store (which lives under the user profile).
            var cert = new X509Certificate2(certBytes, pwd, X509KeyStorageFlags.Exportable); // needs Exportable!
            certificates.Add(cert);
        }
        catch (Exception e)
        {
            exceptions.Add(e);
        }
    }
}
```
When run locally, the certificates are pulled from S3 and reconstituted correctly. But... when I run the code on an EC2 instance, some certificates are fine, and others fail (the same ones fail every time).
Exception: The system cannot find the file specified.
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
I'm baffled. Is there some kind of character encoding difference at work? I don't think any of the passwords have high-bit characters, but I may be seeing them after they have been munged.
Any suggestions?
I found a workable solution. If I set the IIS app pool setting "Load User Profile" to true, certificate construction works. The following script in an .ebextensions file seems to do the trick:
c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationpools "/[name='defaultapppool'].processmodel.loaduserprofile:true"
I still don't understand why certificate construction was consistently succeeding for some certs and consistently failing for others before this change.
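An added example, not the poster's S3CertificateStore code, showing the other way out of this problem: choosing a key-storage flag so that the PFX private key never has to be written under the worker's user profile. Without a key-set flag, X509Certificate2 persists the imported key in the calling user's key container, which an IIS worker started with "Load User Profile" = false does not have. EphemeralKeySet keeps the key in memory and MachineKeySet uses the machine-wide store; both work without a profile. The example also normalizes the bytes of a .pass object (UTF-8 BOM, trailing newline), the encoding problem the poster suspected. It builds its own self-signed PFX in memory so it runs offline; the subject name, password and .pass bytes are constructed sample values, and the type and method names are assumptions of this example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not the poster's code. Targets .NET 6+; EphemeralKeySet and
// CertificateRequest also exist on .NET Framework 4.7.2+.
public static class PfxLoadingDemo
{
    // Build a PFX in memory so the demo needs no S3 access (constructed sample certificate).
    public static byte[] MakeSamplePfx(string password)
    {
        using RSA rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=pfx-loading-demo", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        return cert.Export(X509ContentType.Pfx, password);
    }

    // Turn the bytes of a <name>.pfx.pass object into the password. A UTF-8 BOM or a trailing
    // newline left by an editor would otherwise become part of the password; that produces a
    // "password is not correct" failure, not the "cannot find the file" error in the question.
    public static string PasswordFromPassFile(byte[] passBytes)
    {
        string pwd = Encoding.UTF8.GetString(passBytes);
        if (pwd.StartsWith("\uFEFF", StringComparison.Ordinal)) pwd = pwd.Substring(1);
        return pwd.TrimEnd('\r', '\n');
    }

    // Load the PFX so the private key does not depend on a loaded user profile.
    public static X509Certificate2 LoadWithoutUserProfile(byte[] pfx, string password, bool exportable)
    {
        var baseFlags = exportable ? X509KeyStorageFlags.Exportable : X509KeyStorageFlags.DefaultKeySet;
        try
        {
            // Key stays in memory; nothing is written to any key container.
            return new X509Certificate2(pfx, password, baseFlags | X509KeyStorageFlags.EphemeralKeySet);
        }
        catch (PlatformNotSupportedException)
        {
            // Ephemeral keys are not supported on every platform (macOS, for example); fall back
            // to the machine key store, which the worker identity must be allowed to write to.
            return new X509Certificate2(pfx, password, baseFlags | X509KeyStorageFlags.MachineKeySet);
        }
    }

    // Prove the private key is usable, not merely present: sign with it and verify with the public key.
    public static bool PrivateKeyWorks(X509Certificate2 cert)
    {
        using RSA priv = cert.GetRSAPrivateKey();
        using RSA pub = cert.GetRSAPublicKey();
        if (priv == null || pub == null) return false;
        byte[] data = Encoding.ASCII.GetBytes("key usability check");
        byte[] sig = priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        const string password = "s3-demo-pfx-password"; // constructed sample value
        byte[] pfx = MakeSamplePfx(password);

        // Constructed .pass contents with the two common defects: a BOM and a trailing newline.
        byte[] passFile = Encoding.UTF8.GetPreamble()
            .Concat(Encoding.UTF8.GetBytes(password + "\r\n")).ToArray();
        string recovered = PasswordFromPassFile(passFile);

        using X509Certificate2 cert = LoadWithoutUserProfile(pfx, recovered, exportable: true);
        Console.WriteLine($"Loaded {cert.Subject}; HasPrivateKey={cert.HasPrivateKey}; usable={PrivateKeyWorks(cert)}");
    }
}
```

Two caveats before swapping this in for the app pool change: on Windows, SChannel (SslStream, HttpListener over HTTPS) cannot use a key loaded with EphemeralKeySet, so a certificate that will terminate TLS needs MachineKeySet or a persisted user key, that is, the "Load User Profile" fix the poster arrived at. And the layout the question uses, with <name>.pfx and <name>.pfx.pass side by side under one prefix, means any principal with read access to that prefix gets each private key together with its password; the bucket policy on that prefix is effectively the key's only protection.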