
After adding HTTPS endpoint I get this warning: 'Microsoft.WindowsAzure.Plugins.PasswordEncryption' was not found in the certificate store

I added an HTTPS endpoint to my WebRole, and now I'm getting the following warning when I attempt to run the Azure Emulator, which causes the compute emulator to stop and the debugger to bail:

Warning: The SSL certificate 'Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption' for endpoint 'HttpsIn' of role 'MyProj.Web' was not found in the local machine's certificate store.

This certificate has nothing to do with the HTTPS endpoint. It also isn't (and shouldn't be) in the local machine's certificate store -- it does exist in the CurrentUser certificate store (I've checked). I've attempted to get rid of the reference to this certificate altogether in my ServiceConfiguration just to see what happens, but it keeps automatically being re-added.

Any help would be appreciated.

Edit:

Just to be clear, I am not attempting to use the Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption certificate as my SSL cert. I have successfully set up a separate self-signed certificate in the Local Machine store for the HTTPS endpoint:

ServiceDefinition.csdef

    <Bindings>
      <Binding name="Endpoint1" endpointName="Endpoint1" />
      <Binding name="HttpsIn" endpointName="HttpsIn" />
    </Bindings>
    ...
    <Endpoints>
      <InputEndpoint name="Endpoint1" protocol="http" port="80" />
      <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="AzureSSL" />
    </Endpoints>
    ...
    <Certificates>
      <Certificate name="AzureSSL" storeLocation="LocalMachine" storeName="My"/>
    </Certificates>

ServiceConfiguration.Local.cscfg

    <Certificates>
      <Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="xxxxxxxxxx" thumbprintAlgorithm="sha1" />
      <Certificate name="AzureSSL" thumbprint="xxxxxxxxxx" thumbprintAlgorithm="sha1" />
    </Certificates>
asked Feb 08 '13 06:02

w.brian


2 Answers

The WebRole is adding the RemoteAccess certificate settings and looking for the certificate in LocalMachine because SDK 1.8 adds <Import moduleName="RemoteAccess" /> to the csdef file. To resolve this issue:

  • Delete all "Microsoft.WindowsAzure.Plugins.RemoteAccess.*" settings in both (local & cloud) .cscfg files
  • Delete the Certificate element with name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" in both .cscfg files
  • Delete <Import moduleName="RemoteAccess" /> and <Import moduleName="RemoteForwarder" /> from the csdef file.
  • Save & recompile. If you need to activate Remote Desktop later, the process is described in this article.

Or, you could just add the RDP cert to LocalMachine store.

answered Nov 12 '22 10:11

viperguynaz
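
A check to run before choosing between the two fixes in the answer above (added example, not part of the original answer): it lists, for every certificate in the local .cscfg, whether its thumbprint is present in LocalMachine\My and in CurrentUser\My. The default file path and the 40-hex-digit SHA-1 validity check are assumptions of this example.

```powershell
# Added example: show which certificate store holds each certificate that the
# local service configuration references by thumbprint.
param(
    # Assumed default path; point it at the cloud service project's file.
    [string]$ConfigPath = '.\ServiceConfiguration.Local.cscfg'
)

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw

# local-name() keeps the XPath independent of the ServiceConfiguration namespace.
$roleXPath = "/*[local-name()='ServiceConfiguration']/*[local-name()='Role']"
$certXPath = "*[local-name()='Certificates']/*[local-name()='Certificate']"

$report = foreach ($role in $config.SelectNodes($roleXPath)) {
    foreach ($cert in $role.SelectNodes($certXPath)) {
        # Thumbprints pasted from the certificate dialog often carry spaces or
        # invisible characters; keep hex digits only.
        $thumb = ($cert.GetAttribute('thumbprint') -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

        # A SHA-1 thumbprint is 40 hex digits. Anything else (for example a
        # placeholder value) cannot match a store entry, so skip the lookup.
        $valid = $thumb.Length -eq 40

        [pscustomobject]@{
            Role           = $role.GetAttribute('name')
            Certificate    = $cert.GetAttribute('name')
            ThumbprintOk   = $valid
            InLocalMachine = $valid -and (Test-Path -LiteralPath "Cert:\LocalMachine\My\$thumb")
            InCurrentUser  = $valid -and (Test-Path -LiteralPath "Cert:\CurrentUser\My\$thumb")
        }
    }
}

$report | Format-Table -AutoSize

# Entries found only under CurrentUser are the ones the emulator warning is
# about, since it looks in the local machine's store.
$report | Where-Object { $_.InCurrentUser -and -not $_.InLocalMachine } |
    ForEach-Object { Write-Warning "$($_.Certificate) is only in CurrentUser\My" }
```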


Well, two things:

  • Certificates in general have a lot to do with an HTTPS endpoint, because an HTTPS endpoint also needs a certificate, right?
  • From the error message it is clear that you have selected the Remote Desktop password encryption certificate to be used for the HTTPS endpoint also.

The latter is not bad at all, but you should be aware of all your certificates and which one is used for what.

First of all, enabling Remote Desktop on Azure Role Instances needs an X.509 certificate. It is configured by indicating the certificate's thumbprint in the configuration file (csdef). It is required because the password for the RDP account is encrypted with that certificate. That password encryption is part of the packaging process (or more precisely of the Remote Desktop wizard process). You have to separately upload that certificate to the Windows Azure Cloud Service to which you will deploy your package. You also need to have that certificate in the local user's store.

The second certificate is for HTTPS. It is also described by thumbprint and location. However, the HTTPS certificate is usually located in the local machine store, and not the current user store. This X.509 certificate again must be separately uploaded to the Cloud Service and must be present there. You may read here on how to configure an HTTPS endpoint for a Windows Azure Cloud Service. In order for packaging to work fine, the HTTPS endpoint certificate needs to be in the Local Machine store (or more precisely the Web Hosting store - if you open the IIS Manager and navigate to Server Certificates, you must be able to see the certificate there). This is the expected place for an HTTPS certificate; that's why packaging requires it to be there, and that's why it complains it cannot find it: your Password Encryption Certificate (which you indicated to be used for HTTPS also) is not in the local machine's store.

Last, but not least, certificates used by a package are configured in the Certificates section of properties of your cloud service project.

Suggested readings:

  • Overview of certificates in Windows Azure
  • How to create certificate for a role
  • Securing Windows Azure with SSL - although it has screenshots of the old portal and older versions of SDK, all the concepts and walk-throughs are correct and effective today.

answered Nov 12 '22 10:11

astaykov