All of a sudden, without deploying or making any other environment changes, we are getting:
There is not enough space on the disk.
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException (mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob (mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob (mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor (System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089)
   at [OUR CODE]
With this line:
var certificateByes = Convert.FromBase64String(clientCertificateBody);
factory.Credentials.ClientCertificate.Certificate = new X509Certificate2(certificateByes);
I'm struggling to see how this all of a sudden would break in the context of an Azure web app. We last deployed on November 20th, and this started throwing yesterday. This basic functionality has been in place for months without issue.
We've certainly had trouble in this area before, and the string we are reading from is retrieved from a key vault, but again, nothing here has changed.
I've read about different types of errors here and here but our error message is different and again, this has been working fine for months.
Could this be related to how long the app has been running or some other caching issue that is filling up some temporary storage location?
Here's what I know after many hours of research/debugging:
X509Certificate2 object every time we loaded it instead of caching it
Once we solved those two problems, and followed Tip #5 from here when creating certs, we are not seeing these errors anymore. For reference, the tip is to not create these cert objects from byte arrays as temp files get created behind the scenes for you and they potentially could not get cleaned up. Instead, we are doing something like the author suggests:
var bytes = new byte[]{}; //byte array representing cert body
var file = Path.Combine(Path.GetTempPath(), "Cert" + Guid.NewGuid());
try
{
    File.WriteAllBytes(file, bytes);
    return new X509Certificate2(file, /* ...options... */);
}
finally
{
    File.Delete(file);
}
I ran into the same issue, one Service Plan with MSI enabled on the App Service. Clearing the temp path, including all directories and files, by code didn't work. I guess the private keys folder has 65535 files in it. I checked that Octopus Deploy blog article and tried to delete so many locations from code, because in Kudu or Console you cannot see it, but the error kept being thrown. Redeploying to another App Service Plan was not an option.
So this other question on Stack Overflow has an answer with a cleaner solution:
X509Certificate2 constructor throwing Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: There is not enough space on the disk
Solution: Use the EphemeralKeySet StorageFlag.
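Combining the two answers above, as an added example (not code from either post): a holder that imports the PFX once with `X509KeyStorageFlags.EphemeralKeySet` and hands out the same object on every call. The class name `ClientCertificateCache` and its delegate parameters are hypothetical, and it assumes the certificate body is a base64-encoded PFX; the flag requires .NET Framework 4.7.2 or later, or .NET Core 2.0 or later.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading;

// Added example: import once, keep the private key in memory only, reuse the object.
public sealed class ClientCertificateCache : IDisposable
{
    private readonly Lazy<X509Certificate2> _certificate;

    // base64Pfx and password are hypothetical inputs, e.g. secrets read from a key vault.
    public ClientCertificateCache(Func<string> base64Pfx, Func<string> password)
    {
        // ExecutionAndPublication runs the import exactly once per process.
        // A failed import is cached as well and rethrown on every later access.
        _certificate = new Lazy<X509Certificate2>(
            () => Load(base64Pfx(), password()),
            LazyThreadSafetyMode.ExecutionAndPublication);
    }

    // Every caller receives the same instance; no per-request certificate import.
    public X509Certificate2 Certificate => _certificate.Value;

    private static X509Certificate2 Load(string base64Pfx, string password)
    {
        byte[] pfx = Convert.FromBase64String(base64Pfx);
        try
        {
            // EphemeralKeySet: the private key is created in memory and is not
            // persisted to a key container file when the PFX is imported.
            return new X509Certificate2(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
        }
        finally
        {
            // Do not leave the PFX bytes (which include the private key) in the buffer.
            Array.Clear(pfx, 0, pfx.Length);
        }
    }

    public void Dispose()
    {
        // Dispose only if the certificate was actually loaded.
        if (_certificate.IsValueCreated)
        {
            _certificate.Value.Dispose();
        }
    }
}
```

On Windows, TLS client authentication can fail when the certificate's key is ephemeral, so exercise the real handshake before relying on this for a client certificate.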