
I have hosted IdentityServer, which is using a self-signed certificate, in IIS in one of my Azure VMs. This is an SSL-enabled site. It is using the IdentityServer3 framework.

I am hosting an ASP.NET Core 2.0 Web API in the same VM, and this is not SSL enabled. Below is my setup on the Core 2.0 API side:

// Startup.cs
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                // IdentityServer3 instance hosted in IIS on the same VM
                options.Authority = "https://localhost:44300/identity";
                // do not require HTTPS for the discovery document (Authority above is still HTTPS)
                options.RequireHttpsMetadata = false;
                options.ApiName = "web_api";
                // accept the IdentityServer3-style audience claim instead of ApiName
                options.LegacyAudienceValidation = true;
            });
}

Both were working fine locally with the above setup, but in the VM, when I try to access the API, I get the following error:

ERROR   Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler - Exception occurred while processing message. - System.InvalidOperationException: IDX10803: Unable to obtain configuration from: 'https://localhost:44300/identity/.well-known/openid-configuration'. ---> System.IO.IOException: IDX10804: Unable to retrieve document from: 'https://localhost:44300/identity/.well-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpException: A security error occurred

I made sure the self-signed certificate is available in MMC -> Trusted Certificates, both in Current User and in Local Computer.

The self-signed certificate is available in:

MMC -> Local Computer -> Personal Certificates
MMC -> Local Computer -> Trusted Root Certificates
MMC -> Current User -> Trusted Root Certificates

Mukil Deepthi
  • See: https://stackoverflow.com/questions/36299959/idx10803-unable-to-create-to-obtain-configuration – shlgug Jul 31 '18 at 17:49
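The IDX10803/IDX10804 wrapper hides the real failure, which is the WinHTTP TLS handshake to the Authority. An added diagnostic (not part of the original question) that a practitioner would run on the VM, as the identity the API app pool uses, to separate "certificate not trusted" from "trusted but name does not match" from "cannot reach the endpoint at all". The thumbprint is a hypothetical placeholder; the Authority is the one from the question.

```powershell
# Added diagnostic, not from the original post. Run on the VM under the app pool
# identity (or an account with the same certificate stores visible).
$Authority  = 'https://localhost:44300/identity'
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # hypothetical placeholder

# 1. Is the self-signed cert in the machine-wide Trusted Root store?
#    Only LocalMachine\Root counts for a service account; CurrentUser\Root of the
#    admin who did the import is not consulted by the app pool.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint
if (-not $root) { Write-Warning "Cert $Thumbprint is not in LocalMachine\Root" }

# 2. Does the cert's Subject / SAN actually cover the host in the Authority URL?
#    A trusted cert issued to another name still fails the WinHTTP handshake.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if ($cert) {
    "Subject: $($cert.Subject)"
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) { 'SAN: ' + $san.Format($false) }

    # 3. Build the chain as this user sees it and print every status flag.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed: no CRL/OCSP to consult
    "Chain builds: $($chain.Build($cert))"
    $chain.ChainStatus | ForEach-Object { "  status: $($_.Status) - $($_.StatusInformation)" }
} else {
    Write-Warning "Cert $Thumbprint is not in LocalMachine\My"
}

# 4. Fetch the discovery document over HTTPS, as the API does, and unwrap the
#    inner exceptions instead of stopping at the generic 'security error'.
try {
    $doc = Invoke-RestMethod -Uri "$Authority/.well-known/openid-configuration"
    "issuer:   $($doc.issuer)"
    "jwks_uri: $($doc.jwks_uri)"
} catch {
    Write-Warning $_.Exception.Message
    $inner = $_.Exception.InnerException
    while ($inner) { Write-Warning "  inner: $($inner.Message)"; $inner = $inner.InnerException }
}
```

Invoke-RestMethod uses Schannel rather than WinHTTP, but both validate against the same LocalMachine stores, so a failure here reproduces what the JwtBearer handler sees, with the underlying chain status visible. If step 3 builds but step 4 still fails, the issue is the name or the port, not trust.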

1 Answer


Had the same problem until I found out that the user who is running the app pool where IdentityServer is hosted should have at least read permissions over the certificate.

MMC ->Current User -> Trusted Root Certificates

This gives the rights to your account, but check which account the app pool uses, and then, in the computer certificates:

Right click on the certificate -> All Tasks -> Manage private keys

Also realized that I couldn't give such permissions to the DefaultAppPool identity, so I ended up using a separate account for this app pool.

m3n7alsnak3