azurecertificateautoscalingwasabi

Azure/Wasabi: Certificate never makes it to the CurrentUser/My store

I am attempting to get Wasabi (the Enterprise library autoscaling block) to work within an Azure worker role. The Wasabi worker role (Extra Small, full trust) is scaling a different worker role within the same service. It works perfectly from a local console app, with an identical configuration - given the errors, the certificate isn't making it to the VM. I am using the latest versions of the Azure SDKs, the enterprise library autoscaling block, and the Azure portal.

Here are the steps I took, based on these docs: http://msdn.microsoft.com/en-us/library/hh680937(v=pandp.50).aspx

  1. I created a management certificate as per the directions here: http://msdn.microsoft.com/en-us/library/gg432987.aspx.
  2. I exported the .pfx with the private key and gave it a password.
  3. I uploaded the .cer to the Settings->Management Certificates section on the portal.
  4. I uploaded the .pfx with the correct password to the Cloud Services->(My Service)->Certificates, noting the thumbprint listed.
  5. I created some trivial rules that scale up my app a few instances, and correctly configured the service information to use my new cert. The XML files are in blob storage. This exactly configuration works fine on my local machine in a console app.
  6. I added an entry in the Wasabi role's configuration, using the correct cert name and thumbprint. I set it to use the CurrentUser\My store. I confirmed that the .csdef and .cscfg files were correctly updated.
  7. I deploy the service to staging on Azure, using the publish tool. The certificate configuration setting correctly shows up in the Configuration setting for the role.
  8. It doesn't scale the app. I check the trace entries, and it has an exception when trying to pull access the management API. It is trying to access the right subscription, and it's trying to find the correct certificate thumbprint in the right store, so my configuration is being loaded correctly. It claims that it cannot find the certificate with that thumbprint in that store.

I tried the LocalMachine\My store (configured in the role certificate settings, and in the service information store XML), and I got a different exceptionthe error listed in Azure WASABi SecurityNegotiationException. That fix was ultimately to go to CurrentUser, so that doesn't help me here.

I tried a lot of other combinations of CurrentUser\LocalMachine and different stores, and all CurrentUser locations result in certificate-not-found, and all LocalMachine stores result in the other exception.

I triple-checked the thumbprints in the role settings, the portal (certificate page) and the service information file, and they all match.

I then enabled remote-desktop and logged in to the Wasabi role instance, and used MMC to look at the certificate configuration for both the local machine and the current user. When I selected the LocalMachine store in the role certificate settings, the certificate did show up in the LocalMachine store, which tells me that the certificate is correctly installed in the service and the thumbprints match. When the CurrentUser store is selected, the certificate is not visible anywhere. This could be because the user that is used by RDP is not the same user as the service, but it does match the error.

So, in summary:

  1. The certificate was correctly configured and installed in the portal (management certificates for the subscription, and service certificates).
  2. Apparently, you must use the CurrentUser location, not the LocalMachine location, for the Wasabi role (as per the linked SO question).
  3. When I'm trying to install to the CurrentUser, the certificate is not getting placed in the VM, at least not anywhere that the role can find it.

Any ideas?

Thanks!

Solution

  • See my answer to this SO POST. The certificate must be in LocalMachine and because of config changes in SDK 1.8 and Server2012 role initialization you have to run the worker role with elevated permissions to give NETWORK SERVICE access to the cert's private keys. Edit ServiceDefinition.csdef

    <?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="blah" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2012-10.1.8">
  <WorkerRole name="blah" vmsize="Small">
    <Runtime executionContext="elevated" />
    ...      
   </WorkerRole>
</ServiceDefinition>