
New certificate fails to load after creation 'The specified network password is not correct' #1670

Closed
mregen opened this issue Jan 19, 2022 · 1 comment · Fixed by #1676
Labels
bug A bug was identified and should be fixed.

Comments


mregen commented Jan 19, 2022

Type of Issue
- [x] Bug

Describe the Issue

Running a .NET Core 3 UA application in docker windows container sometimes fails to start when a new application certificate is created with error: 'The specified network password is not correct'. The container starts ok using the same previously created certificate when restarted.

To Reproduce
Steps to reproduce the behavior:

  1. Run an OPC app in a Docker Windows container
  2. Start the application
  3. Infrequently the application fails to start

Expected behavior
New cert can be loaded.


**Log output**
```text
[14:03:22 INF] No existing Application certificate found. Create a self-signed Application certificate valid from yesterday for 12 months,
[14:03:22 INF] with a 2048 bit key and 256 bit hash.
[14:03:25 ERR] Could not load private key certificate from file: OpcPublisher [EC0838A4BF488F44A52B3F5AFFDA0EB62DD21AFD].pfx
 WindowsCryptographicException 'The specified network password is not correct.'


========================================
Id: Bad
Description: [WindowsCryptographicException] The specified network password is not correct.
>>> The specified network password is not correct.
---    at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
---    at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
---    at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
---    at Opc.Ua.DirectoryCertificateStore.Load(String thumbprint)
========================================

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct.
   at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
   at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at Opc.Ua.DirectoryCertificateStore.Load(String thumbprint)
[14:03:25 WRN] OPC: ***EXCEPTION*** BadConfigurationError 'There is no cert with subject OpcPublisher in the configuration.
 Please generate a cert for your application,
 then copy the new cert to this location:
 pki\own
'
[14:03:25 FTL]    at Opc.Ua.Configuration.ApplicationInstance.CheckApplicationInstanceCertificate(Boolean silent, UInt16 minimumKeySize, UInt16 lifeTimeInMonths)
   at OpcPublisher.OpcApplicationConfiguration.ConfigureAsync() in D:\a\1\s\modules\src\Microsoft.Azure.IIoT.Modules.OpcUa.Publisher\src\OpcApplicationConfiguration.cs:line 180
   at OpcPublisher.Program.MainAsync(String[] args) in D:\a\1\s\modules\src\Microsoft.Azure.IIoT.Modules.OpcUa.Publisher\src\Program.cs:line 698
Opc.Ua.ServiceResultException: There is no cert with subject OpcPublisher in the configuration.
 Please generate a cert for your application,
 then copy the new cert to this location:
 pki\own

   at Opc.Ua.Configuration.ApplicationInstance.CheckApplicationInstanceCertificate(Boolean silent, UInt16 minimumKeySize, UInt16 lifeTimeInMonths)
   at OpcPublisher.OpcApplicationConfiguration.ConfigureAsync() in D:\a\1\s\modules\src\Microsoft.Azure.IIoT.Modules.OpcUa.Publisher\src\OpcApplicationConfiguration.cs:line 180
   at OpcPublisher.Program.MainAsync(String[] args) in D:\a\1\s\modules\src\Microsoft.Azure.IIoT.Modules.OpcUa.Publisher\src\Program.cs:line 698
[14:03:25 FTL] Publisher exiting...
```

Environment (please complete the following information):

  • OS: Windows 10 / Docker with Windows container
  • Development environment: Visual Studio 2022
  • Runtime: .NET Core 3.1
  • OPC Package Release Version: 1.4.367.75
  • Component: Opc.Ua.Configuration
  • Server:
@mregen mregen added the bug A bug was identified and should be fixed. label Jan 19, 2022

mregen commented Jan 21, 2022

See also @ZbynekZ
https://kb.opclabs.com/Error_%22The_specified_network_password_is_not_correct.%22

Not sure if the issue has the same root cause and if it gets improved by this workaround. Maybe permissions also affect the timing. But in the Windows container the MachineKeySet is not accessible.

mregen added a commit that referenced this issue Jan 24, 2022
- In a Windows container this non-deterministic error can occur:
`[WindowsCryptographicException] The specified network password is not correct.`
even if the private key was saved with an empty password.
- Fix: after a delayed retry the private key can be loaded successfully.
- fixes #1670
- see also ae9ecac for 367 milestone
mregen added a commit that referenced this issue Jan 25, 2022
- Integrate 'LoadPrivateKey' in the interface to allow implementing cert stores which require a passcode to load/store certificates.
Change of behavior:
- Introduce a 'NoPrivateKeys' flag to reduce the risk of leaking a private key to an unsecure store.
  - CertificateStoreIdentifier opens 'NoPrivateKey' stores
  - CertificateTrustList opens 'NoPrivateKey' stores
  - CertificateIdentifier opens stores with private keys for application or GDS authority certificates
- CertificateTrustList reuses a store if it is not disposed. A user can just close the store to keep the list of certificates in memory.
- DirectoryStore `Load` does not read private keys anymore, only file names for delete. Reading all private keys caused false errors, e.g. here: #1670

Co-authored-by: mheege-abb <marcus.heege@de.abb.com>
Co-authored-by: mheege-abb <85437567+mheege-abb@users.noreply.github.com>
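The two commit messages above describe the fix in two parts: a delayed retry around the PFX load, and a no-private-keys mode so that trust-list style access never opens the PFX at all. The following C# is an added example written for this page, not Opc.Ua code; the directory layout, the `UserKeySet` choice and the retry parameters are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example, not Opc.Ua code: load an application certificate from a directory
// store, reading the private key only when the caller needs it and retrying the
// transient "specified network password is not correct" failure seen in the issue.
public static class CertificateLoader
{
    // Assumed store layout: <store>\certs\<thumbprint>.der and <store>\private\<thumbprint>.pfx
    public static async Task<X509Certificate2> LoadAsync(
        string storePath, string thumbprint, string password, bool noPrivateKeys,
        int maxAttempts = 3, int delayMs = 500)
    {
        if (noPrivateKeys)
        {
            // Trust-list style use: only the public certificate is needed, so the PFX
            // (and therefore the private key) is never opened.
            string derFile = Path.Combine(storePath, "certs", thumbprint + ".der");
            return new X509Certificate2(File.ReadAllBytes(derFile));
        }
        string pfxFile = Path.Combine(storePath, "private", thumbprint + ".pfx");
        // Assumption: the key set is kept per-user because the issue reports that the
        // MachineKeySet is not accessible inside a Windows container.
        const X509KeyStorageFlags flags = X509KeyStorageFlags.UserKeySet;
        for (int attempt = 1; ; attempt++)
        {
            try
            {
                var cert = new X509Certificate2(pfxFile, password, flags);
                if (!cert.HasPrivateKey)
                    throw new CryptographicException("No private key in " + pfxFile);
                return cert;
            }
            catch (CryptographicException ex) when (attempt < maxAttempts)
            {
                // WindowsCryptographicException derives from CryptographicException.
                // The failure is non-deterministic, so wait and retry instead of failing
                // the application start outright; the last attempt lets it propagate.
                Console.Error.WriteLine(
                    $"Attempt {attempt} to load {pfxFile} failed: {ex.Message}; retrying in {delayMs} ms");
                await Task.Delay(delayMs);
            }
        }
    }
}
```

Callers that only validate peers (trust lists) pass `noPrivateKeys: true`, so a misconfigured or unreadable PFX in the store cannot break them; only the application's own identity load goes through the retry path.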