I explored the process to deploy to Azure App Service. Parts of the implementation of the persistent process depend on the Elm executable. Most effort went into the resulting dependencies and setup.
Elm failed with following output:
name-used-to-execute-file.exe: no store
CallStack (from HasCallStack):
error, called at .\System\X509\Win32.hs:56:31 in x509-system-1.6.6-KPlAgjlEOhtBXlrzCCJ22B:System.X509.Win32
This error went away after changing application settings in the Azure web app as follows:
Set WEBSITE_LOAD_CERTIFICATES
to *
, as described at https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/
When using elm make
with a command line like this:
elm make StringBuilderWebApp.elm
It failed with the following output:
-- HTTP PROBLEM ----------------------------------------------------------------
The following HTTP request failed:
<https://package.elm-lang.org/all-packages>
Here is the error message I was able to extract:
HttpExceptionRequest Request { host = "package.elm-lang.o
rg" port = 443
secure = True requestHeaders =
[("User-Agent","elm/0.19.0"),("Accept-Encoding","gzip")] path =
"/all-packages" queryString = "" method = "GET" proxy = Nothing rawBody =
False redirectCount = 10 responseTimeout = ResponseTimeoutDefault
requestVersion = HTTP/1.1 } (InternalException (HandshakeFailed
(Error_Protocol ("certificate has unknown CA",True,UnknownCa))))
(From the discussion at https://discourse.elm-lang.org/t/how-to-solve-elm-make-https-certificate-problem/2546/5?u=viir)
Looks like I got it working by installing a certificate.
I downloaded the certificate from package.elm-lang.org and added it as a Public Certificate
to the Azure app.
I used the export UI of the chrome browser to get a .cer
file for a certificate on the path displayed in the chrome browser (I took the DST Root CA X3
from the root)
The import of this file went without error messages.
But at first, the elm make command still displayed the certificate has unknown CA
error.
Yesterday, it was too late to continue investigating, and now after coming back it works, elm make produces the output file. I don't know what happened in the meantime, maybe the host system was restarted.
While setting the certificate up, I also found this guide helpful to check if the certificate was loaded: https://blogs.msdn.microsoft.com/karansingh/2017/03/15/azure-app-services-how-to-determine-if-the-client-certificate-is-loaded/
When trying to use the elm executable with the make
command, it failed with output like this:
elm.exe: getAppUserDataDirectory:sHGetFolderPath: illegal operation (unsupported operation)
More information about the problem is found at http://hackage.haskell.org/package/directory-1.3.3.1/docs/System-Directory.html#v:getAppUserDataDirectory :
The argument is usually the name of the application. Since it will be integrated into the path, it must consist of valid path characters.
- On Unix-like systems, the path is ~/..
- On Windows, the path is %APPDATA%/ (e.g. C:/Users//AppData/Roaming/)
Note: the directory may not actually exist, in which case you would need to create it. It is expected that the parent directory exists and is writable.The operation may fail with:
UnsupportedOperation
The operating system has no notion of application-specific data directory.isDoesNotExistError
The home directory for the current user does not exist, or cannot be found.
As Markus Laire points out on the elm-lang forum, for the special case of elm, this problem can be avoided by setting ELM_HOME
for the elm make process. This approach made it possible to fix the problem in the framework implementation, so that no setup is required to account for this.
On 2019-01-26, Elm make fails again:
System.NotImplementedException: Output file not found. Maybe the output from the Elm make process helps to find the cause: Exit Code: 1 Standard Output: '' Standard Error: '-- HTTP PROBLEM ----------------------------------------------------------------
The following HTTP request failed:
<https://package.elm-lang.org/all-packages>
Here is the error message I was able to extract:
HttpExceptionRequest Request { host = "package.elm-lang.org" port = 443
secure = True requestHeaders =
[("User-Agent","elm/0.19.0"),("Accept-Encoding","gzip")] path =
"/all-packages" queryString = "" method = "GET" proxy = Nothing rawBody =
False redirectCount = 10 responseTimeout = ResponseTimeoutDefault
requestVersion = HTTP/1.1 } (InternalException (HandshakeFailed
(Error_Protocol ("certificate has unknown CA",True,UnknownCa))))
'
at Kalmit.ProcessFromElm019Code.CompileElmToJavascript(IReadOnlyCollection`1 elmCodeFiles, String pathToFileWithElmEntryPoint) in K:\Source\Repos\Kalmit\implementation\PersistentProcess\PersistentProcess.Common\Process.cs:line 214
at
- This instance is hosted in an Azure Web App which and worked a few weeks earlier.
- I do not remember changing anything in this App. Did Microsoft change something in how the certificates are propagated? I do not find a clue online. Azure exhibited problems depending on the Region before (Cosmos DB) so document some details about the App Service Plan displayed in the Azure Portal:
Location: North Europe
App Service Plan: general (Basic: 1 Small)
. - Is the problem specific to the state App Service Plan? Test with a new Web App running on a new App Service Plan. For the new web app
kalmit-web-host-livetest-2
, create New App Service Plan in regionEast US
and pricing planB1 Basic
. - In addition to the Kalmit deployment, add the root certificate used when opening https://package.elm-lang.org in chrome :
DAC9024F54D8F6DF94935FB1732638CA6AD77C13
- On this new web app, get an error too:
System.NotImplementedException: Output file not found. Maybe the output from the Elm make process helps to find the cause:
Exit Code: 1
Standard Output:
''
Standard Error:
'-- HTTP PROBLEM ----------------------------------------------------------------
The following HTTP request failed:
<https://package.elm-lang.org/all-packages>
Here is the error message I was able to extract:
HttpExceptionRequest Request { host = "package.elm-lang.org" port = 443
secure = True requestHeaders =
[("User-Agent","elm/0.19.0"),("Accept-Encoding","gzip")] path =
"/all-packages" queryString = "" method = "GET" proxy = Nothing rawBody =
False redirectCount = 10 responseTimeout = ResponseTimeoutDefault
requestVersion = HTTP/1.1 } (InternalException (HandshakeFailed
(Error_Protocol ("certificate has unknown CA",True,UnknownCa))))
- What happens if the certificate is removed from the Web App? After deleting the certificate in Azure Portal and restarting the app, get the
certificate has unknown CA
error again. So maybe the certificate is not propagated into the app scope, to begin with? - Upload the certificate again to continue testing.
- Check in Kudu: Under environment, it also displays
WEBSITE_LOAD_CERTIFICATES = *
. - Use powershell to dump info about certificates:
Get-ChildItem -Recurse Cert: 2>&1 > .\cert.log
. In the resulting file,DAC9024F54D8F6DF94935FB1732638CA6AD77C13
is found in this entry:
[...]
Name : My
Subject : CN=DST Root CA X3, O=Digital Signature Trust Co.
Issuer : CN=DST Root CA X3, O=Digital Signature Trust Co.
Thumbprint : DAC9024F54D8F6DF94935FB1732638CA6AD77C13
FriendlyName :
NotBefore : 9/30/2000 9:12:19 PM
NotAfter : 9/30/2021 2:01:15 PM
Extensions : {System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid}
[...]
- So the certificate is contained in the
My
scope. Is this not sufficient anymore for elm make? Can we add the certificate to a larger scope? Can we start the elm process in a different way so that it has access to the certificate?