Response status code does not indicate success: 403 (Forbidden). #141

Closed
ridicoulous opened this Issue May 26, 2017 · 8 comments

ridicoulous commented May 26, 2017

Hello. I have an exception on installation certificate. Could you please help me?
```
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden).

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpRequestException: Response status code does not indicate success: 403 (Forbidden).]
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode() +91716
LetsEncrypt.SiteExtension.Core.Services.CertificateService.Install(ICertificateInstallModel model) in J:\Projects\letsencrypt-siteextension\LetsEncrypt.SiteExtension.Core\Services\CertificateService.cs:57
LetsEncrypt.SiteExtension.Core.d__10.MoveNext() in J:\Projects\letsencrypt-siteextension\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:150
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
LetsEncrypt.SiteExtension.Controllers.d__7.MoveNext() +581
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Web.Mvc.Async.TaskAsyncActionDescriptor.EndExecute(IAsyncResult asyncResult) +97
System.Web.Mvc.Async.<>c__DisplayClass37.b__36(IAsyncResult asyncResult) +17
System.Web.Mvc.Async.WrappedAsyncResult1.CallEndDelegate(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +49
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
System.Web.Mvc.Async.AsyncInvocationWithFilters.b__3d() +50
System.Web.Mvc.Async.<>c__DisplayClass46.b__3f() +225
System.Web.Mvc.Async.<>c__DisplayClass33.b__32(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResult1.CallEndDelegate(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +49
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
System.Web.Mvc.Async.<>c__DisplayClass2b.b__1c() +26
System.Web.Mvc.Async.<>c__DisplayClass21.b__1e(IAsyncResult asyncResult) +100
System.Web.Mvc.Async.WrappedAsyncResult1.CallEndDelegate(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +49
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
System.Web.Mvc.Controller.b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +13
System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +29
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +49
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +36
System.Web.Mvc.Controller.b__15(IAsyncResult asyncResult, Controller controller) +12
System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +22
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +49
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.MvcHandler.b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +21
System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +29
System.Web.Mvc.Async.WrappedAsyncResultBase1.End() +49
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +129
```

Owner

sjkp commented May 26, 2017

Hi @ridicoulous, are you sure the service principal has access to the app service plan resource group? The error happens when the letsencrypt certificate is attempted to be installed by calling the Azure API with the credentials of the service principal:

https://github.com/sjkp/letsencrypt-siteextension/blob/master/LetsEncrypt.SiteExtension.Core/Services/CertificateService.cs#L57

dsghi commented Jul 9, 2017

I also receive this error, though everything else works fine. I am able to manually retrieve my certificate off the file system and add it via the Azure Portal.

I have verified via logging it is failing where you've indicated:

```
2017-07-09T23:21:46  PID[7088] Error       Unabled to create Azure Web Site Management client System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at LetsEncrypt.SiteExtension.Core.Services.CertificateService.Install(ICertificateInstallModel model) in J:\Projects\letsencrypt-siteextension\LetsEncrypt.SiteExtension.Core\Services\CertificateService.cs:line 57
   at LetsEncrypt.SiteExtension.Core.CertificateManager.<RequestAndInstallInternalAsync>d__10.MoveNext() in J:\Projects\letsencrypt-siteextension\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:line 139
```

I have given the service principal owner permissions, and quadruple checked my settings. I have even redeployed to a new app service plan and resource group without any luck.

Any suggestions for further troubleshooting?

dsghi commented Jul 9, 2017

Figured it out, it worked so well on my first site, I thought I could skim the instructions on the second. I mistakenly assigned permission to the app service and not the resource group. It worked as soon as I rectified this mistake. :)

TripleEmcoder commented Apr 23, 2018

I just made the same mistake as @dsghi - the permission must be on the resource group level. By the way, @sjkp why is that so? From a security standpoint it would be better to limit permissions to the actual resource.

Also, for anyone encountering this issue - give Azure a few minutes for the permissions to kick in. In my case another 403 was issued even after I correctly applied the contributor role. Had to give it some time and retry.

Owner

sjkp commented Apr 23, 2018

The reason why it is on resource group level is because the certificates also get installed as an Azure resource. You can't see them in the portal interface (unless you check the show hidden types), but if you look in e.g. resources.azure.com you will see them. And because they are dangling in the resource group, permission for it is required. I can't change that, this is how MS implemented it unfortunately.
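
The scope rule explained in the comment above, as an added example that is not part of the thread or the project's code: Azure role assignments are inherited downward from their scope, so a role placed on the App Service does not reach the certificate resource that sits beside it in the resource group. All IDs and names are constructed placeholders, and the dictionary keys are assumed to follow the JSON printed by `az role assignment list`.

```python
# Added example: constructed data, placeholder IDs and names throughout.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/example-rg"
SITE = RG + "/providers/Microsoft.Web/sites/example-app"
# The installed certificate is a sibling of the site, not a child of it.
CERT = RG + "/providers/Microsoft.Web/certificates/example-cert"
SP = "11111111-1111-1111-1111-111111111111"  # service principal object id

WRITE_ROLES = {"owner", "contributor"}  # the two roles named in the thread


def _segments(resource_id):
    # Azure resource IDs compare case-insensitively.
    return [s.lower() for s in resource_id.split("/") if s]


def scope_covers(scope, resource_id):
    """True when resource_id is the scope itself or sits below it."""
    s, r = _segments(scope), _segments(resource_id)
    return r[:len(s)] == s


def covering_assignments(assignments, principal_id, resource_id):
    """Assignments that let principal_id write resource_id."""
    return [
        a for a in assignments
        if a["principalId"] == principal_id
        and a["roleDefinitionName"].lower() in WRITE_ROLES
        and scope_covers(a["scope"], resource_id)
    ]


def diagnose(assignments, principal_id=SP):
    """Which targets of the install step the principal can write."""
    return {
        "site": bool(covering_assignments(assignments, principal_id, SITE)),
        "certificate": bool(covering_assignments(assignments, principal_id, CERT)),
    }


# The mistake from the thread: role assigned on the App Service only.
ON_SITE = [{"principalId": SP, "roleDefinitionName": "Contributor", "scope": SITE}]
# The fix: the same role assigned on the resource group.
ON_GROUP = [{"principalId": SP, "roleDefinitionName": "Contributor", "scope": RG}]

if __name__ == "__main__":
    print("site scope: ", diagnose(ON_SITE))
    print("group scope:", diagnose(ON_GROUP))
```

With the site-scoped assignment the certificate write is not covered, which matches the 403 raised at the install call; comparing whole path segments also keeps a group named `example-rg` from matching `example-rg2`.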

TripleEmcoder commented Apr 23, 2018

OK, thank you very much for the explanation. Good to know.

avs099 commented Apr 29, 2018

got here searching for the same error code; turns out it's a duplicate of #194 as well. Whatever @dsghi suggested indeed was the reason - make sure you assign service principal to RESOURCE GROUP, not to APP SERVICE.

After I changed the permissions, things did not work. I waited for a few mins - nada. Then I deleted the app, created a new one - and only that helped. So once again - RTFM :)

@sjkp I believe this ticket can be closed. I tried to update the wiki to EMPHASIZE that you NEED TO USE RESOURCE GROUP - seriously, it should be like that, I'm not the only one who made this mistake - but GitHub does not support pull requests for wikis. So please please do that update :) Thanks again for your work.

sjkp closed this Jul 19, 2018

Contributor

drmohundro commented Aug 8, 2018

Quick note if anyone else is having trouble, you shouldn't have to delete the app and create a new one, first try going to https://YOUR-SITE.scm.azurewebsites.net/SiteExtensions/ and then clicking "Restart Site" - that fixed the Resource Group permission issue for us.
