403 Forbidden when calling the Azure REST API from an instance of a web role

I have a very strange problem. I published a web role for an Azure cloud service. The project requires the web role to call the Azure REST API; I get the answer in the local emulator, but once I publish it to Azure I get a 403 Forbidden error. I am sure that I have installed the certificate on Azure.

This error can be reproduced in the following steps:

  • First create a certificate following this link: http://msdn.microsoft.com/en-us/library/windowsazure/gg651127.aspx
  • Create a cloud service with a web role and a certificate on the Azure portal (a cloud service certificate, and web role -> Properties -> Certificates).
  • Publish the project.
  • Log in remotely to an instance of the web role.
  • Create a console application on the local computer, copy the Debug folder to the remote instance and run the exe there. You may find that the application works perfectly locally, but on the Azure instance it seems to find the certificate yet still gets a 403 Forbidden error.

Console application code:

using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;

class Program
{
    static void Main(string[] args)
    {
        try
        {
            // X.509 certificate variables.
            X509Store certStore = null;
            X509Certificate2Collection certCollection = null;
            X509Certificate2 certificate = null;

            // Request and response variables.
            HttpWebRequest httpWebRequest = null;
            HttpWebResponse httpWebResponse = null;

            // Stream variables.
            Stream responseStream = null;
            StreamReader reader = null;

            // URI variable.
            Uri requestUri = null;

            // Specify the operation to use for the service management call.
            // This sample uses the operation for listing the hosted services.
            string operation = "hostedservices";

            // The ID for the Windows Azure subscription.
            string subscriptionId = "";

            // The thumbprint of the certificate. This certificate must previously have been
            // added as a management certificate within the Windows Azure management portal.
            string thumbPrint = "";

            // Open the certificate store for the current user.
            certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            certStore.Open(OpenFlags.ReadOnly);

            // Find the certificate with the specified thumbprint.
            certCollection = certStore.Certificates.Find(
                                 X509FindType.FindByThumbprint,
                                 thumbPrint,
                                 false);

            // Close the certificate store.
            certStore.Close();

            // Check whether a matching certificate was found.
            if (0 == certCollection.Count)
            {
                throw new Exception("No certificate found containing thumbprint " + thumbPrint);
            }

            // A matching certificate was found.
            certificate = certCollection[0];
            Console.WriteLine("Using certificate with thumbprint: " + thumbPrint);

            // Create the request.
            requestUri = new Uri("https://management.core.windows.net/"
                                 + subscriptionId
                                 + "/services/"
                                 + operation);

            httpWebRequest = (HttpWebRequest)WebRequest.Create(requestUri);

            // Add the certificate to the request (TLS client authentication).
            httpWebRequest.ClientCertificates.Add(certificate);

            // Specify the API version in the header.
            httpWebRequest.Headers.Add("x-ms-version", "2011-10-01");

            // Make the call using the web request.
            httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse();

            // Display the web response status code.
            Console.WriteLine("Response status code: " + httpWebResponse.StatusCode);

            // Display the request ID returned by Windows Azure.
            if (null != httpWebResponse.Headers)
            {
                Console.WriteLine("x-ms-request-id: "
                                  + httpWebResponse.Headers["x-ms-request-id"]);
            }

            // Parse the web response.
            responseStream = httpWebResponse.GetResponseStream();
            reader = new StreamReader(responseStream);

            // Display the raw response.
            Console.WriteLine("Response output:");
            Console.WriteLine(reader.ReadToEnd());

            // Close the resources no longer needed.
            httpWebResponse.Close();
            responseStream.Close();
            reader.Close();
        }
        catch (Exception e)
        {
            Console.WriteLine("Error encountered: " + e.Message);

            // Exit the application with exit code 1.
            Console.ReadLine();
            System.Environment.Exit(1);
        }
        finally
        {
            // Exit the application.
            Console.ReadLine();
            System.Environment.Exit(0);
        }
    }
}
+4
3 answers

I ran into the same problem using the Azure create-cert link you provided. I learned that when creating a certificate using this method, the private key was not uploaded to the cloud service. Although the service was able to find the certificate, it was still unauthorized when sending requests.

. Visual Studio .cer .pfx:

makecert -r -pe -n "CN=AzureManage" -sky exchange "AzureManage.cer" -sv "AzureManage.pvk"
pvk2pfx -pvk "AzureManage.pvk" -spc "AzureManage.cer" -pfx "AzureManage.pfx" -pi password

. . pfx. -pi password , , .

:

  • pfx / mmc.
  • pfx Azure Cloud Service.
  • Azure Management.
  • pfx Azure.

API REST Azure :

using System.Net;
using System.Security.Cryptography.X509Certificates;

X509Certificate2 GetCertificate(string thumbprint)
{
  // The role process runs as a machine account, so look in LocalMachine, not CurrentUser.
  var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
  store.Open(OpenFlags.ReadOnly);
  try
  {
    var certs = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
    return certs.Count == 0 ? null : certs[0];
  }
  finally
  {
    // Close the store on every path, not only when a certificate was found.
    store.Close();
  }
}

// Attach the certificate as the TLS client certificate for the management API call.
var cert = GetCertificate(thumbprint);
HttpWebRequest request = WebRequest.CreateHttp(apiUrl);
request.ClientCertificates.Add(cert);
request.Headers.Add("x-ms-version", "2012-03-01");
+7

, :

certStore = new X509Store(StoreName.My, **StoreLocation.CurrentUser**);

, ( , .pfx) LocalMachine, CurrentUser.

, , ( / visual studio).

+1

+1 @Igorek. . , CurrentUser , , -, certificate, Worker LocalUser.

However, this does not seem to be the main cause of the problem. Can you make sure that the same certificate is located in the Management Certificates section on the portal (export the first one in the file format and upload it there), and that the certificate installed in the role has the private key attached to it? These two causes are the main cause of error 403.

0
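The three failure modes raised in the answers above (certificate imported from the .cer only, so no private key; certificate placed in CurrentUser\My while the role process reads LocalMachine\My; and, going one step further than the answers, a private key whose container the role's account cannot open) can be told apart on the instance with the following diagnostic. It is an added example, not code from the question or any answer, and the thumbprint constant is a placeholder you replace with your own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic: run it on the role instance under the account the role uses.
static class ManagementCertCheck
{
    // Placeholder (assumption): replace with the management certificate's thumbprint.
    const string Thumbprint = "REPLACE_WITH_MANAGEMENT_CERT_THUMBPRINT";

    static void Main()
    {
        var cert = FindUsable(Thumbprint);
        Console.WriteLine(cert == null ? "No usable certificate: expect 403" : "OK: " + cert.Subject);
    }

    // Returns the certificate from the first store where it exists, has a private key,
    // and that key can actually be opened by this process; otherwise null.
    public static X509Certificate2 FindUsable(string thumbprint)
    {
        // Thumbprints pasted from the portal often carry spaces or a hidden
        // left-to-right mark, so keep only the hex digits before searching.
        string clean = new string(Array.FindAll(thumbprint.ToCharArray(), Uri.IsHexDigit));

        foreach (var location in new[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser })
        {
            var store = new X509Store(StoreName.My, location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                var found = store.Certificates.Find(X509FindType.FindByThumbprint, clean, false);
                if (found.Count == 0) { Console.WriteLine(location + "\\My: not found"); continue; }

                var cert = found[0];
                // Importing the .cer alone yields a public-key-only entry: TLS client
                // authentication cannot use it, so the management API answers 403.
                if (!cert.HasPrivateKey) { Console.WriteLine(location + "\\My: no private key, import the .pfx"); continue; }

                AsymmetricAlgorithm key;
                try { key = cert.PrivateKey; } // throws when this account cannot read the key container
                catch (CryptographicException ex)
                {
                    Console.WriteLine(location + "\\My: private key not readable by this account: " + ex.Message);
                    continue;
                }
                Console.WriteLine(location + "\\My: usable, " + key.KeySize + "-bit key, expires " + cert.NotAfter.ToString("u"));
                return cert;
            }
            finally { store.Close(); }
        }
        return null;
    }
}
```

Run the same binary once from an interactive remote desktop session and once under the role's own identity; a certificate that is "usable" only in the first run points at the store location or key ACL rather than at the portal upload.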