Connect the Azure website to the Xero Partner app

I am integrating my application with Xero, which requires two certificates. I uploaded them to Azure using this article, but I still cannot connect to the Xero API. I hope someone has experience integrating the Xero Partner app with the Azure web app.

I downloaded two pfx files; one is a self-signed certificate and the other is a partner certificate issued by Xero. The last pfx file contains two certificates: Entrust Commercial Private Sub CA1 (whatever that means) and a unique Entrust Identity Certificate for my application.

I use the following code to download certificates by their unique fingerprint:

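    using System;
    using System.Security.Cryptography.X509Certificates;
    using System.Text.RegularExpressions;

    static X509Certificate2 GetCertificateFromStore(string thumbprint)
    {
        // With no store name given, this opens the CurrentUser "My" (personal) store.
        var store = new X509Store(StoreLocation.CurrentUser);
        try
        {
            // Strip everything that is not a letter or digit (spaces, invisible characters).
            // The range is A-Z; the original "A-z" also let through [ \ ] ^ _ and `.
            thumbprint = Regex.Replace(thumbprint, @"[^\da-zA-Z]", string.Empty).ToUpper();
            store.Open(OpenFlags.ReadOnly);
            var certCollection = store.Certificates;
            // Keep only certificates that are currently within their validity period.
            var currentCerts = certCollection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
            var signingCert = currentCerts.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (signingCert.Count == 0)
            {
                throw new Exception($"Could not find Xero SSL certificate. cert_name={thumbprint}");
            }
            return signingCert[0];
        }
        finally
        {
            store.Close();
        }
    }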

This works fine locally, but on my Azure website I get a 403.7 error:

 The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes. 

I also reviewed the following links to try to solve the problem:

What I have not tried yet:

  • Convert my web application to a cloud service; trying to avoid this, however I'm not sure what steps are involved.
  • Using a virtual machine; I have not found any detailed steps on how to do this, but it looks better than the above.


+7
c# azure x509 xero-api
3 answers

I finally got this job, and I will post my solution, which we hope will save developers a lot of time and frustration when connecting to Xero.

Xero Partner will not work with Azure App Services (websites). You must download two additional certificates along with your self-signed and Xero partner certificate. They can be found on your local machine and can be exported in cer format (details of these certificates are below). Failure to download these certificates for Azure application services is indeed a crutch. They must also be downloaded to certain stores (Root / CA) that you cannot use with applications. These are the steps I took to connect to Xero.

  • Transformed my website into Azure Cloud Services: I’m tired of changing our environment because we already have a live website. It turns out that cloud services are essentially the same as application services; you are still hosted on a virtual machine somewhere. However, you have more control over the rear end and you can use Remote Desktop. More details here. The links used below to create and convert my website into cloud services:

  • Uploaded 4 certificates to my cloud project using the Azure portal. You need to download the following:

    • Your self-signed certificate (the one you created here)
    • Xero partner certificate (you probably got it here)
    • Intermediate Entrust certificate (this must be contained in the .p12 file that you downloaded above).
    • Entrust Root Certificate (this should be in your Trusted Root Store **)
  • Added certificates of my role in the Cloud project. You must right-click on the properties of your web role and go to the certificates tab. Add all 4 certificates to your web role using the fingerprint that will be displayed on the portal after it is downloaded. Pay attention to the store name for two trusted certificates:


You may have to take a lot of patience as I have to go through the first step. You will need to figure out a new deployment process, how to debug your project locally, and possibly a lot of other nasty tidbits!

** This is the correct Root Certificate of Correction, which you can get with certmgr.msc:


+1

Error 403 means that we do not see the Xero Entrust certificate in the connection. More on this here - http://blog.xero.com/developer/api-overview/http-response-codes/#403

Basically, it runs on your local IIS instance, as it is the "only tenant" where your application does not need to be isolated from others.

While the application is blocked by the security model used to isolate websites.

In general, you should do the following in order to obtain certificates working on Azure:

1) Export the certificate, private key, and all intermediate certificates to a PFX file.

2) Upload the certificate using the Azure portal to the cloud service that you are using (it should be displayed as several records).

3) Get access to the certificate through the device store in code.

Based on data taken from: https://community.xero.com/developer/discussion/626401

https://social.msdn.microsoft.com/Forums/azure/en-US/29b30f25-eea9-4e8e-8292-5ac8085fd42e/access-to-certificates-in-azure-web-sites

I hope it solved your problem.

+3

Make sure you add the application setting from step 2 of your article link.

Adding an application parameter named WEBSITE_LOAD_CERTIFICATES with its value set to the certificate thumbprint will make it available for your web application. You can have multiple fingerprint values separated by commas, or you can set this value to "*" (without quotation marks), in which case all your certificates will be uploaded to the personal certificate store of your web applications.

I would also be more specific when specifying a certificate store, i.e. use:

var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

This is how we download certificates in all of our Azure Web Apps.

0
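The checks the answers above imply, collected into one diagnostic as an added example (not code from the question or from any answer): it confirms the thumbprint is covered by WEBSITE_LOAD_CERTIFICATES, that the certificate is in CurrentUser\My with a private key and a current validity period, and then lists the chain elements the host can see. The names `ClientCertCheck` and `Diagnose` and the thumbprint placeholder are hypothetical, and the code assumes the app setting is visible to the process as an environment variable.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // Returns null when the certificate is usable as a client certificate, else the first problem found.
    public static string Diagnose(string thumbprint, string loadSetting, out X509Certificate2 cert)
    {
        cert = null;
        // Keep hex digits only: thumbprints copied from certmgr.msc often carry
        // spaces or an invisible leading character.
        var wanted = new string(thumbprint.Where(c => Uri.IsHexDigit(c)).ToArray()).ToUpperInvariant();

        // WEBSITE_LOAD_CERTIFICATES: comma-separated thumbprints, or "*" for all.
        var listed = (loadSetting ?? "").Split(',').Select(t => t.Trim().ToUpperInvariant());
        if (!listed.Any(t => t == "*" || t == wanted))
            return "thumbprint is not listed in WEBSITE_LOAD_CERTIFICATES";
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, wanted, false);
            if (found.Count == 0) return "certificate is not in CurrentUser\\My";
            cert = found[0];
        }
        finally { store.Close(); }
        if (!cert.HasPrivateKey) return "certificate has no private key (was a .cer uploaded instead of the .pfx?)";
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            return "certificate is outside its validity period";
        return null;
    }

    static void Main()
    {
        // Constructed placeholder; substitute the partner certificate's thumbprint.
        const string thumbprint = "<PARTNER-CERT-THUMBPRINT>";
        var setting = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES");
        X509Certificate2 cert;
        var problem = Diagnose(thumbprint, setting, out cert);
        Console.WriteLine(problem ?? "OK: " + cert.Subject);
        if (cert == null) return;
        // List the chain this host can build, to see whether the intermediate and root are visible.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.Build(cert);
        foreach (X509ChainElement e in chain.ChainElements) Console.WriteLine("  chain: " + e.Certificate.Subject);
    }
}
```

A chain listing that stops at the leaf certificate means the intermediate and root are not visible to the process, which is the situation the first two answers describe.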