Document CA issues in AWS and Azure #411

Status: Merged (1 commit, Feb 11, 2025)
33 changes: 33 additions & 0 deletions README.md
@@ -68,6 +68,9 @@ Extensions:
- [Activity Testing](#activity-testing)
- [OpenTelemetry Tracing Support](#opentelemetry-tracing-support)
- [Built-in Native Shared Library](#built-in-native-shared-library)
- [TLS/CA Loading Issues](#tlsca-loading-issues)
- [AWS Lambda .NET CA Loading Issues](#aws-lambda-net-ca-loading-issues)
- [Azure App Service CA Loading Issues](#azure-app-service-ca-loading-issues)
- [Development](#development)
- [Build](#build)
- [Code formatting](#code-formatting)
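Review bot: the three new table-of-contents anchors follow GitHub's heading-slug rules (the `/` in `TLS/CA` and the `.` in `.NET` are dropped), so `#tlsca-loading-issues`, `#aws-lambda-net-ca-loading-issues` and `#azure-app-service-ca-loading-issues` should resolve; one thing to confirm is that the two sub-entries are indented one level deeper than `TLS/CA Loading Issues`, since the second hunk introduces them as `####` headings under a `###` section, and the existing list nests `Build` and `Code formatting` under `Development` the same way.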
@@ -1141,6 +1144,36 @@ could not be found.

See the earlier part of this section for details on what environments are supported.

### TLS/CA Loading Issues

Some platforms are not loading the system CA list properly due to quirks with how the platforms work.

#### AWS Lambda .NET CA Loading Issues

Due to a [recent change](https://github.com/aws/aws-lambda-dotnet/pull/1661) in newer AWS .NET Lambda images to force
override the `SSL_CERT_FILE` environment variable, the CA list cannot be loaded from the system properly in our
Rust-based extension. This may cause errors like:

> System.InvalidOperationException: Connection failed: Server connection error: tonic::transport::Error(Transport, NativeCertsNotFound)

To fix, set the `SSL_CERT_FILE` environment variable to `/etc/ssl/certs/ca-certificates.crt` or
`/etc/pki/tls/certs/ca-bundle.crt` (both should work, though may have to try/test in case only one does). See
[this issue](https://github.com/aws/aws-lambda-dotnet/issues/1973) for more details.
#### Azure App Service CA Loading Issues

By default, Azure App Service on Windows does not load the user profile. This means our Rust-based extension that uses
[CertOpenStore](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore) to load the
"ROOT" system CA store does not work. This may cause errors like:

> System.InvalidOperationException: Connection failed: Server connection error: tonic::transport::Error(Transport, NativeCertsNotFound)

or

> System.InvalidOperationException: Connection failed: Server connection error: tonic::transport::Error(Transport, Os { code: 5, kind: PermissionDenied, message: "Access is denied." })

To fix this, the `WEBSITE_LOAD_USER_PROFILE` environment can be set to `1` to load the user profile.

## Development

### Build
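Review bot: two small fixes in this hunk before merge. First, the line `See [this issue](https://github.com/aws/aws-lambda-dotnet/issues/1973) for more details.` runs directly into `#### Azure App Service CA Loading Issues` with no blank line between them, unlike the blank line that precedes the AWS heading; it still renders as a heading, but it should match the surrounding spacing. Second, in the Azure fix `the WEBSITE_LOAD_USER_PROFILE environment can be set to 1` is missing the word "variable". Beyond those, the guidance `both should work, though may have to try/test in case only one does` leaves the reader guessing; it would be clearer to say that the right value is whichever bundle file actually exists in the Lambda image in use, e.g. `set SSL_CERT_FILE to the CA bundle path present in your image: /etc/ssl/certs/ca-certificates.crt or /etc/pki/tls/certs/ca-bundle.crt`, so the user checks the filesystem once rather than trying both in production. It may also be worth noting in the Azure paragraph that the `PermissionDenied` variant of the error is the one that specifically indicates the user profile is not loaded, since the `NativeCertsNotFound` message is shared with the AWS case and readers will otherwise not know which section applies to them.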