You are trying to configure HTTPS in ASP.NET Core running on Kubernetes. You have successfully mounted the secret data volumes and defined the ASP.NET environment variables, but the following error appears in the pod’s log:
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure at Internal.Cryptography.Pal.OpenSslPkcs12Reader.Decrypt(SafePasswordHandle password)
The reason is quite simple – a wrong password. Check out the manifest examples below to understand the behavior.
<doesn’t work> Kubernetes deployment manifest:
env:
  - name: "Kestrel__Certificates__Default__Path"
    value: /var/secrets/cert # data volume must be used here
  - name: "ASPNETCORE_Kestrel__Certificates__Default__Password"
    value: /var/secrets/password # wrong!
<works> Kubernetes deployment manifest:
env:
  - name: "Kestrel__Certificates__Default__Path"
    value: /var/secrets/cert # data volume must be used here
  - name: "ASPNETCORE_Kestrel__Certificates__Default__Password"
    valueFrom: # works!
      secretKeyRef:
        name: backend-tls
        key: password
Noticed the difference? Instead of using the data volume path to the secret key “password” (cat /var/secrets/password outputs the password without any issues, by the way), you need to explicitly define the env value by referring to the secret’s key. In my case, the text “/var/secrets/password” (the path, not the secret itself!) was assigned to the variable’s value, which was unexpected.
In short, check that the password is correct, and define the password as an environment variable that references the secret’s key rather than pointing it at the data volume path.
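To catch this mistake before the pod starts, the check below scans a deployment (in the JSON form that `kubectl get deployment -o json` emits) for password-like variables whose literal value is a path inside a mounted volume. It is an added example, not part of the original post; the container name, volume name, `Fixed__Password` variable and suffix list are assumptions made for illustration.

```python
import json

# Constructed sample: the non-working env block from the post, wrapped in a
# minimal deployment. Container name "backend", volume name "tls" and the
# "Fixed__Password" variable are hypothetical.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {"containers": [{
  "name": "backend",
  "volumeMounts": [{"name": "tls", "mountPath": "/var/secrets", "readOnly": true}],
  "env": [
    {"name": "Kestrel__Certificates__Default__Path", "value": "/var/secrets/cert"},
    {"name": "ASPNETCORE_Kestrel__Certificates__Default__Password",
     "value": "/var/secrets/password"},
    {"name": "Fixed__Password",
     "valueFrom": {"secretKeyRef": {"name": "backend-tls", "key": "password"}}}
  ]}]}}}}
""")

# Settings whose value is used as-is, never opened as a file (assumed list).
LITERAL_SUFFIXES = ("password", "passphrase", "token", "apikey")


def under(path, mount):
    """True if path is the mount point itself or a file below it."""
    mount = mount.rstrip("/")
    return path == mount or path.startswith(mount + "/")


def find_path_as_secret(deployment):
    """Return (container, env name, value) for literal-valued env vars that hold
    a path inside one of the container's volume mounts instead of the secret."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    for c in pod_spec.get("containers", []):
        mounts = [m["mountPath"] for m in c.get("volumeMounts", [])]
        for env in c.get("env", []):
            value = env.get("value")  # absent when valueFrom/secretKeyRef is used
            if value is None:
                continue
            # ASP.NET Core maps "__" to ":"; the last segment is the setting name.
            key = env["name"].lower().split("__")[-1]
            if key.endswith(LITERAL_SUFFIXES) and any(under(value, m) for m in mounts):
                findings.append((c["name"], env["name"], value))
    return findings


if __name__ == "__main__":
    for container, name, value in find_path_as_secret(SAMPLE):
        print(f"{container}: {name} is set to the path {value!r}, not to the secret")
```

The certificate path variable is not flagged because Kestrel opens that value as a file, and variables populated through `secretKeyRef` have no literal `value` to inspect.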