Kubernetes: ASP.NET Core HTTPS and mac verify failure

You are trying to configure HTTPS in ASP.NET Core to run on Kubernetes, successfully mounted secret data volumes and defined ASP.NET environment variables, however, the following error appears in the pod’s log:

error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
at Internal.Cryptography.Pal.OpenSslPkcs12Reader.Decrypt(SafePasswordHandle password)

The reason is quite simple – a wrong password. Check out the manifest examples below to understand the behavior.

<doesn’t work> Kubernetes deployment manifest:

env:
            - name: "Kestrel__Certificates__Default__Path"
              value: /var/secrets/cert #data volume must be used here
            - name: "ASPNETCORE_Kestrel__Certificates__Default__Password"
              value: /var/secrets/password #wrong!
        

<works> Kubernetes deployment manifest:

env:       
            - name: "Kestrel__Certificates__Default__Path"
              value: /var/secrets/cert #data volume must be used here
            - name: "ASPNETCORE_Kestrel__Certificates__Default__Password"
              valueFrom: #works!
                secretKeyRef:
                  name: backend-tls
                  key: password

Noticed the difference? Instead of using the data volume path to the secret key “password” (cat /var/secret/password outputs the password without any issues, by the way), you need to explicitly define the env value by referring to the secret’s key. In my case, “/var/secret/password” (text, not a secret itself!) was assigned to the variable’s value and it was unexpected.

In short, check if the password is correct and try to define the secret as an environment variable rather than using data volumes.

Passed Microsoft Certified: Azure DevOps Engineer Expert (AZ-400)

Today I have finished my Azure certification path by successfully passing the AZ-400: Microsoft Azure DevOps Solutions exam. This exam measures your ability to accomplish the following technical tasks: design a DevOps strategy, implement DevOps development processes, implement continuous integration, continuous delivery, dependency management, application infrastructure, and continuous feedback.

The exam consists of 2 case studies, 12 lab tasks, 42 test questions that must be answered in 180 minutes. I had two lab tasks that couldn’t be finished because of Azure environment issues (exam’s account didn’t have required permissions on Azure resources to complete certain sub-tasks). Fortunately, I was pretty sure for overall result and, after speaking with proctor, decided to jump into the next exam’s sections.

How to prepare

  1. You must either earn the Azure Administrator Associate or Azure Developer Associate certification
  2. You must have an active Azure DevOps account. The Azure Pipelines and Azure Repos are needed at least.
  3. Check out the free Azure/DevOps training courses (AZ-400 OpenEDX that’s based on MCT training guides and AzureDevOps Labs). In addition, there are a lot of videos at Pluralsight for getting started with Azure DevOps and understand DevOps principles.
  4. The labs are all about Azure Services (IaaS/PaaS/IaC), so you must know how to prepare environments for CD, environment types and differences between them, make IaC, understand security options for each Azure resource, CI/CD. Also, I was pretty surprised to see the lab tasks to be completed on localhost file system before pushing the code to Azure.
  5. The certification will be valid only for 2 years, so keep learning and practice every day! I wish you good luck on the exam and may the force be with you.

%d bloggers like this: