Kubernetes: ASP.NET Core HTTPS and mac verify failure

You are configuring HTTPS for an ASP.NET Core application running on Kubernetes: the secret is mounted as a data volume and the ASP.NET Core environment variables are defined, yet the following error appears in the pod’s log:

error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
at Internal.Cryptography.Pal.OpenSslPkcs12Reader.Decrypt(SafePasswordHandle password)

The reason is simple: Kestrel was handed the wrong password for the PKCS#12 (.pfx) file, so the MAC over the file cannot be verified. The manifest examples below show how that happens.

<doesn’t work> Kubernetes deployment manifest:

env:
  - name: "Kestrel__Certificates__Default__Path"
    value: /var/secrets/cert        # the certificate file comes from the mounted secret volume
  - name: "ASPNETCORE_Kestrel__Certificates__Default__Password"
    value: /var/secrets/password    # wrong! this literal string is used as the password

<works> Kubernetes deployment manifest:

env:
  - name: "Kestrel__Certificates__Default__Path"
    value: /var/secrets/cert        # the certificate file comes from the mounted secret volume
  - name: "ASPNETCORE_Kestrel__Certificates__Default__Password"
    valueFrom:                      # works! the secret's value is injected, not a path
      secretKeyRef:
        name: backend-tls
        key: password

Noticed the difference? The “value” field of an environment variable is a literal string: Kubernetes does not read the file at that path for you. So the application received the text “/var/secrets/password” as the certificate password, even though “cat /var/secrets/password” inside the container prints the real password without any issue. To pass the secret’s content, reference the secret’s key explicitly with “valueFrom.secretKeyRef”. In my case, the string “/var/secrets/password” (a path, not the secret itself!) was assigned to the variable’s value, which was not what I expected.

In short, check that the password is correct, and inject it as an environment variable sourced from the secret (secretKeyRef) rather than pointing the variable at a file in a data volume: Kestrel expects the password itself in Kestrel:Certificates:Default:Password, while the certificate path can keep pointing at the mounted file.
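As an added example (not part of the original post), here is the complete flow in PowerShell: a pre-flight check that the .pfx opens with the password in the same way Kestrel loads it, creation of the secret with the key names used above, the corrected Deployment, and a check that the variable in the running pod holds a password rather than a path. The file name backend.pfx, the secret name backend-tls, the deployment name and the container image are assumptions; kubectl is assumed to point at the target cluster.

```powershell
# Added example, not from the original post. Assumes kubectl is configured for the
# target cluster and that ./backend.pfx and its password are at hand.

# 1. Pre-flight: open the PFX the way Kestrel does (X509Certificate2 with a password).
#    A wrong password throws a CryptographicException; on Linux .NET the message is the
#    same "mac verify failure" seen in the pod log.
function Test-PfxPassword {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Password)
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            (Resolve-Path $Path).Path, $Password)
        $cert.Dispose()
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

$pfxPath  = './backend.pfx'                       # placeholder certificate file
$password = Read-Host -Prompt 'PFX password' -AsSecureString |
    ForEach-Object { [System.Net.NetworkCredential]::new('', $_).Password }

if (-not (Test-PfxPassword -Path $pfxPath -Password $password)) {
    throw 'The PFX does not open with this password; fix that before deploying.'
}
# Reproduce the mistake from the post: handing over the path string fails the same way.
Test-PfxPassword -Path $pfxPath -Password '/var/secrets/password'

# 2. Secret: key "cert" becomes /var/secrets/cert once mounted, key "password" feeds the env var.
kubectl create secret generic backend-tls `
    --from-file=cert=$pfxPath `
    --from-literal=password=$password

# 3. Deployment: certificate from the volume, password by value from the secret.
$manifest = @"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
spec:
  replicas: 1
  selector:
    matchLabels: { app: backend }
  template:
    metadata:
      labels: { app: backend }
    spec:
      containers:
        - name: backend
          image: registry.example.com/backend:1.0   # placeholder image
          ports:
            - containerPort: 443
          env:
            - name: ASPNETCORE_URLS
              value: https://+:443
            - name: Kestrel__Certificates__Default__Path
              value: /var/secrets/cert
            - name: ASPNETCORE_Kestrel__Certificates__Default__Password
              valueFrom:
                secretKeyRef:
                  name: backend-tls
                  key: password
          volumeMounts:
            - name: tls
              mountPath: /var/secrets
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: backend-tls
"@
$manifest | kubectl apply -f -

# 4. Check what the container actually received, without echoing the secret:
#    a value starting with "/" means a path was injected instead of the password.
kubectl rollout status deployment/backend
$injected = kubectl exec deployment/backend -- printenv ASPNETCORE_Kestrel__Certificates__Default__Password
if ($injected -like '/*') { Write-Warning 'Password variable contains a path, not a password' }
elseif ($injected -eq $password) { 'Password injected correctly' }
```

The pre-flight check reuses the same .NET loading path as Kestrel, so a password that passes Test-PfxPassword locally will also pass inside the container; if the pod still logs "mac verify failure" after that, the value that reached the container is not the one you tested, which step 4 confirms without printing the secret.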

Azure Policy: Deny HTTP listeners (Application Gateway)

Here is the second Azure Policy example, in addition to the first one. The policy is quite simple: it denies the creation of HTTP listeners on Application Gateways, so only HTTPS listeners are allowed. Two equivalent ways of writing the rule are shown. Version 1 is a double negative (“not notEquals Http”); Version 2 states the same thing directly. Azure Policy evaluates a condition over a “[*]” alias against every element of the array, so “httpListeners[*].protocol equals Https” is true only when all listeners are HTTPS, and the surrounding “not” fires as soon as one listener is not; string comparisons are case-insensitive, so “Http” and “http” match alike. Two caveats: an Application Gateway HTTP-to-HTTPS redirect needs an HTTP listener on port 80, so this policy also blocks that pattern and is meant for gateways that must not expose plain HTTP at all; and a deny only stops new or updated gateways, while gateways that already have HTTP listeners are reported as non-compliant, not changed.

#Version1
{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "not": {
            "field": "Microsoft.Network/applicationGateways/httpListeners[*].protocol",
            "notEquals": "Http"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

#Version2
{
  "mode": "All",
  "policyRule": {
    "if": {
      "not": {
        "field": "Microsoft.Network/applicationGateways/httpListeners[*].protocol",
        "equals": "Https"
      }
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

To assign the policy by using PowerShell:

# Create the Policy Definition (Subscription scope). -Policy and -Parameter accept a file path,
# a URI, or the JSON itself as a string.
$policyrules = "URI here"
$policyparams = "URI here (optional)"
$definition = New-AzPolicyDefinition -Name 'Deny HTTP Listeners' -Policy $policyrules -Parameter $policyparams -Mode All

# Set the scope to a resource group; may also be a resource, subscription, or management group
$scope = Get-AzResourceGroup -Name 'mvphero'

# Create the Policy Assignment
New-AzPolicyAssignment -Name 'Deny HTTP Listeners' -DisplayName 'Deny Application Gateway HTTP Listeners' -Scope $scope.ResourceId -PolicyDefinition $definition
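As an added example (not from the original post), the same rule in a parameterised form, created and assigned with PowerShell, followed by a negative test that tries to add an HTTP listener to a gateway in scope and a compliance query for gateways that already violate the rule. The definition and assignment names, the gateway “gw-backend” and its frontend IP and port names are placeholders; the resource group “mvphero” is the one used above.

```powershell
# Added example, not from the original post. Requires Az.Resources, Az.Network and
# Az.PolicyInsights, an authenticated session (Connect-AzAccount) and a *test*
# gateway: the probe below attempts a real change to the gateway it is pointed at.

# Same rule as Version 2 above, scoped to the resource type (the usual pattern for
# policy definitions) and with the effect as a parameter, so the assignment can
# start in Audit mode and move to Deny once existing gateways are cleaned up.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Network/applicationGateways" },
      {
        "not": {
          "field": "Microsoft.Network/applicationGateways/httpListeners[*].protocol",
          "equals": "Https"
        }
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@
$policyParams = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect", "description": "Audit first, then Deny." }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'appgw-https-listeners-only' `
    -DisplayName 'Application Gateway listeners must use HTTPS' `
    -Policy $policyRule -Parameter $policyParams -Mode All

$rg = Get-AzResourceGroup -Name 'mvphero'
$assignment = New-AzPolicyAssignment -Name 'appgw-https-listeners-only' `
    -Scope $rg.ResourceId -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Deny' }   # use 'Audit' for the first rollout

# Negative test: with Deny in force, adding an HTTP listener must be rejected by ARM
# before the request reaches the Application Gateway provider. Placeholder names.
$gw   = Get-AzApplicationGateway -Name 'gw-backend' -ResourceGroupName $rg.ResourceGroupName
$fip  = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw -Name 'appGwPublicFrontendIp'
$port = Get-AzApplicationGatewayFrontendPort    -ApplicationGateway $gw -Name 'port_80'
$gw   = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'policy-probe-http' `
            -Protocol Http -FrontendIPConfiguration $fip -FrontendPort $port
try {
    Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
    # If this succeeds (Audit mode or wrong scope), remove the probe listener again with
    # Remove-AzApplicationGatewayHttpListener followed by Set-AzApplicationGateway.
    Write-Warning 'HTTP listener accepted: the assignment is not denying (Audit mode or wrong scope?)'
} catch {
    if ($_.Exception.Message -match 'RequestDisallowedByPolicy') {
        'HTTP listener denied by policy, as expected'
    } else { throw }
}

# Existing gateways are not changed by a deny; list the ones already out of line.
Start-AzPolicyComplianceScan -ResourceGroupName $rg.ResourceGroupName
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName `
    -Filter "PolicyAssignmentName eq '$($assignment.Name)' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

Assigning with effect Audit first gives the compliance query at the end a chance to surface gateways that still carry HTTP listeners (including port-80 redirect listeners) before the switch to Deny starts failing their next deployment.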