
Commit 2b97703

Document CA issues in AWS and Azure (#411)
Fixes #401
1 parent 139a853 commit 2b97703

1 file changed

+33
-0
lines changed

README.md

Lines changed: 33 additions & 0 deletions
@@ -68,6 +68,9 @@ Extensions:
6868
- [Activity Testing](#activity-testing)
6969
- [OpenTelemetry Tracing Support](#opentelemetry-tracing-support)
7070
- [Built-in Native Shared Library](#built-in-native-shared-library)
71+
- [TLS/CA Loading Issues](#tlsca-loading-issues)
72+
- [AWS Lambda .NET CA Loading Issues](#aws-lambda-net-ca-loading-issues)
73+
- [Azure App Service CA Loading Issues](#azure-app-service-ca-loading-issues)
7174
- [Development](#development)
7275
- [Build](#build)
7376
- [Code formatting](#code-formatting)
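Review bot: the three new TOC entries should be nested to match the heading levels they point at (one `###` heading, `TLS/CA Loading Issues`, and two `####` sub-headings under it); in this rendering all three appear at the same list depth as the sibling `Built-in Native Shared Library` entry, so check that the `AWS Lambda .NET CA Loading Issues` and `Azure App Service CA Loading Issues` items are indented one level under `TLS/CA Loading Issues`. The anchors themselves follow GitHub's slug rules, with the `/` in "TLS/CA" and the `.` in ".NET" dropped, so `#tlsca-loading-issues` and `#aws-lambda-net-ca-loading-issues` will resolve.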
@@ -1141,6 +1144,36 @@ could not be found.
11411144

11421145
See the earlier part of this section for details on what environments are supported.
11431146

1147+
### TLS/CA Loading Issues
1148+
1149+
Some platforms are not loading the system CA list properly due to quirks with how the platforms work.
1150+
1151+
#### AWS Lambda .NET CA Loading Issues
1152+
1153+
Due to a [recent change](https://github.com/aws/aws-lambda-dotnet/pull/1661) in newer AWS .NET Lambda images to force
1154+
override the `SSL_CERT_FILE` environment variable, the CA list cannot be loaded from the system properly in our
1155+
Rust-based extension. This may cause errors like:
1156+
1157+
> System.InvalidOperationException: Connection failed: Server connection error: tonic::transport::Error(Transport, NativeCertsNotFound)
1158+
1159+
To fix, set the `SSL_CERT_FILE` environment variable to `/etc/ssl/certs/ca-certificates.crt` or
1160+
`/etc/pki/tls/certs/ca-bundle.crt` (both should work, though may have to try/test in case only one does). See
1161+
[this issue](https://github.com/aws/aws-lambda-dotnet/issues/1973) for more details.
1162+
1163+
#### Azure App Service CA Loading Issues
1164+
1165+
By default, Azure App Service on Windows does not load the user profile. This means our Rust-based extension that uses
1166+
[CertOpenStore](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore) to load the
1167+
"ROOT" system CA store does not work. This may cause errors like:
1168+
1169+
> System.InvalidOperationException: Connection failed: Server connection error: tonic::transport::Error(Transport, NativeCertsNotFound)
1170+
1171+
or
1172+
1173+
> System.InvalidOperationException: Connection failed: Server connection error: tonic::transport::Error(Transport, Os { code: 5, kind: PermissionDenied, message: "Access is denied." })
1174+
1175+
To fix this, the `WEBSITE_LOAD_USER_PROFILE` environment can be set to `1` to load the user profile.
1176+
11441177
## Development
11451178

11461179
### Build
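Review bot: the AWS guidance "both should work, though may have to try/test in case only one does" leaves the reader guessing; suggest telling them to check which of `/etc/ssl/certs/ca-certificates.crt` and `/etc/pki/tls/certs/ca-bundle.crt` actually exists in their Lambda base image before setting `SSL_CERT_FILE`, and noting that this variable overrides the trust store for every TLS client in the runtime, so it should point at the full system bundle rather than a narrower or partial file. Two smaller points: in the Azure paragraph, "the `WEBSITE_LOAD_USER_PROFILE` environment can be set to `1`" is missing the word "variable"; and the first quoted error (`NativeCertsNotFound`) is identical in the AWS and Azure sections, so it would help to say that this message alone does not tell the reader which platform quirk they hit, whereas the `Os { code: 5, kind: PermissionDenied, message: "Access is denied." }` variant is listed only for the Azure user-profile case.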
