3

Before writing this question I have gone through a lot of questions and answers but I can't seem to find a solution. What I'm trying to do is host an application as a Azure App Service that needs to make a call to the Swish API.

Please see this thread for how my implementation runs locally which works fine:

C# HttpClient with X509Certificate2 - WebException: The request was aborted: Could not create SSL/TLS secure channel

System diagnostics log from Azure:

https://pastebin.com/EBFb3zrA

I have tried the solutions from Microsoft forums and SO but none seem to do the trick:

https://social.msdn.microsoft.com/Forums/azure/en-US/ca6372be-3169-4fb5-870f-bfbea605faf6/azure-webapp-webjob-exception-could-not-create-ssltls-secure-channel?forum=windowsazurewebsitespreview

//Tested both, none of them work
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
//ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11

Since a lot of the questions are based on accessing an external service and not sending a client certificate the complexity rises a bit as well.

What I have done is in the SSL certificates tab on Azure import the Test certificate. Since .p12 and .pfx are both PKCS #12 files I just renamed the .p12-file. The application runs as B1 Basic App Service Plan so most functionality should be present.

https://stackoverflow.com/a/6821061/3850405

I have also tried this guide to add the certificate to the certificate store in Azure -> Application settings -> App Settings:

https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/

When this did not work I tried to add WEBSITE_LOAD_CERTIFICATES to appSettings in my application but it resulted in a HTTP 503.

Swish certificate and English guide:

https://www.getswish.se/content/uploads/2015/06/Guide-Testverktyg_20151210.zip

Ogglas
  • 50,115
  • 30
  • 272
  • 333
  • 1
    As I known, The certificate you uploaded to your web app will only be installed to the Personal certificate store. While I followed your swish certificate guide, I found it would be stored into `Trusted Root Certification Authorities`, I assumed that it could be the cause. – Bruce Chen May 30 '17 at 09:46
  • @Bruce-MSFT Yes I think this is the problem as well. Running it as a `virtual machine` now and it works fine. Would be nice if it were possible to do it as `App Service` though. – Ogglas May 30 '17 at 14:59
  • Did you manage to get this to work? Im looking for the same thing here. – JeppePepp Sep 19 '18 at 19:07
  • @JeppePepp No it will not work. I asked Microsoft directly about trusting their certificate but the request was denied. We solved it by hosting it as a Virtual machine and from there add their certificate to Trusted Root Certification Authorities. https://feedback.azure.com/forums/169385-web-apps/suggestions/19533202-ability-to-use-the-swedish-payment-solution-swish – Ogglas Sep 19 '18 at 19:51
  • Alright thanks for your answer. I know this question is quite old so I was crossing my fingers u had some great news to share. I'll stick with klarna for now :) – JeppePepp Sep 19 '18 at 20:03

2 Answers2

3

We were able to make this work in an Azure Web App. The trick was the appSetting WEBSITE_LOAD_CERTIFICATES and to upload all Swish certificates in the Azure portal. That is, the .pfx file from Swish contains three certs where two of them are root certs. So we exported the root certs and uploaded the .cer files under TLS/SSL settings -> Public Key Certificates (.cer) and then it started to work. You also need to upload them to all deployment slots since the certs will not be automatically copied to the slots.

Anders Ekdahl
  • 22,105
  • 4
  • 69
  • 58
  • Did you have to something else in the code to use the root certs? When I create my HttpClient, I add the client certificate that I find with `certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false)`, but that only seems to add the client cert itself, and no the root certs. Do you add them to `HttpClientHandler.ClientCertificates` as well? – Johan Driessen Mar 12 '20 at 11:11
  • Yes, exactly, we add them to `HttpClientHandler.ClientCertificates`. – Anders Ekdahl Mar 12 '20 at 12:40
  • 1
    The answer here is absolutely correct. However, if anyone would like a more comprehensive guide how to get this working, I've written one on my blog: https://johan.driessen.se/posts/Calling-the-Swish-Payment-API-from-Azure-AppService/ – Johan Driessen Mar 16 '20 at 09:50
0

According to your scenario, I also checked by adding cert file to a Resources File and construct the X509Certificate2 instance by the following code snippet:

var certBytes=(byte[])ResourceManager.GetObject("Swish_Certificate");
var certificate = new X509Certificate2(certBytes, "swish");

Per my test, I assumed that you could not implement Swish payment on Azure Web App. Additionally, you could add your feedback for azure web app here.

Bruce Chen
  • 17,799
  • 2
  • 17
  • 31