Sitecore Identity Server 404 Error in Azure PaaS
When running Sitecore in Azure PaaS, you may experience the following error in a Sitecore Identity Server.

At first you may be wondering if the site is gone, your domain has something off, or maybe the default page is wrong in Azure… but a 404 for a Sitecore Identity Server may be something else entirely!
What Causes a Sitecore Identity Server 404?
If you see the message above, and you have an Identity Server with files in its wwwroot in your Azure PaaS environment, this indicates a certificate error. Specifically, the Sitecore Identity Server cannot load the self-signed certificate it uses to serve its content over HTTPS.
If you view your logs, you may see an error like the following:
Error processing block: Sitecore.Plugin.IdentityServer.ConfigureSitecore Exception has been thrown by the target of an invocation. Certificate cannot be obtained with defined parameters.
Sitecore.Plugin.IdentityServer.Configuration.CertificateResolver.GetCertificate
System.Exception:
at Sitecore.Framework.Pipelines.DefaultPipelineBlockRunner+<InvokeBlock>d__10.MoveNext (Sitecore.Framework.Pipelines.Abstractions, Version=7.0.0.0, Culture=neutral, PublicKeyToken=null)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Sitecore.Framework.Pipelines.DefaultPipelineBlockRunner+<RunAsync>d__8`1.MoveNext (Sitecore.Framework.Pipelines.Abstractions, Version=7.0.0.0, Culture=neutral, PublicKeyToken=null)
Inner exception System.Reflection.TargetInvocationException handled at Sitecore.Framework.Pipelines.DefaultPipelineBlockRunner+<InvokeBlock>d__10.MoveNext:
at System.RuntimeMethodHandle.InvokeMethod (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Reflection.RuntimeMethodInfo.Invoke (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Reflection.MethodBase.Invoke (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Sitecore.Framework.Runtime.Web.SitecoreStartup.ConfigureSitecoreStartup+<>c__DisplayClass16_0.<FindConfigureServices>b__1 (Sitecore.Framework.Runtime.Web, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null)
at Sitecore.Framework.Runtime.Web.SitecoreStartup.ConfigureSitecore+<>c__DisplayClass11_1.<FindConfigureServices>b__4 (Sitecore.Framework.Runtime.Web, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null)
at Sitecore.Framework.Runtime.Web.ConfigureServicesBlock.Run (Sitecore.Framework.Runtime.Web.Abstractions, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null)
at Sitecore.Framework.Pipelines.Abstractions.SyncBlockHandle`3.Run (Sitecore.Framework.Pipelines.Abstractions, Version=7.0.0.0, Culture=neutral, PublicKeyToken=null)
at Sitecore.Framework.Pipelines.DefaultPipelineBlockRunner+<InvokeBlock>d__10.MoveNext (Sitecore.Framework.Pipelines.Abstractions, Version=7.0.0.0, Culture=neutral, PublicKeyToken=null)
Inner exception System.AggregateException handled at System.RuntimeMethodHandle.InvokeMethod:
at Sitecore.Plugin.IdentityServer.Configuration.CertificateResolver.GetCertificate (Sitecore.Plugin.IdentityServer, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null)
at Sitecore.Plugin.IdentityServer.ConfigureSitecore.ConfigureServices (Sitecore.Plugin.IdentityServer, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null)
This error is your hint that something is wrong with your certificate: either the certificate is missing from the App Service, or it is present but the thumbprint configured for the Identity Server does not match it.
How to Fix a Sitecore Identity Server 404 Error in Azure PaaS
The first step is to validate that you have the certificate used for the Identity Server in the Custom Domains section of your Azure PaaS App Service running the Sitecore Identity Server. If it is there, you will want to grab the thumbprint:

With this thumbprint, you now need to check two areas. First, confirm that the thumbprint of the certificate used for the Sitecore Identity Server's SSL/HTTPS is entered into an Application Setting named WEBSITE_LOAD_CERTIFICATES. This Application Setting makes the certificate available to the application running in the Azure App Service.

With this in place, check within the Sitecore.IdentityServer.Host.xml file at the wwwroot\Config\production path within your Sitecore Identity Server. In Azure PaaS, Kudu is a useful tool to do this:

On line 5 of the above within the <CertificateThumbprint> node is where you will enter the thumbprint used in your self-signed certificate and also entered in the WEBSITE_LOAD_CERTIFICATES Application Setting.
With this in place, restart your Sitecore Identity Server Application Server and your 404 error should be resolved if it is due to the aforementioned log error.
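To confirm the three places above agree before restarting, here is an added diagnostic script (not from the original post). It assumes the standard App Service wwwroot path below, that the Host.xml contains a CertificateThumbprint node, and that App Service places certificates listed in WEBSITE_LOAD_CERTIFICATES into Cert:\CurrentUser\My; run it from the Kudu PowerShell console of the Identity Server App Service.

```powershell
# Added diagnostic: checks that Sitecore.IdentityServer.Host.xml, the WEBSITE_LOAD_CERTIFICATES
# app setting and the certificate store all agree on the same thumbprint.
param(
    # Assumed default location of the Host.xml on a Windows App Service (adjust if different)
    [string]$HostXmlPath = "D:\home\site\wwwroot\Config\production\Sitecore.IdentityServer.Host.xml"
)

function Normalize-Thumbprint([string]$t) {
    # Thumbprints pasted from the portal often carry spaces or colons; compare hex only, upper-case
    if ([string]::IsNullOrWhiteSpace($t)) { return "" }
    return (($t -replace '[^0-9A-Fa-f]', '').ToUpperInvariant())
}

# 1. Thumbprint configured for the Identity Server in Host.xml
[xml]$hostXml = Get-Content -Path $HostXmlPath -Raw
$xmlNode  = $hostXml.SelectSingleNode('//CertificateThumbprint')
$xmlThumb = if ($xmlNode) { Normalize-Thumbprint $xmlNode.InnerText } else { "" }

# 2. Thumbprints exposed to the app through WEBSITE_LOAD_CERTIFICATES (comma-separated, or "*" for all)
$appSetting = $env:WEBSITE_LOAD_CERTIFICATES
$loaded = @()
if ($appSetting) { $loaded = $appSetting.Split(',') | ForEach-Object { Normalize-Thumbprint $_ } }

# 3. Certificate actually present in the store the app reads (assumed Cert:\CurrentUser\My on App Service)
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $xmlThumb }

$findings = @()
if (-not $xmlThumb)   { $findings += "Host.xml has an empty or missing <CertificateThumbprint> node." }
if (-not $appSetting) { $findings += "WEBSITE_LOAD_CERTIFICATES application setting is not set." }
elseif ($appSetting.Trim() -ne '*' -and $loaded -notcontains $xmlThumb) {
    $findings += "WEBSITE_LOAD_CERTIFICATES ($appSetting) does not include the Host.xml thumbprint $xmlThumb."
}
if (-not $cert) {
    $findings += "No certificate with thumbprint $xmlThumb in Cert:\CurrentUser\My (not uploaded, or thumbprint mismatch)."
} elseif ($cert.NotAfter -lt (Get-Date)) {
    $findings += "Certificate $xmlThumb expired on $($cert.NotAfter)."
} elseif (-not $cert.HasPrivateKey) {
    $findings += "Certificate $xmlThumb has no private key; upload the PFX, not just the public .cer."
}

if ($findings.Count -eq 0) {
    "OK: thumbprint $xmlThumb is consistent across Host.xml, WEBSITE_LOAD_CERTIFICATES and the certificate store."
} else {
    $findings | ForEach-Object { "PROBLEM: $_" }
}
```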
But Wait! I Don’t Have a Certificate
If you discover that you are missing a self-signed certificate in your Sitecore Identity Server Application Service, you can use the following PowerShell to generate one and upload it to the “Bring your own certificates” tab of the Custom Domains option in your Azure Application Service.
From there, you would enter the thumbprint value into WEBSITE_LOAD_CERTIFICATES and in the Sitecore.IdentityServer.Host.xml file within your Sitecore Identity Server application.
Note that in the PowerShell below, you need to update values such as the Subject, Friendly Name, and Certificate File Path as appropriate. Feel free to turn these into input parameters.
# Generates a new self-signed SSL certificate for the Sitecore Identity Server
# USAGE: run in an elevated PowerShell session; update Subject, FriendlyName and the export path first
$thumbprint = (New-SelfSignedCertificate `
    -Subject "CN=Subject Name here" `
    -Type SSLServerAuthentication `
    -FriendlyName "CN=Friendlynamehere" `
    -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable `
    -CertStoreLocation Cert:\LocalMachine\My `
    -NotAfter (Get-Date).AddYears(2)).Thumbprint
# -CertStoreLocation is required here: without it the certificate lands in Cert:\CurrentUser\My
# and the Export-PfxCertificate below, which reads from LocalMachine\My, would not find it.
# Export the certificate with its private key as a password-protected PFX for upload to Azure
$certificateFilePath = "c:\installation\$thumbprint.pfx"
Export-PfxCertificate `
    -Cert Cert:\LocalMachine\My\$thumbprint `
    -FilePath "$certificateFilePath" `
    -Password (Read-Host -Prompt "Enter password that would protect the certificate" -AsSecureString)
Does This Work for Non-Azure PaaS Implementations?
Yes! The premise is the same for non-Azure PaaS Sitecore implementations. In that case you still generate your self-signed certificate, but you place it in the Trusted Root of the Certificate Store on the server running your Sitecore Identity Server, add an IIS binding for the certificate to your Identity Server IIS website, and update the Sitecore.IdentityServer.Host.xml file with the thumbprint of your newly created and accessible certificate.
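The on-premises variant of the steps above, as an added example that is not part of the original post: it imports the PFX produced earlier into the machine store, trusts its public part, adds the HTTPS binding with the WebAdministration module, and writes the thumbprint into Host.xml. The site name, host header, PFX path and Host.xml path are assumptions to replace with your own.

```powershell
# Added example: install the self-signed certificate on an IIS server hosting Sitecore Identity
# and point the Identity Server configuration at it. Run in an elevated session.
param(
    [string]$PfxPath     = "c:\installation\identity.pfx",                 # assumed: PFX exported earlier
    [string]$SiteName    = "SitecoreIdentityServer",                        # assumed: IIS site name
    [string]$HostHeader  = "identity.example.local",                        # assumed: Identity Server host name
    [string]$HostXmlPath = "C:\inetpub\wwwroot\SitecoreIdentityServer\Config\production\Sitecore.IdentityServer.Host.xml"
)
Import-Module WebAdministration

# 1. Import the PFX (private key included) into the machine Personal store that IIS reads
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
$thumbprint = $cert.Thumbprint

# 2. Trust the public part: export the .cer and import it into Trusted Root (private key stays in My)
$cerPath = [System.IO.Path]::ChangeExtension($PfxPath, ".cer")
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Add (or reuse) the HTTPS binding with SNI and attach the certificate to it
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostHeader
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostHeader -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostHeader
}
$binding.AddSslCertificate($thumbprint, "my")

# 4. Write the thumbprint into the CertificateThumbprint node of Host.xml
[xml]$hostXml = Get-Content -Path $HostXmlPath -Raw
$node = $hostXml.SelectSingleNode('//CertificateThumbprint')
if (-not $node) { throw "No <CertificateThumbprint> node found in $HostXmlPath" }
$node.InnerText = $thumbprint
$hostXml.Save($HostXmlPath)

"Installed certificate $thumbprint, bound https://$HostHeader on site '$SiteName' and updated $HostXmlPath."
```

Recycle the Identity Server application pool afterwards so the new thumbprint is read.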