Intermittent failure to connect with SSL client certificate - Cannot load client private key
Posted: Tue 28 Feb 2017 18:44
We recently switched our ASP.NET web apps from password-based authentication to SSL client certificates. Now we are seeing intermittent failures in our logs when connecting to the database.
The issue seems to be more or less random and typically affects at most 1 or 2 out of ~10 web apps at a time. Sometimes restarting the app fixes it, and sometimes not. All web apps run under the same service account. It might be correlated with high database load, but we’re not sure.
```
System.Data.Entity.Core.EntityException: The underlying provider failed on Open. ----> Devart.Data.PostgreSql.PgSqlException: Cannot load client private key. ----> Devart.Security.SSL.u: Cannot load client private key. ----> System.Security.Cryptography.CryptographicException: Couldn't acquire crypto service provider context.
at Devart.Cryptography.al.a(IntPtr& A_0, String A_1)
at Devart.Cryptography.al.b()
at Devart.Security.g.a(Byte[] A_0)
at Devart.Security.g.h(String A_0)
at Devart.Common.af.a(String A_0, String A_1)
--- End of inner ExceptionDetail stack trace ---
at Devart.Common.af.a(String A_0, String A_1)
at Devart.Data.PostgreSql.y..ctor(String A_0, Int32 A_1, Encoding A_2, Int32 A_3, SslOptions A_4, ProxyOptions A_5, Int32 A_6)
--- End of inner ExceptionDetail stack trace ---
at Devart.Data.PostgreSql.w.y()
at Devart.Data.PostgreSql.w..ctor(PgSqlConnectionOptions A_0)...).
```
For reference, we are using Entity Framework with a connection string that looks like this:
```xml
<add name="DatabaseEntities" connectionString="metadata=res://*/DatabaseDB.csdl|res://*/DatabaseDB.ssdl|res://*/DatabaseDB.msl;provider=Devart.Data.PostgreSql;provider connection string='User Id=myuser; Host=myserver;Database=mydatabase;Schema=dbo;SslMode=require;Ssl Key=postgres.key;Ssl Cert=postgres.crt; Persist Security Info=True'" providerName="System.Data.EntityClient" />
```
Steps taken to troubleshoot:
- Granted permissions on C:\ProgramData\Microsoft\Crypto\RSA to web app service account.
- Tried deleting keys from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
- Ran ProcMon to see if there were any access denied, file lock or similar errors, but found nothing.
Database server is running PostgreSQL 9.4 on CentOS
Web apps are 64-bit running on IIS 8.5 on Windows Server 2012 R2
dotConnect for PostgreSQL Professional 7.3.342.0
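
To check the observation that the failure hits only one or two apps at a time and may track database load, the sketch below groups occurrences of the post's innermost exception by app and five-minute window. It is an added example, not part of the original post; the `<timestamp> <app> <message>` log layout, the app names and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Innermost exception (type, text) of the chain quoted in the post.
CSP_CAUSE = ("System.Security.Cryptography.CryptographicException",
             "Couldn't acquire crypto service provider context.")
CHAIN = ("System.Data.Entity.Core.EntityException: The underlying provider failed on Open."
         " ----> Devart.Data.PostgreSql.PgSqlException: Cannot load client private key."
         " ----> Devart.Security.SSL.u: Cannot load client private key."
         " ----> " + ": ".join(CSP_CAUSE))

# Constructed sample log; the "<timestamp> <app> <message>" layout is an assumption.
SAMPLE_LOG = "\n".join([
    "2017-02-28T18:01:12 app03 " + CHAIN,
    "2017-02-28T18:02:05 app01 INFO request completed",
    "2017-02-28T18:03:40 app07 " + CHAIN,
    "   at Devart.Cryptography.al.b()",
    "2017-02-28T18:31:09 app03 " + CHAIN,
    "2017-02-28T18:32:00 app05 System.Data.Entity.Core.EntityException: The underlying"
    " provider failed on Open. ----> System.TimeoutException: The operation has timed out.",
])

LINK = re.compile(r"^([\w.]+): (.+)$")

def root_cause(message):
    """Return (type, text) of the innermost exception in a ' ----> ' chain, else None."""
    links = [LINK.match(part.strip()) for part in message.split(" ----> ")]
    if not all(links):
        return None
    return links[-1].group(1), links[-1].group(2)

def csp_failures_by_window(log_text, minutes=5):
    """Map each time window to the sorted apps that hit the CSP-context failure in it."""
    windows = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # stack frames and other continuation lines carry no timestamp
        if len(parts) == 3 and root_cause(parts[2]) == CSP_CAUSE:
            start = when.replace(minute=when.minute - when.minute % minutes, second=0)
            windows[start.isoformat(timespec="minutes")].add(parts[1])
    return {w: sorted(apps) for w, apps in sorted(windows.items())}

if __name__ == "__main__":
    for window, apps in csp_failures_by_window(SAMPLE_LOG).items():
        print(window, len(apps), "app(s):", ", ".join(apps))
```

Windows in which several apps fail together can then be compared against database load for the same period.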