Unable to get to /Sitefinity with v10 on an upgraded site
I just get this error, and that config URL it specifies loads just fine. I get this just loading the page itself, not even at the login screen.
Are there some upgrade docs anywhere, maybe I'm missing something over what the basic upgrade applies?
Server Error in '/' Application.
The remote certificate is invalid according to the validation procedure.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[AuthenticationException: The remote certificate is invalid according to the validation procedure.]
System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) +298
System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) +150
[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +764
System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar) +78
[HttpRequestException: An error occurred while sending the request.]
[AggregateException: One or more errors occurred.]
System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) +4492572
Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__0.MoveNext() +208
[IOException: Unable to get document from: https://dev.sitefinitysteve.com/Sitefinity/Authenticate/OpenID/.well-known/openid-configuration]
Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__0.MoveNext() +664
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +14139120
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Microsoft.IdentityModel.Protocols.<GetAsync>d__0.MoveNext() +290
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +14139120
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__3.MoveNext() +929
[InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://dev.sitefinitysteve.com/Sitefinity/Authenticate/OpenID/.well-known/openid-configuration'.]
Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__3.MoveNext() +1287
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +14139120
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Microsoft.Owin.Security.OpenIdConnect.<ApplyResponseChallengeAsync>d__c.MoveNext() +728
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +14139120
Hi Steve,
How did you perform the upgrade procedure? There are quite a few changes to the web.config. You can try upgrading using the Project Manager. The Project Manager will apply web.config changes automatically and add new references to your .csproj.
Regards,
Georgi
Yeah I pretty much exclusively use the Project Manager for updates for this exact reason :/
Is ssl REQUIRED? Like in a new site it wouldn't be there but an existing site using ssl pulled down local with an invalid cert?
Hi Steve,
You could take a look at the documentation about certificates.
docs.sitefinity.com/authentication-flow-and-certificates
"You must configure this certificate, by navigating to Administration » Settings » Advanced » Authentication » SecurityTokenService » IdentityServer » SigningCertificate."
If you cannot log in, you should apply those changes using the config file (e.g. you could create a new test project, apply the setting and use it in the existing project). Or you could turn off the SSL, configure it and then turn it back on.
Regards,
Dimitar
The problem isn't even I can't login, it's I can't get to /Sitefinity though... like I don't even get to the point of seeing the login page, just throws the above error
Take a look at the documentation and you should register a valid certificate for dev.sitefinitysteve.com
You could apply the changes before logging in to Sitefinity by using the Authentication.config file directly in AppData/Sitefinity (as I mentioned in my previous answer).
D
Okay will try, thx!
Yeah that's it I guess, if I remove the HTTPS redirect in the webconfig I can get to the backend now... guess I'll play around with trying to add the cert per your doc there, thx!
Okay not sure what else to do here...
I have a trusted cert, it's added to the Authentication.config
<?xml version="1.0" encoding="utf-8"?>
<authenticationConfig xmlns:config="urn:telerik:sitefinity:configuration" xmlns:type="urn:telerik:sitefinity:configuration:type" config:version="10.0.6400.0" encryptionKey="">
<securityTokenServiceSettings>
<identityServerSettings>
<signingCertificate subjectName="dev.sitefinitysteve.com" />
</identityServerSettings>
</securityTokenServiceSettings>
</authenticationConfig>
Still get the error on login
Hmm, so just trusted in chrome I think is the problem then clearly, how can it be globally trusted? Saw this in the warmup logs
Timestamp: 2017-03-15 5:36:36 PM
Message: The page 'dev.sitefinitysteve.com/' failed to warmup with error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.. Requested URL: dev.sitefinitysteve.com/
Eugh this is frustrating
Okay imported the cert to the WINDOWS global trusted store, now all the errors are gone, site warmup seems okay as well (and seems to work! :D)
So now the last issue is that when I try to log in with my local creds (which work on http) I get the attached Message in the Login UI
...turn off HTTPS, log in with those same creds, all good again.
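The difference between "trusted in the browser" and "trusted by Windows" described in the posts above can be checked from PowerShell. This is an added example, not part of the original thread; the host name and port are placeholder parameters to be set to the site's HTTPS binding.

```powershell
# Added example: fetch the certificate an HTTPS binding serves and validate it
# against the machine certificate stores. Parameter defaults are placeholders.
param(
    [string]$HostName = 'dev.example.test',   # placeholder host name
    [int]$Port = 443
)

$script:policyErrors = $null
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    # The callback accepts any certificate only so the handshake completes and
    # the certificate can be inspected; nothing is sent over this stream.
    $capture = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $capture)
    $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# $true = build the chain in machine context, not the logged-on user's context.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
# Skip revocation so the result reflects trust only, not CRL/OCSP reachability.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($served)

[pscustomobject]@{
    Subject        = $served.Subject
    Issuer         = $served.Issuer
    Thumbprint     = $served.Thumbprint
    NotAfter       = $served.NotAfter
    PolicyErrors   = $script:policyErrors      # includes name mismatch, as seen by this session
    MachineTrusted = $trusted
    ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

A result of MachineTrusted = False with ChainStatus UntrustedRoot corresponds to the situation in the thread before the certificate was imported into the Windows machine-level trusted store.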
Keep in mind that enabling https requires all of the site to use it. Otherwise the cookies won't be sent.
Take a look at - docs.sitefinity.com/administration-configure-http-and-https-bindings-to-work-simultaneously.
Have you checked Sitefinity/Administration/Settings/Advanced/Authentication > Require Https?
For investigation of such errors - you can turn on the IdentityServer logging
Sitefinity/Administration/Settings/Advanced/Authentication > SecurityTokenService > IdentityServer > Enable logging and check the Authentication log. There you will find the error details.
The reason for not showing the details is that there may be security-sensitive info that the end user should not see.
For more information docs.sitefinity.com/turn-on-authentication-logging
Best,
Dimitar
Can we get the docs updated with the XML for the .config files? If I can't login I can't get to these pages (working on updating another site atm)... would be nice to just open the config and paste in the settings instead of needing to JustDecompile it to find the property names (would just be more handy)
Okay for anyone else, the error was
Message: Signing certificate has not private key or private key is not accessible. Make sure the account running your application has access to the private key
1) Open your Certificates MMC
2) Find your cert
3) Right Click->All Tasks->Manage Private Keys
4) Add your app pool to the list
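The four MMC steps above can also be scripted. The following PowerShell is an added example, not from the original post or from Sitefinity; the subject and application pool names are placeholders, and it assumes an RSA certificate in LocalMachine\My and an elevated session.

```powershell
# Added example: grant an IIS application pool identity Read access to a
# certificate's private key. Run elevated. Parameter defaults are placeholders.
param(
    [string]$Subject = 'CN=dev.example.test',   # placeholder subject
    [string]$AppPool = 'DefaultAppPool'         # placeholder application pool name
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key on this machine." }

# The key is a file on disk; its name comes from the CNG or legacy CSP key object.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Certificate $($cert.Thumbprint) does not have an RSA private key." }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine keys live in one of these folders depending on the provider.
$keyFile = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
) | ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found; the key may be held by a hardware or custom provider." }

# Read is enough to sign with the key; Full Control is not needed.
$identity = "IIS AppPool\$AppPool"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl = Get-Acl -Path $keyFile
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting entries for the identity that was added.
(Get-Acl -Path $keyFile).Access | Where-Object { $_.IdentityReference.Value -eq $identity }
```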
Hi Steve and Dimitar,
After I upgraded Sitefinity 9.2 to 10 I can no longer see the backend login page. I immediately receive a 401 error.
I upgraded my development site with Project Manager and the upgrade was successful. I successfully launched the dev website and received a successful check for the database upgrade. I see no problem in the upgrade log.
To be sure it's not coming from my server, I created a new project with Project Manager and launched it; with this new project's website I can see the backend login page.
I use IIS Express and Visual Studio for both. They are configured for HTTPS with Visual Studio, which created the IIS Express Development Certificate for me.
I don't know why it's OK with the new project while for the upgraded website I receive a 401 error page (see attachment).
I also looked into the IIS Express log and used Fiddler but couldn't find why this issue occurs with my upgraded website. I compared the DLLs and also web.config, and tried a lot of things without success :-/
Can someone help me?
In the SecurityConfig, do you have "authenticateOnFrontendLoginPage" set to true?
Right Steve, I forgot to mention that. Originally "authenticateOnFrontendLoginPage" was set to true in SecurityConfig.
I also tested it without this setting and with "False", but I always receive 401.
Perhaps it records this in a DB file???
You've shut the browser down, cleared cache... she's all clean that way?
Are there any logs that give any details?
What about enabling auth logs?
<?xml version="1.0" encoding="utf-8"?>
<authenticationConfig xmlns:config="urn:telerik:sitefinity:configuration" xmlns:type="urn:telerik:sitefinity:configuration:type" config:version="10.0.6400.0" encryptionKey="***">
  <relyingPartySettings authCookieExpirationTime="1140" authCookieSecureOption="Never" />
  <securityTokenServiceSettings>
    <identityServerSettings enableLogging="True">
      <signingCertificate subjectName="***" />
    </identityServerSettings>
  </securityTokenServiceSettings>
</authenticationConfig>
I cleared the browser cache.
Here is the authenticationConfig:
<?xml version="1.0" encoding="utf-8"?>
<authenticationConfig xmlns:config="urn:telerik:sitefinity:configuration" xmlns:type="urn:telerik:sitefinity:configuration:type" config:version="10.0.6400.0" requireHttps="True" encryptionKey="***">
  <relyingPartySettings authCookieSecureOption="Never" />
  <securityTokenServiceSettings>
    <signingCertificate subjectName="localhost" />
    <identityServerSettings enableLogging="True" />
  </securityTokenServiceSettings>
</authenticationConfig>
I use Visual Studio to launch my dev project and it uses localhost:<port> over https.
I receive no log about authentication because it finishes before that. It stops immediately.
In the IIS Express log I can find this, but it doesn't give me a solution...
<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type='text/xsl' href='freb.xsl'?>
<!-- saved from url=(0014)about:internet -->
<failedRequest url="localhost:44386/sitefinity"
siteId="2"
appPoolId="Clr4IntegratedAppPool"
processId="12244"
verb="GET"
remoteUserName=""
userName=""
tokenUserName="WEBDEV1\gs1admin"
authenticationType="anonymous"
activityId="80000110-0000-EE00-B63F-84710C7967BB"
failureReason="STATUS_CODE"
statusCode="401"
triggerStatusCode="401"
timeTaken="46"
xmlns:freb="schemas.microsoft.com/.../freb"
>
If I use the new project, in this same log I receive status code 200. With the same new project I can also use a "restlet Client" plugin from Chrome and get a response with this line "/Sitefinity/Authenticate/OpenID/.well-known/openid-configuration"
With my Sitefinity dev site I receive a 401 error.
Finally, after a suggestion from Sitefinity support to use the web.config file of the _empty project, I compared my web.config with the _empty web.config file and found which line causes the issue.
It was this line: "<add key="owin:AutomaticAppStartup" value="false" />". I commented out this line and now I can access the backend login.
Hope that can help other people.
Regards,
For applications with configuration files in Azure Database, you need to manually update the sf_xml_config_items table with the AuthenticationConfig.config settings mentioned above.
Hello, we are using a wildcard certificate and can't get this thing working.
We tried knowledgebase.progress.com/.../IDX10803-Unable-to-create-to-obtain-configuration-from-error-when-trying-to-authenticate and the configuration suggested above.
Our certificate has a complex subject, with CN, O, L, S and C set (CN=*.domain.si,O=our company,L=city,s=city,C=US). How do we set the subjectName attribute on the signingCertificate element? Currently we tried "*.domain.com".
A copy of the page with the same configuration but a non-wildcard certificate works fine on another server.
Regards,