
We are deploying our first .NET Core application on Linux (Ubuntu 18.04 LTS and Apache2).

We do not know the certificates of the servers where they will be deployed nor the ports where they will be deployed, since they are the client's and we do not have access, so we need to be able to enter them by configuration in the appsettings (Kestrel configuration).

On Windows the API works without problems in both http and https, putting this configuration in the appsettings.json and reading it in the Startup.cs like this:

// kestrel configuration
services.Configure<KestrelServerOptions>(Configuration.GetSection("Kestrel"));

Our Windows configuration of the appsettings.json is:

"AllowedHosts": "*.mydomain.es;*.mydomain-eu.com;test-win;test-linux;localhost;127.0.0.1;*.myActiveDirectoryDomain.ad",
"Kestrel": {
  "Endpoints": {
    "Http": {
      "Url": "http://localhost:5009"
    },
    "Https": {
      "Url": "https://localhost:5010"
    }
  }
}

When deployed on Linux with the same configuration, the Kestrel service does not start. Kestrel service error:

sudo systemctl status kestrel-apieu.service
● kestrel-apieu.service - Example ASP .NET Api running on Ubuntu 18.04
   Loaded: loaded (/etc/systemd/system/kestrel-apieu.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: core-dump) since Thu 2020-02-06 09:13:20 CET; 4s ago
  Process: 4449 ExecStart=/usr/bin/dotnet /var/www/core/api/apieu/HHHHH.JJJJJJJJ.Api.UnitsEuApi.dll (code=dumped, signal=ABRT)
 Main PID: 4449 (code=dumped, signal=ABRT)

Removing the https part works in http without any problems, like this:

"Kestrel": {
    "Endpoints": {
      "Http": {
        "Url": "http://localhost:5009"
      } 
    }
  }

Kestrel service running:

sudo systemctl status kestrel-apieu.service
● kestrel-apieu.service - Example ASP .NET Api running on Ubuntu 18.04
   Loaded: loaded (/etc/systemd/system/kestrel-apieu.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-02-06 09:16:19 CET; 2s ago
 Main PID: 5504 (dotnet)
    Tasks: 17 (limit: 4660)
   CGroup: /system.slice/kestrel-apieu.service
           └─5504 /usr/bin/dotnet /var/www/core/api/apieu/HHHHH.JJJJJJJJ.Api.UnitsEuApi.dll

When we set this configuration to the server's self-signed .crt certificates, the Kestrel service starts but does not work on https.

Configuration appsettings:

"AllowedHosts": "*.mydomain.es;*.mydomain-eu.com;test-win;test-linux;localhost;127.0.0.1;*.myActiveDirectoryDomain.ad",
"Kestrel": {
  "Endpoints": {
    "Http": {
      "Url": "http://localhost:5009"
    },
    "Https": {
      "Url": "https://localhost:5010", // we also tried: "https://*:5010"
      "Certificate": {
        "Path": "/etc/apache2/ssl/apache.crt",
        "Password": "/etc/apache2/ssl/apache.key",
        "AllowInvalid": true
      }
    }
  }
}

http://localhost:5009/test works perfectly, but https://localhost:5010/test sends an error:

Secure Connection Failed

An error occurred during a connection to localhost:5010. PR_END_OF_FILE_ERROR

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

But the self-signed certificate does allow you to enter https://localhost without problems (once you trust the certificate).

We have also tried to convert the self-signed .crt certificate to .pfx (with OpenSSL -> convert crt to pfx certificate) and configure it this way:

"Kestrel": {
  "Endpoints": {
    "Http": {
      "Url": "http://localhost:5009"
    },
    "Https": {
      "Url": "https://*:5010",
      "Certificate": {
        "Path": "/etc/apache2/ssl/apache.pfx",
        "Password": "passwdExport",
        "AllowInvalid": true
      }
    }
  }
}

But it also doesn't start the service and it doesn't work on either http or https.

We've looked at all these help pages, among others:

.net core Kestrel server SSL issue

Certificate issue in Kestrel ssl JSON configuration using .net Core 3.1

Asp.Net Core 2.0 HTTP -> HTTPS on Kestrel

Will a self-signed certificate work behind an Apache reverse-proxy?

The problem seems to be that we're not properly configuring the Kestrel with the self-signed certificate. But we can't find our mistake. Can you help us?

In case it can give you more information, we opened an earlier post; it was more generic because we did not know that the problem came from Kestrel and thought it was from Apache2: deploy NET Core Linux HTTPS SSL

Cfun
sanmolhec
  • Did you ever figure out what the problem was? – Scott Reece Jun 09 '20 at 01:42
  • Hi. NO. I'm still trying to figure out how to make it work on https under Linux. When I get it, I'll publish a solution. If anyone can contribute anything it will be welcome. In any case, it seems that it is not bad practice to redirect from Apache https (or similar) to local http. – sanmolhec Jun 12 '20 at 08:38
  • Same error, only dev-certs are working. Tried to use `ASPNETCORE_Kestrel__Certificates__Default__Password=` and `ASPNETCORE_Kestrel__Certificates__Default__Path=/root/.dotnet/https/certificate.pfx` to set up the certificate for Kestrel but it is also not working. It seems that there is no solution at the moment (using .net core 3.1). – sunriax Oct 23 '20 at 05:55
  • On GitHub I found [this](https://github.com/dotnet/aspnetcore/issues/27033). Time on the system was not correct. – sunriax Oct 23 '20 at 06:35
  • For Ubuntu users you can try this: Once you've created the *.pfx file (using openssl) and registered it using the certutil cli tool you will need to change the pfx's permissions to be fully readable using chmod. – Michael McDowell Mar 24 '21 at 12:15
  • I'll try it and see if it works, it might be useful. Although from what I've read since I put the post, if you are not going to expose Kestrel directly, but you are going to manage the requests with an apache/nginx (or similar), they recommend redirecting it in http inside the Linux server since it is faster. – sanmolhec Mar 29 '21 at 08:13

1 Answer


I use .NET 6 and recommend you try this:

"Kestrel": {
    "EndPoints": {
      "Https": {
        "Url": "https://domain:port",
        "Certificate": {
          "Path": "path_to.pfx",
          "Password": "password"
        }

      }
    }
  }

And in your Program.cs file enter this:

public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                #if RELEASE                 
                    webBuilder.UseKestrel();
                #endif
                    webBuilder.UseStartup<Startup>();
                }); 

It will help you! Also useful links:

https://learn.microsoft.com/en-us/answers/questions/613333/loading-certificatepfx-with-password-in-linux-does.html

https://learn.microsoft.com/ru-ru/aspnet/core/fundamentals/servers/kestrel/endpoints?view=aspnetcore-6.0

  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/32651368) – qnku Sep 09 '22 at 14:36
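
A pre-flight check for the certificate file this thread keeps coming back to (PEM given where a .pfx is expected, file permissions, export password, missing private key, validity dates against the system clock), as an added example that is not part of the original posts. `check_kestrel_pfx` is a hypothetical helper name, and the script assumes the OpenSSL command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). check_kestrel_pfx is a hypothetical helper
# name. It checks the file named in Kestrel:Endpoints:Https:Certificate:Path and
# prints one status word; run it as the account the systemd unit uses.
check_kestrel_pfx() {
    local pfx="$1" pass="$2" cert start start_s

    [ -f "$pfx" ] || { echo "missing"; return 1; }
    [ -r "$pfx" ] || { echo "unreadable"; return 1; }

    # A PEM .crt or .key is not a PKCS#12 container, and Password is the export
    # password of the .pfx, not the path of a key file.
    if grep -q -- '-----BEGIN' "$pfx"; then echo "pem-not-pfx"; return 1; fi

    # The container holds the private key: readable by the service account is
    # enough, world-readable is more than Kestrel needs.
    [ -z "$(find -L "$pfx" -perm -004)" ] || { echo "world-readable"; return 1; }

    command -v openssl >/dev/null 2>&1 || { echo "no-openssl"; return 2; }

    # Password goes through the environment, not argv (argv shows up in ps).
    # Failure means wrong password, corrupt file or unsupported encryption.
    cert=$(PFX_PASS="$pass" openssl pkcs12 -in "$pfx" -passin env:PFX_PASS \
               -nokeys -clcerts 2>/dev/null) || { echo "cannot-open"; return 1; }

    # Kestrel needs the private key in the same container as the certificate.
    PFX_PASS="$pass" openssl pkcs12 -in "$pfx" -passin env:PFX_PASS \
        -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY' \
        || { echo "no-private-key"; return 1; }

    # Validity window against the system clock; a wrong clock fails here too.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "expired"; return 1; }
    start=$(printf '%s\n' "$cert" | openssl x509 -noout -startdate 2>/dev/null | cut -d= -f2)
    # date -d is GNU date (as on Ubuntu); elsewhere this check is skipped.
    if start_s=$(date -d "$start" +%s 2>/dev/null) && [ "$start_s" -gt "$(date +%s)" ]; then
        echo "not-yet-valid"; return 1
    fi

    echo "ok"
}
```

Anything other than `ok` names the first check that failed, so the service can be left stopped instead of crash-looping under systemd.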