I wrote an ASP.NET Core 3.1 MVC web application. It's a front end calling a Web API back end.

The application works perfectly on development and Staging.

I can't make it work on Production: the Web API seems ok, I can call it from the browser or Postman.

But I can't reach it from my web app. This is the error from the log when it tries to make a call:

```
info: System.Net.Http.HttpClient.IApiClient.ClientHandler[100]
Sending HTTP request GET https://webapi.****.it/inetApi/api/links
fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
An unhandled exception has occurred while executing the request.
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.
--- End of inner exception stack trace ---
```

Staging and Production are both Windows Server 2019 machines with the IIS 10 web server.

Staging has a single website where both the Web API and the web app run as applications:

Web-t.****.it/inetApi
Web-t.****.it/inetW

The Production VM has two websites; one is supposed to be for internal web apps and the other for APIs:

webapi.****.it/inetApi
intranet.****.it/inetW

We made this VM from scratch; it's new, and there aren't any other applications or websites on it.

I already tried to move the Web API application into the same website as the web app to see if that could be the problem, but it isn't.

I tried to force the web app to use TLS as security protocol using this in my startup.cs:

```csharp
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
```

But it only changes the error:

```
info: System.Net.Http.HttpClient.IApiClient.ClientHandler[100]
Sending HTTP request GET https://webapi.****.it/inetApi/api/links
fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
An unhandled exception has occurred while executing the request.
System.Net.Http.HttpRequestException: An error occurred while sending the request.
System.Net.Http.WinHttpException (80072EFF, 12030): Error 12030 calling WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, 'The connection with the server was terminated abnormally'.
at System.Threading.Tasks.RendezvousAwaitable`1.GetResult()
at System.Net.Http.WinHttpHandler.StartRequestAsync(WinHttpRequestState state)
--- End of inner exception stack trace ---
```

So I tried to call the production Web API from the web app on staging or development, and it works.

Then I tried to use the web app on Production with the staging Web API... and it works too!

This is driving me nuts.

It's like everything in production is working individually, but not together.

I have grants to do everything I need on the VMs... but I'm a developer (and not very good at dealing with systems), and I can't ask the sysadmins for much help because they are overwhelmed in this period.

Any ideas?

marc_s
Fabio Maccari

1 Answer

According to the transport security best practices, as far as possible do not specify the SSL version when establishing the SSL connection. Just let the OS decide on the SSL protocol version.
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls

There might be something wrong with the validation process of the SSL certificate installed on the server side. As you know, SSL communication requires a trust relationship between the client side and the server side, therefore I would like to know how you specify the certificate for your Web API project. Have you established the trust relationship between the client side and the server side, namely, by installing the service certificate on the client side? As for why it works properly in the development and Staging environments, an HTTP GET request isn't representative; please try an HTTP POST request.

Besides, the SSL protocol requires .NET Framework/OS support; try installing a higher version of the .NET Framework.

Feel free to let me know if you get something new afterward.

Abraham Qian
  • Both Staging and Production run the latest ASP.NET Core Runtime (3.1.4). All the verbs on Staging (POST, PUT, ...) work OK. Both in staging and production the Web API and the web app run on the same IIS instance as applications. In production they run on different websites (different bindings `Web-t.****.it/inetApi` and `Web-t.****.it/inetW`, same certificate). I neglected to mention something. Production uses a load balancer. I asked the sysadmin to deactivate it but he only turned off one server. So requests still pass through it. And I'm starting to think the problem may be in it... – Fabio Maccari May 27 '20 at 15:13
  • I think I found the problems. In part it was a bad replication of environmental variables by the shared config. But the main reason was a wrong if statement excluding useHsts when running in staging AND production on the Web API. I was so stubbornly looking for differences between the servers, I wasn't considering the problem could be "being" in production and not in staging. Production requires HSTS. So I guess you pointed me in the right direction. Cheers – Fabio Maccari May 27 '20 at 19:35
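
The two causes named in the last comment, sketched as an added example (not the poster's code, which the page does not show): the commented-out condition is an assumed form of the faulty check, and the `Startup` class is assumed to be that of a standard ASP.NET Core 3.1 Web API project.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

public class Startup
{
    public void ConfigureServices(IServiceCollection services) => services.AddControllers();

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILogger<Startup> logger)
    {
        // Log the resolved environment once at startup. A value of
        // ASPNETCORE_ENVIRONMENT that was replicated wrongly by shared
        // configuration is then visible in the first lines of the log.
        logger.LogInformation("Hosting environment: {Env}", env.EnvironmentName);

        // An unexpected name (typo, stale value) matches none of the
        // built-in checks; flag it instead of silently picking a branch.
        if (!env.IsDevelopment() && !env.IsStaging() && !env.IsProduction())
        {
            logger.LogWarning("Unrecognised environment '{Env}', applying production settings",
                env.EnvironmentName);
        }

        // Faulty gate (assumed form of the bug described in the comment):
        // HSTS is skipped in exactly the environments that are served over HTTPS.
        // if (!env.IsStaging() && !env.IsProduction()) { app.UseHsts(); }

        // Corrected gate: only Development opts out, so Staging, Production
        // and any unrecognised environment name all get the HSTS header.
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Gating security middleware on "is not Development" rather than on a list of named environments keeps the secure branch as the default when the environment variable is missing or wrong.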