Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial app start certificate error #293

Open
adambajguz opened this issue Jan 20, 2024 · 4 comments
Open

Initial app start certificate error #293

adambajguz opened this issue Jan 20, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@adambajguz
Copy link

Describe the bug
Hello, when the application starts for the first time e.g. in Docker, and there's no certificate to fallback I receive this error:

System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date.
To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.
   at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(ListenOptions[] listenOptions, AddressBindContext context, Func`2 useHttps, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.Internal.Host.<StartAsync>b__15_1(IHostedService service, CancellationToken token)
   at Microsoft.Extensions.Hosting.Internal.Host.ForeachService[T](IEnumerable`1 services, CancellationToken token, Boolean concurrent, Boolean abortOnFirstException, List`1 exceptions, Func`3 operation)
   at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
   at PackSite.Library.Logging.BootstrappedHost.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)

To Reproduce
Steps to reproduce the behavior:

  1. Run https://github.com/natemcmaster/LettuceEncrypt/tree/main/samples/Web in an environemnt that doesn't have any fallback certificate (developer ceertificate).

Expected behavior
I'd expect that Kestrel will expose HTTP endpoing and not throw any exception until the certificate is generated by the library.
@adambajguz adambajguz added the bug Something isn't working label Jan 20, 2024
Viir added a commit to pine-vm/pine that referenced this issue Mar 22, 2024
@Viir
Add setting to disable HTTPS
6a484c7 
To avoid crashes due to race condition as described at <natemcmaster/LettuceEncrypt#293>
Viir added a commit to pine-vm/pine that referenced this issue Mar 23, 2024
@Viir
Work around problems with asynchronous SSL certificate arrival
4c83894 
Work around the problem with ASP.NET crashing because SSL certificates arrive ordered via LetsEncrypt arrive after starting the app.
A similar issue was discussed at <natemcmaster/LettuceEncrypt#293>
Also, update the LetsEncrypt library and Certes to integrate various  recent upstream improvements.
Viir added a commit to pine-vm/pine that referenced this issue Mar 23, 2024
@Viir
Work around problems with asynchronous SSL certificate arrival
3c82179 
Work around the problem with ASP.NET crashing because SSL certificates arrive ordered via LetsEncrypt arrive after starting the app: Disable HTTPS for a first start, if we find the certificate is not available. Later, if the HTTPS certificate has arrived, restart the ASP.NET host with the HTTPS URLS.
For discussion of this issue, see:

+ <ffMathy/FluffySpoon.AspNet.EncryptWeMust#151>
+ <natemcmaster/LettuceEncrypt#293>

Also, update the LetsEncrypt library and Certes to integrate various  recent upstream improvements.
Viir added a commit to pine-vm/pine that referenced this issue Mar 24, 2024
@Viir
Work around problems with asynchronous SSL certificate arrival
338f4fd 
Work around the problem with ASP.NET crashing because SSL certificates arrive ordered via LetsEncrypt arrive after starting the app: Disable HTTPS for a first start, if we find the certificate is not available. Later, if the HTTPS certificate has arrived, restart the ASP.NET host with the HTTPS URLS.
For discussion of this issue, see:

+ <ffMathy/FluffySpoon.AspNet.EncryptWeMust#151>
+ <natemcmaster/LettuceEncrypt#293>
+ <dotnet/aspnetcore#26258>
+ <dotnet/aspnetcore#45801>

Also, update the LetsEncrypt library and Certes to integrate various  recent upstream improvements.
Viir added a commit to Viir/FluffySpoon.AspNet.EncryptWeMust that referenced this issue Mar 24, 2024
@Viir
Enable consuming apps to check if certificate is already available
3b5d676 
To help apps avoid crashing on race conditions as described at <natemcmaster/LettuceEncrypt#293>
@adambajguz
Copy link
Author

@natemcmaster Any updates on this issue?

@bar10dr
Copy link

bar10dr commented Oct 9, 2024

Same problem

@bar10dr
Copy link

bar10dr commented Oct 9, 2024

I decided to RTFM and found out that the problem was between the computer and the chair.

builder.WebHost.ConfigureKestrel(serverOptions =>
{
 var appServices = serverOptions.ApplicationServices;
 serverOptions.ConfigureHttpsDefaults(h =>
 {
  h.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
  h.UseLettuceEncrypt(appServices);
 });
});

builder.Services
	.AddLettuceEncrypt()
	.PersistDataToDirectory(new DirectoryInfo("/mydirectory/"), "mypassword");

@adambajguz
Copy link
Author

I currently use a temporaary self-signed certficate created on the fly to make Kestrel start.

    hostBuilder
        .ConfigureAppConfiguration(static (builder) =>
            {           
                    // TODO: clear sources
  
                    SelfSignedCertificateHelper.TryInitializeAndGetPassword(
                        "My Application",
                        "initial-certificate.pfx",
                        "/https/certs/self-signed");

                    context.AddInMemoryCollection(new Dictionary<string, string?>
                    {
                        ["Certificates:Default:Path"] = "/https/certs/self-signed/initial-certificate.pfx",
                        ["Certificates:Default:KeyPath"] = "/https/certs/self-signed/initial-certificate.pfx.key",
                    });

                    // TODO: add default sources
            })
using System.IO;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;

    /// <summary>
    /// Self signed certificate helper.
    /// </summary>
    public class SelfSignedCertificateHelper
    {
        /// <summary>
        /// Tries to initialize and get password.
        /// </summary>
        /// <param name="certificateName"></param>
        /// <param name="certificatePfxFileName"></param>
        /// <param name="store"></param>
        /// <returns></returns>
        public static string TryInitializeAndGetPassword(string certificateName, string certificatePfxFileName, string store)
        {
            return TryInitializeAndGetPassword(certificateName, certificatePfxFileName, Directory.CreateDirectory(store));
        }

        /// <summary>
        /// Tries to initialize and get password.
        /// </summary>
        /// <param name="certificateName"></param>
        /// <param name="certificatePfxFileName"></param>
        /// <param name="store"></param>
        /// <returns></returns>
        private static string TryInitializeAndGetPassword(string certificateName, string certificatePfxFileName, DirectoryInfo store)
        {
            ArgumentException.ThrowIfNullOrWhiteSpace(certificateName);
            ArgumentException.ThrowIfNullOrWhiteSpace(certificatePfxFileName);
            ArgumentNullException.ThrowIfNull(store);

            if (!certificatePfxFileName.EndsWith(".pfx"))
            {
                certificatePfxFileName = $"{certificatePfxFileName}.pfx";
            }

            FileInfo[] files = store.GetFiles();

            if (files.Any(x => x.Name == certificatePfxFileName) &&
                files.FirstOrDefault(x => x.Name == $"{certificatePfxFileName}.key") is { } passFileInfo)
            {
                string password = File.ReadAllText(passFileInfo.FullName);

                return password.Trim();
            }

            string newPassword = RandomNumberGenerator.GetHexString(48);

            X509Certificate2 certificate = GenerateSelfSignedCertificate(certificateName, newPassword);
            byte[] certData = certificate.Export(X509ContentType.Pfx, newPassword);

            File.WriteAllBytes($"{store.FullName}{Path.PathSeparator}{certificatePfxFileName}", certData);
            File.WriteAllText($"{store.FullName}{Path.PathSeparator}{certificatePfxFileName}.key", newPassword);

            return newPassword;
        }

        /// <summary>
        /// Generates a self signed certificate.
        /// </summary>
        /// <param name="certificateName"></param>
        /// <param name="password"></param>
        /// <returns></returns>
        public static X509Certificate2 GenerateSelfSignedCertificate(string certificateName, string password)
        {
            ArgumentException.ThrowIfNullOrWhiteSpace(certificateName);
            ArgumentException.ThrowIfNullOrWhiteSpace(password);

            SubjectAlternativeNameBuilder sanBuilder = new();
            sanBuilder.AddDnsName("subdomain.mydomain.com");
            sanBuilder.AddDnsName("subdomain2.mydomain.com");

            X500DistinguishedName distinguishedName = new($"CN={certificateName}");

            using (RSA rsa = RSA.Create(2048))
            {
                CertificateRequest request = new(
                    distinguishedName,
                    rsa,
                    HashAlgorithmName.SHA256,
                    RSASignaturePadding.Pkcs1);

                request.CertificateExtensions.Add(new X509KeyUsageExtension(
                    X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature,
                    false));

                request.CertificateExtensions.Add(
                   new X509EnhancedKeyUsageExtension([new Oid("1.3.6.1.5.5.7.3.1")], false));

                request.CertificateExtensions.Add(sanBuilder.Build());

                X509Certificate2 certificate = request.CreateSelfSigned(
                    new DateTimeOffset(DateTime.UtcNow.AddDays(-1)),
                    new DateTimeOffset(DateTime.UtcNow.AddYears(32)));

                if (OperatingSystem.IsWindows())
                {
                    certificate.FriendlyName = certificateName;
                }

                byte[] exportedCertificate = certificate.Export(X509ContentType.Pfx, password);

                return new X509Certificate2(
                    exportedCertificate,
                    password,
                    X509KeyStorageFlags.MachineKeySet);
            }
        }
    }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bar10dr @adambajguz