I am currently working through upgrading a C#/.NET app from .NET 6.0 to .NET 8.0 on a Linux virtual machine (I'm working on a PC), and I am having some issues with getting HTTPS endpoints to work. I stumbled across this article while looking for solutions, but I'm not 100% sure that is actually the issue, and if it is I'm not sure how to fix it :). I am retrieving a X509Certificate2 crt/key pair from the local file system and using that to create a IHostBuilder object that uses HTTPS. Below is the current code I'm working with:
var certContents = File.ReadAllText(<local filepath>);
var certKeyContents = File.ReadAllText(<local key filepath>);
var cert = X509Certificate2.CreateFromPem(certContents, certKeyContents);
return Host.CreateDefaultBuilder(args)
.UseServiceProviderFactory(new AutofacServiceProviderFactory())
.ConfigureWebHostDefaults(webBuilder =>
{
webBuilder
.UseContentRoot(Directory.GetCurrentDirectory())
.UseKestrel(options =>
{
options.AddServerHeader = false;
options.Listen(IPAddress.Any, port, ops =>
{
ops.UseHttps(cert);
});
}
})
.UseStartup<Startup>();
})
.ConfigureLogging(logging =>
{
})
.UseNLog();
The result of this is generally an error page that just shows "This site can’t provide a secure connection". I have primarily been using Google Chrome v122.0 and Postman v9.31 to test these calls. I have set breakpoints in code and it seems like I'm not even able to get to the backend with these errors since those breakpoints are never hit. Interestingly, I did find that I can get a little bit farther when I use FireFox (as in, it seems to be able to get access to the backend); it does not throw SSL errors, but will instead attempt to access our app's Keycloak instance (not locally hosted) to verify our SSO token and throws a IDX20803 error. Below is further exception code from that:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '<Keycloak URL>'.
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)
I have also noticed some IDX20803 errors that more follow this pattern. This code works just fine in .NET 6, but I must be missing something in the updated .NET versions - any guidance is appreciated!
What I've already tried
options.Listen() callback, attempted to add the below code block.
opt.AllowAnyClientCertificate();
opt.ClientCertificateValidation = (certif, chain, policyErrors) => true;
opt.ClientCertificateMode = Microsoft.AspNetCore.Server.Kestrel.Https.ClientCertificateMode.AllowCertificate;
opt.ServerCertificate = cert;
opt.SslProtocols = System.Security.Authentication.SslProtocols.Tls12
| System.Security.Authentication.SslProtocols.Ssl3
| System.Security.Authentication.SslProtocols.Tls
| System.Security.Authentication.SslProtocols.None
| System.Security.Authentication.SslProtocols.Tls11
| System.Security.Authentication.SslProtocols.Tls13
| System.Security.Authentication.SslProtocols.Default;
In the options.Listen() callback, tried removing the ops.UseHttps(cert) call
In the beginning of my Program.cs and Startup.cs files, attempted adding this line: ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.SystemDefault | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Tls13;
In the Configure method of the Startup.cs file, add app.UseHttpsRedirection();
Might be related to this: https://github.com/dotnet/aspnetcore/issues/54366
See if this helps:
options =>
{
options.Listen(System.Net.IPAddress.Loopback, your-port, httpnOptions =>
{
httpOptions.UseHttps(new HttpsConnectionAdapterOptions { SslProtocols = SslProtocols.Tls12 });
}
}))
if it helps, there's an issue with TLS 1.3 . Looks like they might put a patch out in May.