Problems running/configure self hosted console application (ASP.net core 2.1, Kestrel) with public certificate on a windows webserver
Fre*_*ger 4 https certificate asp.net-core-mvc kestrel-http-server asp.net-core-2.1
I have developed various webservices in the past (VB ASP.net web-api applications) with https for production. I have done the development with http and then setup https on the production servers. To setup a port on the production server for https and the certificate, I have:
- Imported a public certificate in the certificate store on the windows server configured a specific port for https with netsh. E.g:
netsh http add urlacl url=https://+:22224/ user=everyone
- bound the certificate (over the thumbprint) to the port. E.g:
netsh http add sslcert ipport=0.0.0.0:22224 certhash=31cf73308a768100d4d32fe6e77638593e68ab57 appid={a33a711f-c587-44e5-96bc-dca8a7f3fc3c}
- Setup the application to listen to the specific port, whereby I have read the url from a config file at startup - e.g. https://IP:Port and applied it to (vb.net) HttpSelfHostConfiguration()
This works without problems and I am able to configure the applications as I need it (e.g. configure a port in the config file for http for doing tests on a intranet server, configure another port in the config file for the production environment with https).
Now, I want to do the same with an asp.net core 2.1.6 application and it seems not to work the same way.
Public certificate (comodo) is installed in the certificate store of the windows web server.
Port 22224 is configured with netsh for https.
The certificate is bound to the port with netsh (certificate is showed correct with netsh http show sslcert ipport=0.0.0.0:22224
In Program.cs, I add the port to listen with UseUrls:
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseStartup<Startup>() //;
.UseUrls(GV.cURL, "http://localhost:5000");
}
whereby GV.curl contains https://IP:22224 at runtime
The application run’s fine (over the Internet), if I configure it to a http-port (e.g. http://IP:22222).
If I set the (configured) https port (https://IP:22224), the application don’t start and give out the error message:
Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.
The information’s, I found on the web are confusing and it seems as this theme is a “moving target” (often changes in the base handling of asp.net core x-x).
My findings for now:
The snipped “No server certificate was specified” in the error message indicates, that the certificate has to be configured in the application?
I have found an example to specify a certificate in CreateWebHostBuilder with .useKestrel options:
.UseKestrel(options =>
{
options.Listen(IPAddress.Loopback, 5000);
options.Listen(IPAddress.Loopback, 5001, listenOptions =>
{
listenOptions.UseHttps("certificate.pfx", "topsecret");
});
Note: In my case, I would have to change 5001 to 22224.
Questions:
Do I really have to configure the (already to the port bound) public certificate also in the asp.net core 2.1 application?
If yes, what is the best way to do this (is the example above a good way)?
经过大量的尝试和错误,我找到了对我有用的相关信息。
注意:我现在使用ASP.net core 2.1.6(如果您使用旧版本,这可能不适合您...
你不需要用netsh做任何配置,但是你必须配置cert(包括密码)。
您还不需要更改 program.cs...
配置可以完全在appsettings.json(包含在项目根目录中)中完成
所以...在项目中(在我的机器上调试),我使用默认的 appsettings .json(带 http):
{
"Logging": {
"LogLevel": {
"Default": "Warning"
}
},
"AllowedHosts": "*"
}
在内部网服务器上,我用另一个appsettings.json(仍与HTTP):
{
"Logging": {
"LogLevel": {
"Default": "Warning"
}
},
"AllowedHosts": "*"
,
"Kestrel": {
"EndPoints": {
"Http1": { "Url": "http://localhost:5000" },
"Http2": { "Url": "http://172.16.1.120:22222" }
}
}
}
这样,应用程序可以通过内网服务器的 IP 地址在 LAN 中进行测试,也可以直接在内网服务器(本地主机端口 5000)上进行测试。
在Internet服务器上,我使用另一个 appsettings.json(对于带有 http 的 localhost,对于带有 https 和certficate的服务器 IP):
{
"Logging": {
"LogLevel": {
"Default": "Warning"
}
},
"AllowedHosts": "*"
,
"Kestrel": {
"EndPoints": {
"Http": {
"Url": "http://localhost:5000"
},
"HttpsInlineCertFile": {
"Url": "https://192.168.3.3:22224",
"Certificate": {
"Path": "./certificate.pfx",
"Password": "NotReally",
"AllowInvalid": "true"
}
}
}
}
}
这样,应用程序可以直接在 Intranet 服务器上使用 http 进行测试,并通过 Internet 使用 https 和 cert 进行测试。
处理:
- 在服务器上,我有一个应用程序的根目录。
- 直接在根目录下,我存储了“每台机器”不同文件的副本(包括 appsettings.json)
- 为了发布新版本,我在我的开发机器上发布,然后将 \publish\ 目录复制到服务器(在根目录下)并覆盖存储的文件。
- 为了获得正确的配置,我创建了一个简单的.cmd,它从我在全新发布后运行的子目录 \publish\ 中的根目录复制(特定于服务器的)配置文件...
https 和证书的注意事项:
- 证书必须存储在\publish\ 文件夹中。
- 由于(我的)公共 contoso 证书确实保护了一些域,因此 https 只能正常工作,如果应用程序通过域调用(否则,会显示“不安全”消息)。
- 为了能够使用 https 测试应用程序,我在 Windows 和“真实”防火墙上打开了端口 22224。
- DNS 指向我们互联网服务器的公共 IP。
为了测试,我使用https://www.Domain.xx:22224调用应用程序
而且......它有效......
我正在为我的 ASP.Net Core App v2.2 使用 Dockerized 部署,并使用以下指南使其工作(这应该从 2017 年 1 月 v2.1 开始工作):
这个 Stackoverflow 问题: 为 HTTPS 配置 ASP.NET Core 2.0 Kestrel
这是一篇有用的文章,它介绍了证书创建、在不同机器上信任它并配置 .Net 项目 (v2.0)。
我基本上做的是:
- 将证书(在本例中用于本地主机开发)存储在证书文件夹中:
- appsettings.json:
"Kestrel": {
"applicationUrl": "https://localhost:5051;http://localhost:5050",
"Certificates": {
"Default": {
"Path": "certificates/localhost.pfx",
"Password": "MySecret",
"AllowInvalid": "true"
}
}
}
- 设置应用程序 URL
- 通过launchsettings.json(仅限本地开发)
"kamapp-backend": {
"commandName": "Project",
"launchBrowser": true,
"applicationUrl": "https://localhost:5051;http://localhost:5050",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
通过环境
ASPNETCORE_URLS="http://+:5050;https://+:5051",例如。ASPNETCORE_URLS="http://+:5050;https://+:5051" dotnet run- 您不必编写任何设置,只需使用配置文件即可。
强制使用 HTTPS:
app.UseHsts();在您的 Startup.cs 中
它似乎也可以在没有 的情况下工作"AllowInvalid": "true",但我还不明白为什么。也许有人可以回答。
| 归档时间: |
|
| 查看次数: |
10720 次 |
| 最近记录: |