Kestrel does not listen for https when run as a service on Ubuntu #4724
Comments
@Praveen-Rai Thanks for contacting us. When you run the tool on the CLI you are using your current user. When you run it as a service the user is www-data. For it to work you will need to run the dotnet-devcerts tool as the www-data user. Alternatively you can generate an ssl cert and configure kestrel to use it. I think that is a better option if you are running the app as a service. Hope this helps. |
@Tratcher @javiercn Thanks a lot for your prompt reply !!
Any hints on how to do that ?
Thanks, I will try this. |
@Praveen-Rai I'm not an expert in Linux, but I believe |
@javiercn Though I am not sure about the dotnet-devcerts, I will surely try adding the SSL certificate to the Kestrel configuration. For your information, I am also looking forward to getting the docs Hosting Docs updated for the same. |
@Praveen-Rai I'm the main developer on it. dotnet dev-certs will set up the developer certificate in the current user store and that's what kestrel loads. Hope this helps. |
Yes, I ran the service as the root user and it listens on both the ports. Though it would be a bad idea to run a service using root privileges, right?
I tried configuring Kestrel to use the certificate using appsettings.json. Though the app started listening on the SSL port (5001), it didn't work. wget says
appsettings.json I suspect that the above configuration is expecting *.pfx and not *.crt. But then I am wondering how the application works with root user access for the same certificate. Any hints? References : Notes :
|
@javiercn , @Tratcher
And when the application is run as a service as 'www-data', I get a warning : Could this be the cause of the issue?? |
Nope. That's normal. |
To update, I've added www-data to the ssl-cert group. Granted read and execute permissions on the private key directory to the ssl-cert group. Still I am facing the issue. |
@Praveen-Rai Trusting the certificate is only available on Windows and Mac OS. There is no standard way of trusting the certificate on Linux. You need to have the certificate along with the private key in a pfx format. @Tratcher we should throw an error if the certificate doesn’t have an associated private key. You should run the tool as the www-data user, not as root. I believe you can do that with sudo or su on Ubuntu, but check your distro documentation. Finally, running any kind of service with the development certificate in production is not supported and completely discouraged. @danroth27 regarding docs for HTTPS can you loop in the right folks? Hope this helps |
Do you mean to say that this issue is due to trusting of certificate ? I have a doubt then, how does it work with Root user ? Doesn't the certificate trust apply machine wide ?
Now I don't feel that's the matter, coz the application is working with root privileges without the *.pfx format.
The service (AspNetCore App) is run as 'www-data', though I couldn't directly run the dotnet command as 'www-data' (doing a bit of search, I feel that's as designed). And that's where the problem is.
I agree, I am using this certificate for development only.
My upvote for that. We've been always restricted to MS OS concepts with .Net, but with .Net core we are introduced to MacOs & Linux and its distributions. So, maybe it would be safer to log warnings & errors more sensitively than we used to do before with .Net. |
Finally I figured out the issue. The issue is that a developer SSL certificate is installed with the dotnet SDK with the name localhost. In case of Ubuntu the certificate is located at /home/{user name}/.dotnet/corefx/cryptography/x509stores/my I believe Kestrel just searches in the home directory of the executing user, which does not exist for 'www-data', hence it couldn't locate the development certificate. Due to which it doesn't bind to the default https port. Here are the key points (please provide your comments) :
|
No. ASP.NET uses the current user personal certificate store which was made to work cross-platform. We don't have any plans to do anything else as there is no standard way of achieving this on linux systems and we just simply rely on .NET functionality.
No. The main purpose of the dev-certs tool is to support the development of APIs and Websites in the most common development environments and scenarios. Doing development of your app by running it as a service is not something that we consider a core development scenario (compared to for example, doing dotnet run). You can still develop using HTTPS by manually loading a certificate in pfx format using configuration.
I don't think so. That will produce a jarring experience during regular development.
I'll leave this up to @Tratcher to answer.
If this is the case @danroth27 can you get the doc writers involved here?
I have no idea about this. @Tratcher or @danroth27 can comment.
We support what .NET Core supports. You can probably file an issue on https://github.com/dotnet/corefx and they can probably tell you whether it's supported or what the plans are if any. Hope this helps. |
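A check for the situation discussed in this thread, added here as an example and not code from the ASP.NET Core project: it reads the `User=` line of a unit file, looks up that account's home directory, and reports whether the per-user store path quoted above exists and holds a certificate file. The function names are hypothetical, and the assumption that each stored certificate appears as a `.pfx` file in that directory is mine, not the thread's.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of dotnet or systemd.

# Account a systemd unit runs as: the User= value, or root when no User= is set.
unit_user() {
    u=$(sed -n 's/^[[:space:]]*User=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${u:-root}"
}

# Home directory of an account, read from a passwd-format file
# (defaults to /etc/passwd when no file is given).
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }' "${2:-/etc/passwd}"
}

# Per-user "My" store directory under a home directory (path quoted in the thread).
store_dir() {
    printf '%s/.dotnet/corefx/cryptography/x509stores/my\n' "$1"
}

# check_unit_store UNIT_FILE [PASSWD_FILE] [ROOT_PREFIX]
# Prints "found <user> <dir>" when the unit's account has at least one .pfx
# in its store (assumed layout), "missing <user> <dir>" otherwise.
# ROOT_PREFIX lets the check run against a staged copy of a filesystem.
check_unit_store() {
    user=$(unit_user "$1")
    home=$(home_of "$user" "$2")
    [ -n "$home" ] || { echo "unknown-user $user"; return 2; }
    dir="${3:-}$(store_dir "$home")"
    if ls "$dir"/*.pfx >/dev/null 2>&1; then
        echo "found $user $dir"
    else
        echo "missing $user $dir"
        return 1
    fi
}
```

On a host, `check_unit_store <unit file>` with no further arguments reads `/etc/passwd` and the real filesystem; a `found` result only says a certificate file is present, not that it is the development certificate.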
The kestrel endpoint configuration is documented here: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-2.1#how-to-use-kestrel-in-aspnet-core-apps. It's a bit buried in the section, which we plan to fix: dotnet/AspNetCore.Docs#8496. |
@javiercn I think you're missing a couple of key points here :
Hope that addresses your concerns. |
Configuring logging is documented here: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/logging/?view=aspnetcore-2.1#configuration. @Praveen-Rai Could you please take a look at these docs and then file issues in the https://github.com/aspnet/Docs repo for any content that you think is missing? |
@danroth27 Sorry, I meant configuration using files. Because, you wouldn't want to hard-code the endpoint settings, SSL certificate path .. etc into your code. I just realized today that the configuration settings in the code can be directly mapped into the configuration file. Reference Configuration and Options Still what I suggest is to have a document of the kind you've written in your blog |
The kestrel config file support is doc'd here: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-2.1#endpoint-configuration |
Yes, I've visited this page before, but I didn't find a Kestrel configuration section on the docs. So, I thought why not have a module of Configuration Using File, which will include individual topics for Kestrel, Logging and anything else that we allow configuring using a config file.
Sure, I will. I just wanted to get all this clarified before I can approach the docs team to act on it. I already tried tagging @guardrex, @scottaddie & @shirhatti on this issue, but I couldn't. |
Let's + @tdykstra ... Tom just said he was starting work on the Logging topic. [EDIT] I've also placed the Kestrel topic update issue on Sprint 142 (next) for a quick resolution. |
Thanks @Praveen-Rai ... I'll be sure to review this and do that (+ anything else actionable here) on the update. I'll be out for a week starting Sept. 26. I should be able to get to this as soon as I get back. |
@guardrex For sure .. Meanwhile I'll try to consolidate everything and get it ready for you. Also I request you to please follow this discussion and also any discussion on the Docs repository related to Linux and SSL. Thanks. |
@danroth27 @Tratcher So, I understand that there's already some documentation regarding the configuration and we already have plans to upgrade it. Hence, for now we can skip the discussion on documentation and focus on the other issues, which are :
@javiercn Your opinion please. |
@Praveen-Rai As I believe @javiercn mentioned, we don't directly manage or control the location of the SSL certificates. We rely on the .NET certificate store APIs to manage all of that. If you think the certificate store APIs are using the wrong locations for the local machine or current user certificate stores on specific Linux distributions then you would need to raise that on the https://github.com/dotnet/corefx repo. |
@danroth27 , @javiercn
Regarding the dotnet command, with the configuration file defining the log level to 'Debug' and using [-d|--diagnostics] as well as [-v|--verbosity], it still doesn't generate a Debug level log, unless it is run from the application directory. Can you please check on this? |
@javiercn , @danroth27 Please consider this a gentle reminder. |
I'm not familiar with the area. I'll let @danroth27 and @Tratcher chip in. |
@danroth27 , @Tratcher Any updates on the Kestrel error logging for End-Point configuration issues ? |
Please I'm new to linux. I deployed a web api core/angular app to apache 2.4 ubuntu 18.04. I’m using apache as a proxy for kestrel. I installed a let's encrypt SSL certificate for my domain. When I try to run the following service: [Unit] I get the following error message: System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found. I tried to follow the advice in the error message and run dotnet dev-certs https without luck. I’m new to linux. Can anybody give me a clue about what’s wrong with my setup ? |
@babli514 I've posted an answer on Stack-Overflow, that might help you. Follow this link If you've not already done it, you need to configure Apache to use SSL. Refer this article. |
@Praveen-Rai, I've been struggling with this issue for two days. Thank you so much for your Stack-Overflow solution. I'll be trying it this afternoon. @javiercn - I'm a little lost in the haze of others coming in and out of the discussion, so I'm not sure if you are the best contact for this, but I think it's worth pointing out that using a service to launch the app is outlined in the MS Doc: Host ASP.NET Core on Linux with Nginx. This seems like a great place to either add the points @Praveen-Rai has raised or just to remove entirely. |
Is there any limitation for .pfx file we use in Kestrel?
I'm running asp.net core 3.1 on Centos8 |
Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue. This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue! |
I am trying to host an ASP.Net Core MVC application (https redirection is enabled) on Ubuntu server, using Nginx as a reverse proxy. I have created and installed a local SSL certificate using OpenSSL. When I run my application using the dotnet CLI it listens on both http://localhost:5000 & https://localhost:5001, and I am able to access it on the web using https (http requests are being redirected to https by Nginx).
The problem is when I try to run it as a service, it only listens on http://localhost:5000.
Here's the *.service file :
Environment details : ASP.Net Core 2.1.1, ASP.Net Core SDK 2.1.3, Nginx 1.14, Ubuntu 16.04