Configuration of client certificate options #100
Comments
natemcmaster
added
the
help wanted
natemcmaster
removed
the
help wanted
|
@carey-bishop I couldn't find a way to fix this without requiring new API and you to add additional configuration to your code. I've opened a PR to implement the second option you described, #109. Usage would look like this: LettuceEncrypt/samples/Web/Program.cs Lines 26 to 34 in 383fab7 Would appreciate feedback. At the same time, it might be nice to ask the aspnetcore team to make this easier to do with dependency injection. If that becomes an option in .NET 5 or later, we could update this library to take advantage of that. |
Like making HttpsDefaults into a list of callbacks so you could call ConfigureHttpsDefaults multiple times for cumulative effect? |
|
That, or |
|
PR auto-closed. Re-opening until this is released with 1.1.0. Still open to feedback. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Thanks @natemcmaster, the new API seems to work well. As you mention, use of the |
ghost
mentioned this issue
|
I'm going to release 1.1.0 today. Thanks for your patience with this project. |
Is your feature request related to a problem? Please describe.
Kestrel does not seem to provide a configuration file-based approach for setting the defaults for HTTPS endpoints. As such, the recommended approach is to call ConfigureKestrel then ConfigureHttpsDefaults to enable client certificate support. However, this seems to override the KestrelOptionsSetup class that is registered by LettuceEncrypt. As such, automatic certificate selection and TLS ALPN challenges are not supported when client certificates are enabled.
There does not appear to be a way to chain multiple calls to
ConfigureHttpsDefaults, as it's stored in a single HttpsDefaults property onKestrelServerOptions. Only the lastActionprovided toConfigureHttpsDefaultswill be used, the others are silently ignored.There is also no way to manually invoke the LettuceEncrypt options afterwards, as the three classes involved are internal (
KestrelOptionsSetup,TlsAlpnChallengeResponder&CertificateSelector),Describe the solution you'd like
Possible solutions include:
Actionor class to be called fromKestrelOptionsSetupafter LettuceEncrypt has configured its own settings, eg:HttpsConnectionAdapterOptionsthat can manually be called to configure LettuceEncrypt if ConfigureHttpsDefaults needs to be invoked from the calling application, eg:Describe alternatives you've considered
We can use code to enable client certificates then manually specify the SSL server certificate to use in appsettings.json. This does not invoke
KestrelOptionsSetup, so does not support TLS ALPN challenges, and requires a lot of configuration (eg: domain names need to be listed in multiple places in the JSON file for both Kestrel & LettuceEncrypt to use).IConfigureOptions<T>is not used forHttpsConnectionAdapterOptionsby Kestrel, which prevents that pattern from being used to register multiple providers to configure those options. However, I've created a hacky workaround by registering a class that implementsIConfigureOptions<KestrelServerOptions>. It uses reflection to get the previous value of theHttpsDefaultsprivate property onKestrelServerOptionsso that we can callConfigureHttpsDefaults, invoke the previous callback then set the new properties that we want. However, this is a fragile workaround as it is dependent on private APIs.The text was updated successfully, but these errors were encountered: