Configuration of client certificate options #100
Comments
@carey-bishop I couldn't find a way to fix this without requiring new API and you to add additional configuration to your code. I've opened a PR to implement the second option you described, #109. Usage would look like this (LettuceEncrypt/samples/Web/Program.cs, lines 26 to 34 at 383fab7).
Would appreciate feedback. At the same time, it might be nice to ask the aspnetcore team to make this easier to do with dependency injection. If that becomes an option in .NET 5 or later, we could update this library to take advantage of that.
Like making HttpsDefaults into a list of callbacks so you could call ConfigureHttpsDefaults multiple times for cumulative effect?
That, or
PR auto-closed. Re-opening until this is released with 1.1.0. Still open to feedback.
Thanks @natemcmaster, the new API seems to work well. As you mention, use of the
I'm going to release 1.1.0 today. Thanks for your patience with this project.
Is your feature request related to a problem? Please describe.
Kestrel does not seem to provide a configuration file-based approach for setting the defaults for HTTPS endpoints. As such, the recommended approach is to call ConfigureKestrel then ConfigureHttpsDefaults to enable client certificate support. However, this seems to override the KestrelOptionsSetup class that is registered by LettuceEncrypt. As such, automatic certificate selection and TLS ALPN challenges are not supported when client certificates are enabled.

There does not appear to be a way to chain multiple calls to ConfigureHttpsDefaults, as it's stored in a single HttpsDefaults property on KestrelServerOptions. Only the last Action provided to ConfigureHttpsDefaults will be used; the others are silently ignored. There is also no way to manually invoke the LettuceEncrypt options afterwards, as the three classes involved are internal (KestrelOptionsSetup, TlsAlpnChallengeResponder & CertificateSelector).

Describe the solution you'd like
Possible solutions include:
- An Action or class to be called from KestrelOptionsSetup after LettuceEncrypt has configured its own settings, eg:
- A method on HttpsConnectionAdapterOptions that can manually be called to configure LettuceEncrypt if ConfigureHttpsDefaults needs to be invoked from the calling application, eg:

Describe alternatives you've considered
We can use code to enable client certificates then manually specify the SSL server certificate to use in appsettings.json. This does not invoke KestrelOptionsSetup, so does not support TLS ALPN challenges, and requires a lot of configuration (eg: domain names need to be listed in multiple places in the JSON file for both Kestrel & LettuceEncrypt to use).

IConfigureOptions<T> is not used for HttpsConnectionAdapterOptions by Kestrel, which prevents that pattern from being used to register multiple providers to configure those options. However, I've created a hacky workaround by registering a class that implements IConfigureOptions<KestrelServerOptions>. It uses reflection to get the previous value of the HttpsDefaults private property on KestrelServerOptions so that we can call ConfigureHttpsDefaults, invoke the previous callback then set the new properties that we want. However, this is a fragile workaround as it is dependent on private APIs.
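The reflection workaround described in the issue body, written out as an added example (this is not the reporter's code, nor LettuceEncrypt's or Kestrel's). It assumes the ASP.NET Core 3.1 layout of KestrelServerOptions, where HttpsDefaults is a non-public Action<HttpsConnectionAdapterOptions> and ConfigureHttpsDefaults simply overwrites it; the class name ClientCertificateKestrelSetup and the extension method AddClientCertificatesAfterLettuceEncrypt are hypothetical names chosen here. The point it makes beyond the prose is the ordering dependency: IConfigureOptions<KestrelServerOptions> implementations run in registration order, so this one only sees LettuceEncrypt's callback as "previous" if it is registered after services.AddLettuceEncrypt().

```csharp
// Added example, not LettuceEncrypt or Kestrel code. Assumes ASP.NET Core 3.1:
// KestrelServerOptions.HttpsDefaults is a non-public Action<HttpsConnectionAdapterOptions>
// that ConfigureHttpsDefaults replaces wholesale. Names below are hypothetical.
using System;
using System.Net.Security;
using System.Reflection;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public sealed class ClientCertificateKestrelSetup : IConfigureOptions<KestrelServerOptions>
{
    // Reflect on the non-public property once; null if the Kestrel version renamed or removed it.
    private static readonly PropertyInfo HttpsDefaultsProperty =
        typeof(KestrelServerOptions).GetProperty("HttpsDefaults",
            BindingFlags.Instance | BindingFlags.NonPublic);

    public void Configure(KestrelServerOptions options)
    {
        if (HttpsDefaultsProperty == null)
        {
            // Fail loudly rather than silently dropping LettuceEncrypt's certificate selector
            // and ALPN challenge handling on a Kestrel version where this hack no longer applies.
            throw new InvalidOperationException(
                "KestrelServerOptions.HttpsDefaults was not found; this workaround depends on a non-public API.");
        }

        // Capture whatever callback is currently installed. If LettuceEncrypt's own
        // IConfigureOptions<KestrelServerOptions> ran before this one, that is its callback.
        var previous = HttpsDefaultsProperty.GetValue(options) as Action<HttpsConnectionAdapterOptions>;

        options.ConfigureHttpsDefaults(https =>
        {
            // Apply LettuceEncrypt's settings (certificate selector, ALPN challenge) first...
            previous?.Invoke(https);

            // ...then layer our own client-certificate settings on top without touching
            // ServerCertificate/ServerCertificateSelector, which LettuceEncrypt owns.
            https.ClientCertificateMode = ClientCertificateMode.AllowCertificate;
            https.ClientCertificateValidation = (certificate, chain, errors) =>
            {
                // Placeholder policy: accept only certificates that chain cleanly.
                // A real deployment would pin to a private CA or check a thumbprint allowlist.
                return errors == SslPolicyErrors.None;
            };
        });
    }
}

public static class ClientCertificateKestrelSetupExtensions
{
    // Register AFTER services.AddLettuceEncrypt() so that LettuceEncrypt's configurator runs
    // first and its callback is the "previous" value captured above.
    public static IServiceCollection AddClientCertificatesAfterLettuceEncrypt(this IServiceCollection services)
        => services.AddSingleton<IConfigureOptions<KestrelServerOptions>, ClientCertificateKestrelSetup>();
}
```

Two caveats a practitioner should keep in mind: the property lookup is the fragile part, so the explicit null check is what turns a Kestrel upgrade into a startup failure instead of a silent loss of automatic certificate selection; and because the composed callback is installed with ConfigureHttpsDefaults, any later call to ConfigureHttpsDefaults elsewhere in the application still discards both callbacks, which is the underlying limitation the issue asks LettuceEncrypt to work around.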