ASPNETCORE_ENVIRONMENT and HTTPS? #19359
Comments
dotnet-bot
added
⌚ Not Triaged
Source - Docs.ms
|
Hello @plettb ... I'll strike my remark here after looking at the Docker article in the next comment. It doesn't address using a non-"Development" environment. |
|
Did you see this one? 👉 https://github.com/dotnet/dotnet-docker/blob/master/samples/run-aspnetcore-https-development.md That looks like that guidance will help with the Docker HTTPS scenarios (I'm not a Docker Rex. 😄). I'll close since we have the coverage and that Docker doc ☝️ is cross-linked. For additional support, we recommend the usual support channels ... |
|
@Rick-Anderson ... Need ur help on this one. The Docker doc doesn't clarify if Kestrel config is required when using a non-"Development" environment. That might be the case ... provide a normal |
|
@guardrex I very much appreciate your help and the links, but it seems to me that until whatever magic the "Development" environment is doing to get certs working is documented, the issue shouldn't be closed. :) P.S. The document you pointed me to looked very promising but I ended up having the same problems. Yes, this could be a DFU problem, but if it is I'd still like a little guidance and direction. ☺ |
|
I re-opened it for further discussion. I agree with you that it's not clear. They might want you to ...
... assuming port 8000 ... or change that to whatever port you'd be using. Did you try something along those lines? |
|
I'm just suggesting that if you place the cert config in your |
That's exactly what I tried. So, for example, I put the following into my "appsettings.Docker.json" file: With that I get a "Interop.Crypto.OpenSslCryptographicException", "Message=error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure". (Without that I get "System.InvalidOperationException", "Message=Unable to configure HTTPS endpoint. No server certificate was specified...") |
|
I saw that you made several attempts to pass the password via CLI. Did you try supplying it directly there just to rule out that CLI option being the problem? ... "Kestrel": {
"Certificates": {
"Default": {
"Path": "/root/.aspnet/https/IdentityServer.pfx",
"Password": "PASSWORD"
}
}
} |
|
Nevermind ... that JSON was hard to read. |
|
However ... did you also place the other node there ... "Kestrel": {
"Endpoints": {
"HttpsDefaultCert": {
"Url": "https://localhost:8000"
},
},
"Certificates": {
"Default": {
"Path": "/root/.aspnet/https/IdentityServer.pfx",
"Password": "PASSWORD"
}
}
} |
This is part of the magic that I've been referring to. When run with "Development", a certificate matching the name of the project (note: NOT matching what a developer might supply in the "ASPNETCORE_Kestrel__Certificates__Default__Path" setting in "docker-compose.override.yml") gets extracted automatically. I have no visibility into that extraction - it doesn't appear in any logs. I can only assume that if it gets extracted (created) automatically, there is no password. |
Another interesting thing to note: in Docker there is no "localhost". |
|
There's a little more info in ... https://docs.microsoft.com/visualstudio/containers/container-build#ssl-enabled-aspnet-core-apps ... which cross-links to ... https://docs.microsoft.com/aspnet/core/security/docker-https ... mmmm ... just a version of the earlier topic tho. Stand-by for one of the Docker-savvy cats to help resolve this. Rick will come on shortly ... or Scott ... or Kirk. cc: @serpent5 |
As I mentioned in my original post, this topic gets a lot of attention. However, the environment variable seems to be a unique twist that isn't covered by any of them.
Cool! |
|
I've tried various approaches to try and repro this, but it's all working as expected. I can't find anything in the source-code or from running a number of different experiments to suggest that the difference is only in the There is a difference between using the sdk Docker image vs the aspnet Docker image, in that No matter the
If I mistype the password when setting the environment variable shown above, I see Message=error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure. |
|
The 🙏 server gods 🙏 bless u for helping with this @serpent5. What might happen on this one @plettb is that if you can set up a step-by-step repro of the problem, then engineering would take an issue on this, walk your steps, and then advise further. Your opening comments here are close to what they would need, but I recommend step-by-step 1-2-3 laying it out, which will make it easy for them to follow exactly what you did. Rick will know the best way to proceed. |
|
The simplest possible app that reproduces the problem is what's needed. Then open an issue in https://github.com/dotnet/aspnetcore/issues |
|
I reproduced the problem on my computer. If I can give you a simple app that reproduces the problem, will you reopen the thread? |
Rick-Anderson
added
needs-more-info
and removed
Source - Docs.ms
|
Finally, I followed this article : https://codeburst.io/hosting-an-asp-net-core-app-on-docker-with-https-642cde4f04e8 Since there is a workaround, do you still need the sample to reproduce the problem to investiguate further? |
|
Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core which hasn't been addressed, please file a new issue. |
I found the source and solution to this bug. https://docs.microsoft.com/en-us/dotnet/api/microsoft.extensions.hosting.host.createdefaultbuilder?view=dotnet-plat-ext-5.0 CreateDefaultBuilder() is hard coded to only load User Secrets if the Environment is set specifically to 'Development' and Kestrel is getting the pfx cert password from user secrets. Adding something along these lines solves the issue by getting UserSecrets loaded when the default builder stops loading it. |
I'm really not sure if this is an issue or a question. I've run into some strange behavior and would like to understand it better and, if possible, get it working the way I'd like/expect.
In our application we have a number of projects that require different settings when running on Docker. We've been handling this by using a "SlowCheetah - like" process to transform our "appsettings.json" file. I wish I knew the right name for this feature, but essentially we have "appsettings.json", "appsettings.Development.json", and "appsettings.Docker.json" files. Changing the "ASPNETCORE_ENVIRONMENT" variable in the "docker-compose.override.yml" works beautifully for this. So far, all's well.
HOWEVER, when I change the environment variable, HTTPS stops working! There is some kind of magic that VS and/or Docker are doing when the environment variable is set to "Development" that I don't understand. With "Development" I see the certs created upon first run, and used correctly. When I change the environment variable, the certs still get created, but they don't get used - Kestrel refuses to start: "Message=Unable to configure HTTPS endpoint. No server certificate was specified...". There are numerous articles on the Internet on how to fix this specific problem, but I've had no luck making any of them work unless my environment is set back to "Development". Among other things, I've tried a variety of settings for "ASPNETCORE_Kestrel__Certificates__Default__Password" and "ASPNETCORE_Kestrel__Certificates__Default__Path" with no success.
Obviously, I'd like to use BOTH the environment variable and HTTPS. Any help would be much appreciated.
Thanks!
Brad.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The text was updated successfully, but these errors were encountered: