.net core Kestrel server SSL issue

I am having a few problems implementing a basic SSL server using Kestrel on .Net Core.

My aim is to eventually create my own Alexa skill endpoint, of which I already have a basic version running on Flask on a Raspberry Pi. But I'm a .NET person and really want to leverage what I know and can understand better in .NET Core on Windows IoT on a Raspberry Pi 3.

I followed some very vague tutorials on how to implement an SSL server using Kestrel, which I can get up and running except for one issue. The only SSL certificates that appear to work are Windows-generated PFX certificates created using PowerShell.

This isn't a problem until I try to upload my certificate to the Alexa Developer Console in my Skill endpoint; it does not accept PFX.

So I switched to OpenSSL and created a certificate which my code appears to accept and run, and I am also able to upload the .cer file into Alexa Skills fine.

The problem is when anything attempts to connect to the server I get the following exception:

Hosting environment: Production
Content root path: C:\Users\stewj\OneDrive\Documents\Visual Studio 2017 Projects\ConsoleApp1\ConsoleApp1\bin\Debug\netcoreapp2.0
Now listening on: http://0.0.0.0:8000
Now listening on: https://0.0.0.0:8001
Application started. Press Ctrl+C to shut down.

fail: Microsoft.AspNetCore.Server.Kestrel[0]
  Uncaught exception from the OnConnectionAsync method of an IConnectionAdapter.
System.ComponentModel.Win32Exception (0x80004005): The credentials supplied to the package were not recognized

or

"The server mode SSL must use a certificate with the associated private key."

The ideal situation would be to be able to create a PFX certificate that appears to work correctly (I can browse to the server and get no exceptions, just warnings about a non-trusted CA as it's self-signed) and generate an equivalent .CER file from the PFX file that Alexa Skills accepts.

Unfortunately I am new to SSL and certificates and only have a basic understanding so I'm not exactly sure what the true underlying issue is.

Here is the server code just in case I am missing anything:

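using System.Net;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;

public class Program
{
    public static void Main(string[] args)
    {
        CreateWebHostBuilder(args).Build().Run();
    }

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseStartup<Startup>()
            .UseKestrel(options =>
            {
                // Load the PKCS#12 bundle; the second argument is its export password.
                var cert = new X509Certificate2("cert-key-20180708-190801.p12", "likeiwouldpastethathere");
                // Plain HTTP on port 8000, HTTPS on port 8001 using the loaded certificate.
                options.Listen(IPAddress.Any, 8000);
                options.Listen(IPAddress.Any, 8001, listenOptions =>
                {
                    listenOptions.UseHttps(cert);
                });
            });
}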

BTW I have also tried loading the certificate directly from .UseHttps with the same issue. Using the X509Certificate2 was a thought that maybe it was the correct way, but still no joy.

The app runs fine; I only get the exception when I access the server from either Alexa or a browser. No exceptions if I use a Windows-generated PFX certificate, I just can't access it from Alexa!

Orabelle answered 8/7, 2018 at 19:30 Comment(6)
Then your task now is to learn SSL/TLS. OpenSSL again can be used to test if your ASP.NET Core server runs correctly, feistyduck.com/library/openssl-cookbook/online/… and then you can move on to Alexa side. However, a certificate generated by PowerShell is self-signed (you don't mention the command you used, so the whole world can only guess), where it cannot be trusted (that can cause many issues). Also you don't mention how you generated the .p12 file, so whether you have the private embedded is also unknown. - Vachel
@LexLi Thanks for the reply. I agree I do need to learn more about SSL/TLS. OpenSSL cannot check my server as the server causes an exception due to not liking OpenSSL certificates I have generated. The PowerShell command was following a tutorial for Kestrel ASP.NET using PowerShell which seemed to be the only working way to generate a working certificate, but using your advice I have looked more into SSL and OpenSSL and will post back my findings as I try a new approach. - Orabelle
Can you show openssl output for “OpenSSL cannot check my server as the server causes an exception due to not liking OpenSSL certificates I have generated”? It might be just a step away from the actual cause. "The power shell command was following a tutorial for Kestrel asp.net using powershell" is not the "only working way". There are many more valid ways to prepare a server certificate. - Vachel
I agree it's NOT the only working way. It's the only way I could find at the time of writing after scouring Google. After your reply it helped me think a little differently. Alexa didn't like the PowerShell self-signed certificate, and unfortunately didn't give a reason. So I reverse thought: can I create a PFX file from my certificate and key file from OpenSSL that I know Alexa likes? Lo and behold, OpenSSL does support PFX creation and the answer was right here on Stack Overflow. link. - Orabelle
My problem stemmed from using a GUI front end to OpenSSL instead of learning the command line usage, thanks for giving me a different direction to think. - Orabelle
So, what ended up working? - Sublapsarianism
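
The approach described in the comments (building the PFX from the OpenSSL certificate and key) as an added example; it is not from the thread, and the file names, CN and password are constructed placeholders. It also builds a certificate-only PFX to show the failure case behind "The server mode SSL must use a certificate with the associated private key", and exports the public certificate for upload.

```shell
#!/usr/bin/env bash
# Added example: file names, CN and password are constructed placeholders.
set -eu
PASS='example-only-password'
WORK=$(mktemp -d)

# 1. Self-signed certificate plus its private key (unencrypted PEM, demo only).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj '/CN=skill.example.test' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# 2. Bundle certificate AND key into a PKCS#12/PFX for X509Certificate2.
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/server.pfx" -passout "pass:$PASS"
}

# Failure case: a PFX holding only the certificate. It loads, but a TLS
# server cannot use it because there is no private key inside.
make_certonly_pfx() {
  openssl pkcs12 -export -nokeys -in "$WORK/cert.pem" \
    -out "$WORK/certonly.pfx" -passout "pass:$PASS"
}

# Check: does the PFX contain a key, and does that key match the certificate?
pfx_key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null |
             openssl x509 -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null |
            openssl pkey -pubout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 3. Public certificate only, for upload; it must never contain the key.
export_public_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null |
    openssl x509 -out "$2"
}

make_cert; make_pfx; make_certonly_pfx
export_public_cert "$WORK/server.pfx" "$WORK/upload.pem"
for f in server.pfx certonly.pfx; do
  if pfx_key_matches_cert "$WORK/$f"; then echo "$f: usable for UseHttps"
  else echo "$f: no matching private key"; fi
done
```

Here `server.pfx` stands in for the file passed to `new X509Certificate2(path, password)` in the question's code, and `upload.pem` is the certificate-only file of the kind the question uploads to the skill endpoint configuration.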
