Question
We developed an API with .NET Core 3.1.
This API is enabled to work securely, with HTTPS (redirection from HTTP enabled) and with CORS enabled for certain domains and subdomains.
When we deploy the application on our test server with IIS it works without problems (with a self-generated SSL certificate).
When we publish for Linux and deploy on our test server (with a self-generated SSL certificate and within the same domain), that is when we have problems.
Update post question:
The kestrel server on Linux does not load results in https.
We need kestrel running on https.
The test calls are made from the browser of the Linux server (test-linux) that has the application deployed, directly to localhost.
We have a test driver that only returns a single string to prove that the api is working properly, in http (http://localhost:5009/test) it goes perfectly while for https (https://localhost:5010/test) it does not and its answer is this:
Secure Connection Failed
An error occurred during a connection to localhost:5010. PR_END_OF_FILE_ERROR
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
The API's appsettings.config is as follows:
"AllowedHosts": "*.mydomain.es;*.mydomain-eu.com;test-win;test-linux;localhost;127.0.0.1;*.myActiveDirectoryDomain.ad",
"Kestrel": {
  "Endpoints": {
    "Http": {
      "Url": "http://localhost:5009"
    },
    "Https": {
      "Url": "https://localhost:5010", // we also tried: "https://localhost:5010"
      "Certificate": {
        "Path": "/etc/apache2/ssl/apache.crt",
        "Password": "/etc/apache2/ssl/apache.key",
        "AllowInvalid": true
      }
    }
  }
}
Does anyone know why Kestrel doesn't work on https?
Thank you very much. Cheers.
Update 2 post question:
We're still investigating this. We think the problem is with the type of self-signed certificate or the way it is loaded. We are trying to load it from the appsettings.config as discussed in this article:
Kestrel config in .NET Core 3.1
The bug could be that Kestrel doesn't support self-signed *.crt certificates?
Any ideas? Thanks a lot.
OLD description of the post -not specified-:
First, with redirection from http to https it doesn't work. If we disable the redirection => by http it does work but with https it does not.
Our Linux is an Ubuntu Server 18.04 LTS (customer requirements) with aspnetcore-runtime-3.1, transport-https and apache2 installed, the latter with these a2enmod modules: proxy proxy_http rewrite deflate headers proxy_connect proxy_html mod_proxy proxy_http ssl.
After a lot of testing we have left it as follows (applying server input redirection trick from https to kestrel by http):
Kestrel Service -->
[Unit]
Description=api units EU
[Service]
WorkingDirectory=/var/www/core/api/apieu
ExecStart=/usr/bin/dotnet /var/www/core/api/apieu/HHHHH.JJJJJJJJ.Api.UnitsEuApi.dll
Restart=always
RestartSec=10
SyslogIdentifier=apieu
User=www-data
Environment=ASPNETCORE_ENVIRONMENT=Production
[Install]
WantedBy=multi-user.target
appsettings.config -->
"AllowedHosts": "*.mydomain.es;*.mydomain-eu.com;test-win;test-linux;localhost;127.0.0.1;*.myActiveDirectoryDomain.ad",
"Kestrel": {
  "Endpoints": {
    "Http": {
      "Url": "http://localhost:5009"
    },
    "Https": {
      "Url": "https://localhost:5010", // we also tried: "https://localhost:5010"
      "Certificate": {
        "Path": "/etc/apache2/ssl/apache.crt",
        "Password": "/etc/apache2/ssl/apache.key",
        "AllowInvalid": true
      }
    }
  }
}
Apache2 config (/etc/apache2/sites-available file 000-default.conf) -->
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyRequests Off
    ServerName test-linux
    # work properly
    ProxyPass /europe/ http://127.0.0.1:5009/
    ProxyPassReverse /europe/ http://127.0.0.1:5009/
    # work properly
    ProxyPass /eubk/ http://127.0.0.1:5000/
    ProxyPassReverse /eubk/ http://127.0.0.1:5000/
    # work properly
    ProxyPass /spain/ http://127.0.0.1:5006/
    ProxyPassReverse /spain/ http://127.0.0.1:5006/
    ErrorLog ${APACHE_LOG_DIR}logtodo-error.log
    CustomLog ${APACHE_LOG_DIR}logtodo-access.log common
</VirtualHost>
Apache2 config (/etc/apache2/sites-available file default-ssl.conf) -->
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin support@spain.es
        ServerName test-linux
        ##DocumentRoot /var/www/html
        ProxyPreserveHost On
        ProxyRequests Off
        # work properly "trick"
        ProxyPass /europe/ http://127.0.0.1:5009/
        ProxyPassReverse /europe/ http://127.0.0.1:5009/
        ErrorLog ${APACHE_LOG_DIR}logtodo-error.log
        CustomLog ${APACHE_LOG_DIR}logtodo-access.log common
        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>
and it works by entering both http and https locally and from outside the server, but if we don't do that "trick" it doesn't work.
Apache2 config (/etc/apache2/sites-available file default-ssl.conf) NOT WORK -->
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin support@spain.es
        ServerName test-linux
        ##DocumentRoot /var/www/html
        ProxyPreserveHost On
        ProxyRequests Off
        # NOT work properly (we tried too with localhost)
        ProxyPass /europe/ https://127.0.0.1:5010/
        ProxyPassReverse /europe/ https://127.0.0.1:5010/
        ErrorLog ${APACHE_LOG_DIR}logtodo-error.log
        CustomLog ${APACHE_LOG_DIR}logtodo-access.log common
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>
Error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at support@spain.es to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
Apache/2.4.29 (Ubuntu) Server at test-linux Port 443
We haven't been able to get the kestrel to work directly over https (either on localhost, 127.0.0.1 or from outside)
We've read all the stackoverflow documentation/blogs/post and others we've found...
What are we doing wrong? Ideas?
It seems like we're not getting the Kestrel setup right, how do we do that? Could it be that Kestrel doesn't support self-signed .crt certificates?
Thank you very much. Cheers.
Source: https://stackoverflow.com/questions/60003781/deploy-net-core-linux-https-ssl
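
Added example, not part of the original question: in ASP.NET Core 3.1 the Kestrel `Certificate` section's `Path` and `Password` load a PKCS#12 (.pfx) bundle and its password, so a PEM `.crt`/`.key` pair like the one in the question has to be bundled first. The script below does that with the `openssl` CLI on a constructed throwaway certificate; the function names, file names and demo password are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and names are constructed.
# Assumes the openssl CLI is installed.

# make_sample_pem DIR: throwaway self-signed cert and key, standing in for
# the apache.crt / apache.key pair named in the question.
make_sample_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$1/apache.key" -out "$1/apache.crt" 2>/dev/null
}

# key_matches_cert CRT KEY: succeed only if KEY is the private key for CRT,
# by comparing the public key derived from each.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# pem_to_pfx CRT KEY PFX: bundle cert and key into a PKCS#12 file. The password
# is read from $PFX_PASSWORD so it never appears on a command line.
pem_to_pfx() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    ( umask 077   # the PFX holds the private key: owner-only permissions
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
          -passout env:PFX_PASSWORD )
}

# pfx_has_key PFX: succeed if PFX opens with $PFX_PASSWORD and holds a private key.
pfx_has_key() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD -nocerts -nodes 2>/dev/null |
        grep -q "PRIVATE KEY"
}

# kestrel_https_json PFX: print the Https endpoint block pointing at PFX. The
# password is kept out of the file; with the default host builder it can be set
# through the variable Kestrel__Endpoints__Https__Certificate__Password.
kestrel_https_json() {
    printf '"Https": {\n  "Url": "https://localhost:5010",\n'
    printf '  "Certificate": { "Path": "%s" }\n}\n' "$1"
}

# Demo on constructed files: sh this-file.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_sample_pem "$tmp"
    PFX_PASSWORD='constructed-demo-password'; export PFX_PASSWORD
    pem_to_pfx "$tmp/apache.crt" "$tmp/apache.key" "$tmp/api.pfx" &&
        pfx_has_key "$tmp/api.pfx" && kestrel_https_json "$tmp/api.pfx"
    rm -rf "$tmp"
fi
```

The generated `.pfx` is readable only by its owner, so create it as, or hand it to, the account the service runs under (`www-data` in the unit file above).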