Hosting a blazor web app without ssl certificate - ssl

I have made a web app using Blazor and now i want to host in my server with a free .ml domain. But service-worker.js not running without a secure connection. It is a free domain so i don't want to pay for a certificate.
Use SSL option in the project property is unchecked in all projects.
I couldn't find any information about this online.
Can i force to use http ?
Thanks
SSL Error

As far as I know, Service worker requires https except the localhost to work. Both the third-party certificate and the self-signed certificate is ok as long as we established the certificate trust relationship between the client-side and the server-side properly(for exchanging the public key of certificate).
https://developers.google.com/web/fundamentals/primers/service-workers/
For free SSL certificate,
https://geekflare.com/free-ssl-tls-certificate/
For self-signed certificate,
https://learn.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
Here is an example of using a self-signed certificate.
Can you use a service worker with a self-signed certificate?
Feel free to let me know if there is anything I can help with.

To use HTTP in a Blazor app, in Program.cs remove UseHsts() and
UseHttpsRedirection() if present:
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for
production scenarios, see https://aka.ms/aspnetcore-hsts.
// app.UseHsts();
}
//app.UseHttpsRedirection();
In launchSettings.json make sure there is only an HTTP URL:
"profiles": {
"Dashboard": {
"commandName": "Project",
"dotnetRunMessages": true,
"launchBrowser": true,
"applicationUrl": "http://10.72.11.110:5238",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
},

Related

Microsoft Identity Web generating http instead of https for redirect_url

I have an ASP.NET Core MVC app and I want to use Azure B2C authentication.
The redirect_url that's being generated has http instead of https like so:
&redirect_uri=**http**%3A%2F%2Fmyapp.com%2Fsignin-oidc
This should be https, and it's causing this error:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '9dbe40e0-7555-4ddf-9c17-b5218ed6ca89'.
My appsettings.json looks like this:
"AzureAdB2C": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "xxx",
"ClientId": "xxxx",
"TenantId": "xxxx",
"ClientSecret": "xxxx",
"CallbackPath": "/signin-oidc",
"SignedOutCallbackPath ": "/"
}
and my code in Startup.cs is like so:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration, "AzureAdB2C");
For some reason this works fine on my dev machine with localhost (redirect_url=https) but on the server it's always http.
Any ideas? This has been driving me crazy all day
EDIT: RESOLVED! Turns out the issue was that I didn't have a HTTPS binding in IIS, only a HTTP binding... strange, since I was accessing the site via https://... - I guess somehow the IIS gave a certificate and allowed HTTPS even though I didn't have a binding for it
Thanks for the help guys!
Turns out that this was caused because I didn't have a HTTPS binding in IIS.
I was accessing the site via HTTPS, so not sure how IIS allowed that, but adding a HTTPS binding fixed the redirect_uri problem

Kestrel Fails TLS Handshake after Attempt to Download Intermediate Certificate Fails

Kestrel's web server is timing out, saying Connection Closed, after loading a publicly-signed SSL Certificate.
Background - we have a docker container that hosts a dotnet 3.1 webapi/react app, where the user can upload a custom SSL certificate. The PKCS#12 certificate is stored in our database and bound at startup using .ConfigureKestrel((context,options)) and options.ConfigureHttpsDefaults(listenOptions=>{listenOptions.ServerCertificate = certFromDatabase; }). This has been working flawless.
However, the problem now is that a user is attempting to run this app in a restrictive firewalled environment and is receiving HTTP connection closed errors when attempting to access Kestrel immediately after loading a new certificate and restarting the app.
Whenever Kestrel receives an incoming request, it begins attempting to download the intermediate certificate from the certificate's CA's public CDN repository via http on port 80. It appears to be using the URL from the Authority Information Access portion of the certificate. Since the firewall is blocking this, it retries repeatedly for about 20 seconds, during which time the client's TLS handshake sits waiting on a server response. When the server eventually fails to fetch the intermediate certificate, it cancels the TLS handshake and closes the connection.
I can't figure out why it's attempting to download this certificate, considering the same certificate is embedded in the PKCS#12 PFX bundle that is bound to Kestrel. Am I supposed to load either the root CA or intermediate into the CA trust folder in file system? (Ex. /usr/local/share/ca-certificates/ - I can't load the intermediate there, only the CA?)
public static IWebHost BuildFullWebHost(string[] args)
{
var webHostBuilder = GetBaseWebHostBuilder(args);
return webHostBuilder
.ConfigureAppConfiguration((context, builder) => { [...] })
.ConfigureLogging((hostingContext, logging) => { [...] })
.UseStartup<Startup>()
.ConfigureKestrel((context, options) =>
{
var sp = options.ApplicationServices;
using (var scope = sp.CreateScope())
{
var dbContext = scope.ServiceProvider.GetService<DbContext>();
var cert = Example.Services.HttpsCertificateService.GetHttpsCert(dbContext);
//this returns a new X509Certificate2(certificate.HttpsCertificate, certificate.Password);
options.ConfigureHttpsDefaults(listenOptions =>
{
listenOptions.ServerCertificate = cert;
listenOptions.CheckCertificateRevocation = false;
});
}
})
.Build();
}
Not a great solution, but upgrading to .NET 5.0 resolved the issue. It seems that in .NET 5.0, Kestrel attempts to fetch the certificate chain during initial application startup only (and fails). Subsequent incoming HTTP requests don't trigger the fetch process and requests are served as expected.

Let's Encrypt SSL ( sailsjs framework )

Is there any node modules for sailsjs framework to make ssl certificate using let's encrypt?
There is a middleware that enables http->https redirect and also handles the ACME-validation requests from Let's Encrypt. As far as I can tell, it does not actually trigger the renewal, nor writes anything, but I believe that the ACME-scripts handle that as cron-jobs every 3 months or so, allowing you app to just validate automatically when they run. I haven't implemented this myself yet though.
I would also ask you to really consider using CloudFlare or some other SSL-termination service, as that also gives you a lot of other benefits like DDoS protection, some CDN-features etc.
Docs:#sailshq/lifejacket
As has been mentioned, you should consider the best overall solution in terms of CloudFlare or SSL-offload via nginx etc.
However, you can use greenlock-express.js for this to achieve SSL with LetsEncrypt directly within the Sails node environment.
The example below:
Configures an HTTP express app using greenlock on port 80 that handles the
redirects to HTTPS and the LetsEncrypt business logic.
Uses the greenlock SSL configuration to configure the primary Sails app as HTTPS on port 443.
Sample configuration for config/local.js:
// returns an instance of greenlock.js with additional helper methods
var glx = require('greenlock-express').create({
server: 'https://acme-v02.api.letsencrypt.org/directory'
, version: 'draft-11' // Let's Encrypt v2 (ACME v2)
, telemetry: true
, servername: 'domainname.com'
, configDir: '/tmp/acme/'
, email: 'myemail#somewhere.com'
, agreeTos: true
, communityMember: true
, approveDomains: [ 'domainname.com', 'www.domainname.com' ]
, debug: true
});
// handles acme-challenge and redirects to https
require('http').createServer(glx.middleware(require('redirect-https')())).listen(80, function () {
console.log("Listening for ACME http-01 challenges on", this.address());
});
module.exports = {
port: 443,
ssl: true,
http: {
serverOptions: glx.httpsOptions,
},
};
Refer to the greenlock documentation for fine-tuning configuration detail, but the above gets an out-of-the-box LetsEncrypt working with Sails.
Note also, that you may wish to place this configuration in somewhere like config/env/production.js as appropriate.

Can't Start IIS Express: An error occurred attempting to determine the process id

When I try to start my ASP.Net Core 1.1 app, I'm receiving the following error:
An error occurred attempting to determine the process id of Blah.exe which is hosting your application. An error occurred while sending the request.
I changed the applicationUrl port number from 44300 to 44301 in `launchSettings.json' and I was able to get it to start.
{
"iisSettings": {
"windowsAuthentication": false,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "https://localhost:44301/",
"sslPort": 44301
}
}
Why did changing the port # make it work? Where can I look to figure out why it wouldn't startup?
I ran TCPViewer and I don't see 44300 in use.
Uninstall and re-install of IIS Express fixed it.
Turns out port 44300 wasn't bound to my IIS Express cert. Bill Hiebert figured it out as documented in this developer community issue.
When I ran netsh http show sslcert, port 44300 wasn't listed. I uninstalled and re-installed IIS Express and now it is listed.
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:44300
Certificate Hash : somevalue
Application ID : {someid}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Disable HTTP2 : Not Set

ASP.NET Core 2 - develop using custom domain names and ssl using IISExpress

I want to be able to develop locally using a custom domain and ssl rather than localhost.
How can I setup a custom domain + ssl in VS Solution instead of localhost?
Simple Setup - Using Server URLs
If you want to associate your server to use all the IP addresses assigned to the server/web host then you can do this:
var host = new WebHostBuilder()
.UseUrls("http://*:80", "http://localhost")
.UseKestrel()
.UseIISIntegration()
.Build();
Note: If you don't want all IP addresses, then you can change from http://* to a specific IP address such as http://111.111.111.111. Also, the port is not a requirement, but I have used it for completeness of the answer. It's also important to note that SSL won't work with UseUrls
There is a great amount of additional detail that you can find over at the official Microsoft Docs about Server URLs here.
Binding SSL Certifications (Kestrel Only) -- Endpoint Configuration
Please note that hosting over a public endpoint via Kestrel (even with SSL) is not recommended and you should use a reverse proxy like Nginx or IIS. You can read more about it from the official Microsoft Docs here.
You didn't mention if you were using Kestrel or not, but I will assume you are... In which case, you can configure an SSL certificate easily by binding sockets using the options.
Here is an example of using TCP sockets using the Listen method:
public static void Main(string[] args)
{
BuildWebHost(args).Run();
}
public static IWebHost BuildWebHost(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseStartup<Startup>()
.UseKestrel(options =>
{
options.Listen(IPAddress.Loopback, 5000);
options.Listen(IPAddress.Loopback, 5001, listenOptions =>
{
listenOptions.UseHttps("testCert.pfx", "testPassword");
});
})
.UseIISIntegration() // <-- don't forget you will need this for IIS!
.Build();
Note: That if you use both the Listen method and UseUrls, the Listen endpoints override the UseUrls endpoints.
You can find more info here at the official Microsoft Docs.
Configuring IISExpress
Using the GUI
You can right-click the project and click [Properties].
Using launchSettings.json.
You have to configure this using the launchSettings.json which you can find here:
"iisSettings": {
"windowsAuthentication": false,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "http://localhost:61471/",
"sslPort": 44360
}
},
"profiles": {
"IIS Express": {
"commandName": "IISExpress",
"launchBrowser": true,
"launchUrl": "https://localhost:44360",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
}
Configuring IIS Endpoints
If you use IIS, the URL bindings for IIS override any bindings that you set by calling either Listen or UseUrls. For more information, see Introduction to ASP.NET Core Module.
For .net core, to setup a custom domain:
Add domain to the hosts file, something like www.yourapp.local
find the solution /.vs/applicationhost.config
Add binding e.g.:
In the web project properties > Debug add the App Url to "http://www.yourapp.local:51791/"
(replace port number as required)
For SSL, I assume you can set the above bindings and settings to https and in the web app properties > Debug tick the "Enable SSL" checkbox.
also see this answer: How to enable SSL for IIS Express in VS2015
If you're fine with the certificate validation error in your browser (or whatever client you use), you can put an entry in your hosts file:
www.yourcustomdomain.com 127.0.0.1 (or ::1 if you're on IPv6)
and then use the custom domain to reach your web site locally.
In Windows the hosts file is usually located at C:\Windows\System32\drivers\etc.
First, add an entry in the client's C:\Windows\System32\drivers\etc\hosts text file. Follow instructions in the hosts file itself.
By "develop locally" do you mean on the local machine or local network? If the latter, you must complete the following tasks (in any order).
Generate as described here and configure as described here a certificate on the server, and install it on the client.
Configure the firewall to allow access to your web API as described here.
Bind your web API to a non-localhost URL as described here and here.
I'm not sure off hand, but to get it working with IIS Express you might also need to run netsh http add urlacl as described here and here.
Some of the above links are specific to IIS Express since that's what you asked about. If using Kestrel, then vary the above tasks as follows.
To configure your certificate on the server, add this to appsettings.json:
"Kestrel": {
"Certificates": {
"Default": {
"Subject": "api.mycustomdomain.com",
"Store": "My",
"AllowInvalid": true
}
}
}
To bind your web API to a non-localhost URL, in launchSettings.json's Kestrel profile, replace the localhost part of applicationUrl's value with 0.0.0.0.