
I have a Windows Service hosted web app created with this tutorial (Web Application as Windows Service section): https://csharp.christiannagel.com/2022/03/22/windowsservice-2/

So far everything works. I need to set an HTTPS endpoint for this app, but I always get the same error message after I try to start my service (details below).

As the next step I need to set up an HTTPS endpoint for this app in appsettings.json with a thumbprint:

    "Kestrel": {
      "Endpoints": {
        "Http": {
          "Url": "http://*:5010"
        },
        "Https": {
          "Url": "https://*:5011",
          "Certificate": {
            "Thumbprint": "D24422F5A62359FAD4B18EBE27A5C14735879333",
            "Store": "My",
            "Location": "LocalMachine",
            "AllowInvalid": "false"
          }
        }
      }
    }

The certificate is a DigiCert signed production certificate (not developer certificate).

I imported it into the LocalMachine\My store with the certlm GUI. I read the thumbprint from the store and set it in appsettings.json.

Every time I try to start my service with these settings, it stops after 2-3 seconds and I see the following error in the event log:

CoreCLR Version: 6.0.2023.32017
.NET Version: 6.0.20
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date. To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.

at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()
at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Load()
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.Run(IHost host)
at Microsoft.AspNetCore.Builder.WebApplication.Run(String url)
at Program.<Main>$(String[] args)

I tried every combination of settings, installed it to another store, etc.; the error is always the same.

The only thing that works is when I set the certificate with a PFX file:

    "Kestrel": {
      "Endpoints": {
        "Http": {
          "Url": "http://*:5010"
        },
        "Https": {
          "Url": "https://*:5011",
          "Certificate": {
            "Path": "C:\\CERT\\MY.pfx",
            "Password": "Pass1234"
          }
        }
      }
    }

But I cannot go this way; I must use a thumbprint instead of a hardcoded password.

The permission of the certificate is set for Everyone (for test), but nothing changes.

Can you please help me get this working? Thanks!

1 Answer


There is no option to select a certificate by thumbprint according to this document: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel/endpoints?view=aspnetcore-7.0#listenoptionsusehttps. This is also discussed here: https://github.com/dotnet/aspnetcore/issues/4385.

You could use the option which selects the certificate by subject (CN). Find the "subject" value and use it like below.

        "Certificate": {
          "Subject": "xxxxxx",
          "Store": "My",
          "Location": "LocalMachine",
          "AllowInvalid": "false"
        }

Then it will work.

---------------------update--------------
I can reproduce the error "cannot find certificate" if I remove the CA certificate from "Trusted root Certificate Authority". So make sure your CA root ("Digicert", normally installed on every computer) and "intermediate root" (issuer chain) are all installed to Trusted root.
Maybe you can download them from here: https://www.digicert.com/kb/digicert-root-certificates.htm.

--------cert is issued for all purpose------------


9 Comments

Thank you! I tried this before but it did not work. The error message is different. Just now I tried it again, the result is: ibb.co/kDXFLTv Alternatively I tried listing the subjects with PowerShell to the console window and copy/pasting the subject to appsettings.json, but same result. It seems the system could not find the certificate.
@SZL I reproduced and updated the answer, you could have a check.
The Trusted Root store already contains the DigiCert items: ibb.co/NYKrsL4 in my case. Can you check it please that your certificate contains the following enhanced key OID: "1.3.6.1.5.5.7.3.1"? Thank you!
@SZL sorry I just used self-signed CA for testing, don't have a digicert certificate.
When you have a self-signed cert, probably you have the OID: "1.3.6.1.5.5.7.3.1". I created a debug web app: when I define the certificate details (subject) in program.cs and the certificate has enhanced key OID: "1.3.6.1.5.5.7.3.1", then it works fine. From appsettings.json the same certificate is not working when I define it with Subject as in your post. System.InvalidOperationException: The requested certificate localhost could not be found in LocalMachine/My with AllowInvalid setting: False. I am thinking about leaving appsettings.json and defining the settings in program.cs. It can be a bug too...
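
Following up on the last comment's idea of defining the certificate in Program.cs, here is an added example (not code from the question, the answer or the linked tutorial) that loads the certificate by thumbprint from LocalMachine\My, reports why it is unusable when it is, and hands it to Kestrel. It assumes the "Kestrel:Endpoints" section is removed from appsettings.json and that the thumbprint is stored under a hypothetical "HttpsCertificate:Thumbprint" key; the tutorial's Windows Service hosting setup is left out.

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example. "HttpsCertificate:Thumbprint" is a hypothetical key of our own,
// kept outside "Kestrel:Endpoints" so Kestrel's configuration loader ignores it.
var builder = WebApplication.CreateBuilder(args);
var certificate = LoadServerCertificate(builder.Configuration["HttpsCertificate:Thumbprint"]);

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ListenAnyIP(5010);                                         // http://*:5010
    kestrel.ListenAnyIP(5011, listen => listen.UseHttps(certificate)); // https://*:5011
});

var app = builder.Build();
app.MapGet("/", () => "OK");
app.Run();

static X509Certificate2 LoadServerCertificate(string? configured)
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";
    // Keep hex digits only: drops spaces and invisible characters picked up
    // when a thumbprint is copied out of a certificate dialog.
    var thumbprint = new string((configured ?? "").Where(Uri.IsHexDigit).ToArray());

    using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    // validOnly: false, so an untrusted or expired certificate is still found
    // and the checks below can say what is wrong with it.
    var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
    if (found.Count == 0)
        throw new InvalidOperationException($"No certificate {thumbprint} in LocalMachine\\My.");

    var cert = found[0];
    if (!cert.HasPrivateKey)
        throw new InvalidOperationException("Certificate was imported without its private key.");

    // No EKU extension means unrestricted; if one is present it must list serverAuth.
    var ekus = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>()
        .SelectMany(e => e.EnhancedKeyUsages.Cast<Oid>()).Select(o => o.Value).ToList();
    if (ekus.Count > 0 && !ekus.Contains(ServerAuthOid))
        throw new InvalidOperationException($"EKU lacks {ServerAuthOid}: {string.Join(", ", ekus)}");

    using var chain = new X509Chain();
    if (!chain.Build(cert))
        throw new InvalidOperationException("Chain invalid: " +
            string.Join(", ", chain.ChainStatus.Select(s => s.Status)));
    return cert;
}
```

Each failure surfaces in the event log as a distinct startup exception, which separates a missing private key, a missing server authentication EKU and a broken chain from a certificate that simply is not in the store.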