Kestrel default certificate not loading full chain #52511

Closed
1 task done
lindeberg opened this issue Dec 1, 2023 · 1 comment
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions feature-kestrel

Comments

@lindeberg

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

In .NET 8 with Kestrel, the exposed certificate is not full-chain when using these environment variables:

ASPNETCORE_HTTPS_PORTS=8443
Kestrel__Certificates__Default__Path: <path to .crt file>
Kestrel__Certificates__Default__KeyPath: <path .keyfile>

But when using these environment variables, the exposed certificate is full-chain:

Kestrel__EndPoints__Https__Url: https://+:8443
Kestrel__EndPoints__Https__Certificate__Path: <path to .crt file>
Kestrel__EndPoints__Https__Certificate__KeyPath: <path .keyfile>

Expected Behavior

The exposed certificate should be full-chain when using these environment variables:

ASPNETCORE_HTTPS_PORTS=8443
Kestrel__Certificates__Default__Path: <path to .crt file>
Kestrel__Certificates__Default__KeyPath: <path .keyfile>

Steps To Reproduce

In a .NET 8 Kestrel application

  1. Have a .crt and key file with a chained certificate
  2. Add these environment variables:
     ASPNETCORE_HTTPS_PORTS=8443
     Kestrel__Certificates__Default__Path: <path to .crt file>
     Kestrel__Certificates__Default__KeyPath: <path .keyfile>
  3. Start the application
  4. Examine the certificate with for example OpenSSL: openssl s_client -connect localhost:<port>
  5. Notice only the leaf certificate is exposed

Exceptions (if any)

No response

.NET Version

8.0.100

Anything else?

No response
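
The check from the reproduction steps, written out as a script. This is an added example, not part of the original issue or of ASP.NET Core: it compares the number of certificates in the configured .crt file with the number the server sends in the TLS handshake. The function names and the sample output are constructed for illustration, and it assumes the .crt file holds the leaf followed by its intermediates.

```shell
#!/bin/sh
# Added example (not from the issue): does the server send as many
# certificates as the configured .crt file contains?

# Count PEM certificate blocks read from stdin (prints 0 if none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Print what the server sends in the handshake. -showcerts prints every
# certificate the server presents, not only the leaf.
served_certs() {  # usage: served_certs HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null
}

# Turn the two counts into a verdict.
chain_verdict() {  # usage: chain_verdict FILE_COUNT SERVED_COUNT
    if [ "$2" -eq 0 ]; then echo "no-certificate"
    elif [ "$2" -lt "$1" ]; then echo "chain-truncated"
    else echo "chain-complete"
    fi
}

check_endpoint() {  # usage: check_endpoint CRT_FILE HOST PORT
    in_file=$(count_certs < "$1")
    on_wire=$(served_certs "$2" "$3" | count_certs)
    echo "file=$in_file served=$on_wire $(chain_verdict "$in_file" "$on_wire")"
}

# Constructed sample: s_client-style output with only a leaf certificate.
# The bodies are placeholders, not real certificate data.
sample_leaf_only() {
    cat <<'EOF'
 0 s:CN = app.example.test
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
EOF
}

# Run the live check only when called with CRT_FILE HOST PORT.
if [ "$#" -eq 3 ]; then check_endpoint "$@"; fi
```

Run against both configurations from the report, a "chain-truncated" verdict for the default-certificate settings and "chain-complete" for the endpoint settings would match the behaviour described.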

@amcasey
Member

amcasey commented Dec 1, 2023

@lindeberg Thanks for the clear write-up! I believe this is captured in #43193.

@amcasey amcasey closed this as completed Dec 1, 2023
@ghost ghost locked as resolved and limited conversation to collaborators Feb 7, 2024