aspnet / KestrelHttpServer

[Archived] A cross platform web server for ASP.NET Core. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

IOException (Failed to authenticate HTTPS connection) randomly after upgrading to Asp.Net Core 2.0 #2007

Closed mehmetilker closed 7 years ago

mehmetilker commented 7 years ago

There wasn't any problem using a self-signed certificate on my development environment with the following configuration:

var cert = new X509Certificate2("localhost.pfx", "Pass");
hostBuilder = hostBuilder
    .UseKestrel(options =>
    {
        options.AddServerHeader = false;
        options.UseHttps(cert);
    })
    .UseUrls("https://*:5443");

After upgrading to Core 2.0 and changing the configuration as follows, I am seeing an IOException randomly on the app console. By randomly I mean there is no problem with request/response, as pages are working with SSL as expected, but there is a problem in an internal part, I guess.

private static IWebHost BuildWebHostDev(string[] args)
{            
    var cert = new X509Certificate2("localhost.pfx", "Pass");
    var w = WebHost
        .CreateDefaultBuilder(args)
        .UseKestrel(options =>
        {
            options.Listen(IPAddress.Any, 5443, listenOptions =>
            {                       
                listenOptions.UseHttps(cert);
            });
        })
        .UseStartup<Startup>()               
        .Build();

    return w;
}

info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 1666.9985ms 200 text/html; charset=utf-8
info: HttpsConnectionAdapter[1]
      Failed to authenticate HTTPS connection.
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.<InnerOnConnectionAsync>d__10.MoveNext()

Here are the beginning logs on the app console:

warn: Microsoft.AspNetCore.Server.Kestrel[0]
      Overriding address(es) 'https://localhost:5443/'. Binding to endpoints defined in UseKestrel() instead.
Hosting environment: Development
Content root path: C:\vs2017\App\src\Project.WebSite
Now listening on: https://0.0.0.0:5443
Application started. Press Ctrl+C to shut down.

halter73 commented 7 years ago

This basically means that something connected to the endpoint, but didn't start (or at least complete) the TLS handshake. Note that this is logged as info: because of how common this tends to be.

Maybe you can figure out what's trying to connect without a handshake? Since you're running on a nonstandard port (5443), maybe there's some client out there trying to make a standard HTTP connection to it.

mehmetilker commented 7 years ago

When it happens, I look at the Network tab in my browser (while the page was waiting idle) and I do not see any request (and there is no other browser window waiting open with the localhost address...)

I tried to use 443 instead of 5443 but I got same result.

I thought there is a problem with my configuration. For example, when the app started: "Now listening on: https://0.0.0.0:5443". It does not look identical to my configuration.

And this is my launch settings:

"WebSite Kestrel Debug": {
  "commandName": "Project",
  "launchBrowser": false,
  "launchUrl": "https://localhost:443",
  "environmentVariables": {
    "ASPNETCORE_ENVIRONMENT": "Development"
  },
  "applicationUrl": "https://localhost:443"
},

Is there a way to see the request? I expect it should be written on the console along with the exception, but there is no clue about the request.

cesarblum commented 7 years ago

You could set up Wireshark to capture TLS traffic and see what is going on.
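
A lighter alternative to a packet capture for the question of what is connecting without a handshake, given here as an added example that is not part of the original thread or of Kestrel: a stand-in listener that records each client's address and classifies its first bytes as a TLS ClientHello, plaintext HTTP, or nothing at all. It assumes the app is stopped so the probe can bind the same port (5443 from the issue by default); `HandshakeProbe` and the labels it prints are hypothetical names.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading.Tasks;

// Added diagnostic sketch, not Kestrel code. HandshakeProbe is a hypothetical name.
public static class HandshakeProbe
{
    static readonly string[] Methods =
        { "GET ", "POST ", "PUT ", "HEAD ", "DELETE ", "OPTIONS ", "PATCH ", "CONNECT " };

    public static string Classify(byte[] buf, int count)
    {
        if (count == 0) return "no data (closed or idle before any handshake)";
        // TLS record header: content type 0x16 (handshake), version major 0x03.
        if (count >= 3 && buf[0] == 0x16 && buf[1] == 0x03)
            // Offset 5 holds the handshake message type; 0x01 is ClientHello.
            return count >= 6 && buf[5] == 0x01 ? "TLS ClientHello" : "partial TLS record";
        string head = Encoding.ASCII.GetString(buf, 0, Math.Min(count, 8));
        return Array.Exists(Methods, m => head.StartsWith(m, StringComparison.Ordinal))
            ? "plaintext HTTP sent to the HTTPS port" : "unrecognised bytes";
    }

    public static async Task Main(string[] args)
    {
        int port = args.Length > 0 ? int.Parse(args[0]) : 5443; // port used in the issue
        var listener = new TcpListener(IPAddress.Any, port);
        listener.Start();
        Console.WriteLine($"Probing on port {port}; Ctrl+C to stop.");
        while (true) // one connection at a time is enough for a diagnostic
        {
            using (TcpClient client = await listener.AcceptTcpClientAsync())
            {
                var buf = new byte[16];
                int n = 0;
                try
                {
                    // Wait up to 5 s for the first bytes; a timeout counts as no data.
                    Task<int> read = client.GetStream().ReadAsync(buf, 0, buf.Length);
                    if (await Task.WhenAny(read, Task.Delay(5000)) == read) n = await read;
                }
                catch (IOException) { /* client reset the connection */ }
                Console.WriteLine($"{DateTime.Now:HH:mm:ss} {client.Client.RemoteEndPoint} -> {Classify(buf, n)}");
            }
        }
    }
}
```

The probe never answers the client, so a browser pointed at it will time out; it only shows which peers open the port and what they send first.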

mehmetilker commented 7 years ago

I tried with Fiddler but could not catch anything. I am closing the issue since it does not affect me on production. And as stated here (https://github.com/aspnet/KestrelHttpServer/issues/1853) this exception needs better logging to let us understand the problem.

selvendiranj-zz commented 6 years ago

I am also having the same issue; I suspect this is something related to webpack.

goodtimetribe commented 6 years ago

halter73 hit the nail on the head, but didn't quite explain the painfully easy and obvious solution... this solved it for me. http access is apparently forbidden, but you should be good with https. try adding https:// in front of the website... probably localhost or whatever... if you get a warning about a self signed certificate, go ahead and add an exception (you created it, you should trust it)

dotnet core running on ubuntu