bagetter / BaGetter

A lightweight NuGet and symbol server
https://www.bagetter.com
MIT License

Auto-generate self-signed certificates in Kestrel #141

Open hitchhiker opened 6 months ago

hitchhiker commented 6 months ago

I have no need for TLS security, but MS is removing HTTP. Here's my use case: https://github.com/NuGet/docs.microsoft.com-nuget/issues/3295

Would it be possible to allow Kestrel to generate a self-signed certificate, to eliminate the need for extra configuration / maintenance?

An example of that: https://itniels.com/2020/05/19/aspnet-core-starting-kestrel-with-generated-selfsigned-certificate/

seriouz commented 6 months ago

@hitchhiker So far I haven't thought about what exactly happens if Microsoft disables HTTP access completely. If they still check the validity of certificates, we really have to come up with something clever.

hitchhiker commented 6 months ago

Hey @seriouz - they have a flag that they've added to 8.0.400 that will allow us to skip validation. I don't know if that includes HTTP (and can't find information on it yet).

disableTLSCertificateValidation=true

While it would be better for folks in our context to just use HTTP (as self-hosted, in a private network we have no use for TLS), if the flag doesn't allow that it will at least allow us to use a self-signed / temporary / self-generated cert.

https://github.com/NuGet/Home/issues/13478

seriouz commented 6 months ago

Thank you for this information. I think we'll go for: allowing custom certs to be added. And when none is found, a self-signed one will be used. Probably we could add a notice to the UI explaining the disableTLSCertificateValidation=true property.
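
The fallback described in the comment above (use a configured certificate, otherwise generate a self-signed one at startup) could look like the following. This is an added example, not part of the thread and not BaGetter's code; it assumes a .NET 8 ASP.NET Core project with implicit usings, and the `Tls:PfxPath` / `Tls:PfxPassword` settings and port 8443 are hypothetical.

```csharp
// Added example, not BaGetter code. "Tls:PfxPath", "Tls:PfxPassword" and port 8443 are hypothetical.
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

var builder = WebApplication.CreateBuilder(args);
X509Certificate2 cert = LoadOrCreateCertificate(builder.Configuration);

// Print the fingerprint so an operator can trust this exact certificate on clients.
Console.WriteLine($"TLS cert {cert.Subject} SHA-256 {cert.GetCertHashString(HashAlgorithmName.SHA256)}");

builder.WebHost.ConfigureKestrel(k => k.ListenAnyIP(8443, l => l.UseHttps(cert)));

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();

static X509Certificate2 LoadOrCreateCertificate(IConfiguration config)
{
    // 1. Prefer an operator-supplied certificate when one is configured and present.
    string? path = config["Tls:PfxPath"];
    if (!string.IsNullOrEmpty(path) && File.Exists(path))
        return new X509Certificate2(path, config["Tls:PfxPassword"]);

    // 2. Otherwise generate a short-lived self-signed server certificate in memory.
    string host = Dns.GetHostName();
    using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
    var req = new CertificateRequest($"CN={host}", key, HashAlgorithmName.SHA256);

    var san = new SubjectAlternativeNameBuilder();
    san.AddDnsName(host);
    san.AddDnsName("localhost");
    san.AddIpAddress(IPAddress.Loopback);
    req.CertificateExtensions.Add(san.Build());
    req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true)); // not a CA
    req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
    req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
        new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // serverAuth

    using var ephemeral = req.CreateSelfSigned(
        DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(90));

    // Round-trip through PFX: on Windows, SChannel cannot use the key as created in memory.
    return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx), (string?)null);
}
```

A certificate generated this way changes on every start, so its fingerprint cannot be trusted or pinned on clients unless it is persisted. It provides encryption only, not server authentication, for any client that has certificate validation disabled.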

hitchhiker commented 6 months ago

https://github.com/NuGet/docs.microsoft.com-nuget/issues/3295#issuecomment-2125360562

They replied: the flag 'allowInsecureConnections' (available already) suppresses the warnings / errors and allows the process to continue with HTTP. I tried it, and it's working as expected. I am publishing with a local HTTP feed without issue.

Thanks for your time, and this refreshed project!