Add support for LetsEncrypt certificate acquisition and rotation in Kestrel

[Eilon]

Original issue: https://github.com/aspnet/Home/issues/1190

cc @blowdart

[cwe1ss]

Thx for creating this issue! Some feature requests:

• It should be possible to use the Let’s Encrypt staging server for dev purposes
• It should be possible to create wildcard certificates
• The certificate storage should be pluggable and support multi-instance scenarios
• There should be an Azure Key Vault storage provider

[Eilon]

BTW one option to consider is making sure that Kestrel has any/all required hooks for this to be community-implemented (and maybe that's already the case).

[Tratcher]

The SNI callback added in 2.1 should be all that's needed to plug in a separate implementation. @natemcmaster did your prototype need any additional hooks?

[natemcmaster]

No, but I had to write some code that felt ugly in order to set the SNI callback to use a method on a service from DI.

See https://github.com/natemcmaster/LetsEncrypt/blob/6e5d6d96b20ed2302bfe9bfb5afe3b30d0307488/src/McMaster.AspNetCore.LetsEncrypt/Internal/KestrelOptionsSetup.cs

[Tratcher]

Yeah, I wouldn't want an end user to have to write that code but it looks reasonable if a LetsEncrypt implementation provided it.

[davidfowl]

We could make the selector an interface instead of just being a delegate.

[Tratcher]

And auto-resolve it from DI? The selector needs to be uniquely assignable per endpoint.

[LazerFX]

I'd like, if this goes ahead, to request support of the X-Path-* headers so that even if you're running Kestrel inside a container, behind a load balancer, behind a proxy it can still get the right certificate.

[SommerEngineering]

Is there any news on this e.g. for ASP.NET Core 3?

[Eilon]

@SommerEngineering this is not planned for ASP.NET Core 3 as a built-in feature, but we are considering options around having a proper sample and documentation that demonstrates how to do this.

[Emalton]

That would be amazing @Eilon!

[razfriman]

This would be amazing. Please prioritise this. HTTPS is not easy at the moment with kesteel

[natemcmaster]

I cleaned up the prototype that I wrote last year and have decided to release this to the public as a personal project. It works with ASP.NET Core 2.1, 2.2, and 3.0. Hopefully someone will find this useful.

https://github.com/natemcmaster/LetsEncrypt

[MaxDZ8]

I plan to experiment with the proposed library ASAP. Thank you @natemcmaster . I guess the best would be your library goes like JSON.NET which is not part of core but basically de facto standard.

For the time being, I would like to elaborate on our needs.

The company I work for is transitioning from embedded development to IoT. We do not have specific security professionals in house. We need to secure edge servers so it is my understanding wildcards are critical to us.

Looking at how this issue goes on.

[ghost]

Thanks for contacting us. We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[RehanSaeed]

FYI, LettuceEncrypt is now in maintenance mode only, see announcement:

https://github.com/natemcmaster/LettuceEncrypt/issues/189

[ghost]

Thanks for contacting us.

We're moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s). If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.