natemcmaster / LettuceEncrypt

Free, automatic HTTPS certificate generation for ASP.NET Core web apps
https://nuget.org/packages/LettuceEncrypt
Apache License 2.0
1.59k stars 154 forks

Compatibility with HTTP/3 #228

Open MarkCiliaVincenti opened 2 years ago

MarkCiliaVincenti commented 2 years ago

Has this been tested with HTTP/3 yet please? I'm running into issues whereby the application shuts down if I try enabling HTTP/3.

natemcmaster commented 2 years ago

No, it hasn't been tested. Please share more details about the error and how to reproduce the issue.

MarkCiliaVincenti commented 2 years ago

I tried but failed to debug the issue. I worked around it by creating https://github.com/MarkCiliaVincenti/LetsNotWorryHowToEncrypt

This is basically a Kestrel service that listens on port 80, uses LettuceEncrypt, exporting the .pfx to the domain name requested and permanently redirecting any HTTP traffic on port 80 to HTTPS.

Then in my actual Kestrel app I just give it the path of the created pfx files, and there I can use HTTP/3.

Tratcher commented 2 years ago

Interesting, we had this working in our HTTP/3 test setup, though I guess we didn't have an http/80 endpoint. https://github.com/sebastienros/dotnet-http3/blob/2db113755ad2adf1ebcf151721a18805e9539c67/Program.cs#L17-L22

natemcmaster commented 2 years ago

Thanks for the description. https://github.com/MarkCiliaVincenti/LetsNotWorryHowToEncrypt returns HTTP 404 for me so I don't have a repro yet. @Tratcher's comment makes me think that LettuceEncrypt should be working, but I'll leave this open in case anyone can provide a minimal repro of the problem.

MarkCiliaVincenti commented 2 years ago

I addressed the issues in https://github.com/MarkCiliaVincenti/Tlscertificateloader instead and switched to using Certbot. Certainly LettuceEncrypt and Certes don't allow you to load HTTP/3 with full chain on Linux while also listening on port 80 to redirect traffic to HTTPS.

> On Sat, 13 Nov 2021, 05:32 Nate McMaster, @.***> wrote:
>
> Thanks for the description. https://github.com/MarkCiliaVincenti/LetsNotWorryHowToEncrypt returns HTTP 404 for me so I don't have a repro yet. @Tratcher https://github.com/Tratcher's comment makes me think that LettuceEncrypt should be working, but I'll leave this open in case anyone can provide a minimal repro of the problem.


MarkCiliaVincenti commented 2 years ago

> Interesting, we had this working in our HTTP/3 test setup, though I guess we didn't have an http/80 endpoint. https://github.com/sebastienros/dotnet-http3/blob/2db113755ad2adf1ebcf151721a18805e9539c67/Program.cs#L17-L22

Are you sure this works? I tried it (without using Docker, admittedly) on Ubuntu 20.04 (with libmsquic installed of course) and got the following:

```
info: LettuceEncrypt.Internal.AcmeClient[0]
      Using certificate authority https://acme-v02.api.letsencrypt.org/directory
Unhandled exception. System.NotSupportedException: The OnAuthenticate callback is not supported with HTTP/3.
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.CreateHttp3Options(HttpsConnectionAdapterOptions httpsOptions)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.TransportManager.BindAsync(EndPoint endPoint, MultiplexedConnectionDelegate multiplexedConnectionDelegate, ListenOptions listenOptions, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.<>c__DisplayClass30_0`1.<<StartAsync>g__OnBind|0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindEndpointAsync(ListenOptions endpoint, AddressBindContext context, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.BindAsync(AddressBindContext context, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.EndpointsStrategy.BindAsync(AddressBindContext context, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IEnumerable`1 listenOptions, AddressBindContext context, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.Run(IHost host)
   at Microsoft.AspNetCore.Builder.WebApplication.Run(String url)
   at Program.<Main>$(String[] args) in C:\Users\user\Source\Repos\dotnet-http3\Program.cs:line 31
```

And that's besides the other problem that it doesn't send the full chain as per https://github.com/natemcmaster/LettuceEncrypt/issues/229

ghost commented 1 year ago

Same issue. .NET 7, latest version everything image

SajjadToomari commented 1 year ago

Any updates?

MarkCiliaVincenti commented 1 year ago

> Any updates?

Use https://github.com/MarkCiliaVincenti/Tlscertificateloader with Certbot.

judilsteve commented 1 year ago

I am also experiencing this issue, with the same error message of "The OnAuthenticate callback is not supported with HTTP/3".

The error message suggests that LettuceEncrypt will need to be reworked somewhat to avoid using that callback if it is to support HTTP/3.

The source code throwing the exception can be viewed here: https://source.dot.net/#Microsoft.AspNetCore.Server.Kestrel.Core/Middleware/HttpsConnectionMiddleware.cs,507

Dotnet 7, libmsquic 2.1.7, Ubuntu Server 22.04.1 (arm64).
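The two points above fit together: the exception is thrown because LettuceEncrypt configures Kestrel through the `OnAuthenticate` callback, and the workaround described earlier in the thread sidesteps it by letting a separate service on port 80 obtain the certificate and write it out as a `.pfx`, which the real app then loads itself. The following is an added example of that second, consuming app, written here as an illustration; it is not code from LettuceEncrypt, from the workaround projects linked in this thread, or from the Kestrel samples. It assumes .NET 6 or later with implicit usings, that the sibling service owns port 80 (ACME challenge and HTTP-to-HTTPS redirect), that the exported file and its password arrive in the `CERT_PFX_PATH` and `CERT_PFX_PASSWORD` environment variables, and that this app listens on port 443 only.

```csharp
// Added example (not LettuceEncrypt project code): the "actual Kestrel app" side of the
// split described in this thread. A separate LettuceEncrypt-based service on port 80 does
// the ACME work and writes the certificate to a .pfx; this process only reads that file.
// Assumed names: CERT_PFX_PATH, CERT_PFX_PASSWORD; assumed listen port: 443.
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Server.Kestrel.Core;

var builder = WebApplication.CreateBuilder(args);

var pfxPath = Environment.GetEnvironmentVariable("CERT_PFX_PATH")
    ?? throw new InvalidOperationException("CERT_PFX_PATH must point at the exported .pfx");
var pfxPassword = Environment.GetEnvironmentVariable("CERT_PFX_PASSWORD"); // null if the pfx is unprotected

// The helper service rewrites the .pfx on renewal. Reload it whenever the file's
// timestamp moves, so a renewed certificate is served without restarting this process.
var gate = new object();
X509Certificate2? current = null;
DateTime loadedWriteTime = DateTime.MinValue;

X509Certificate2 CurrentCertificate()
{
    var writeTime = File.GetLastWriteTimeUtc(pfxPath);
    lock (gate)
    {
        if (current is null || writeTime > loadedWriteTime)
        {
            var fresh = new X509Certificate2(pfxPath, pfxPassword);
            if (!fresh.HasPrivateKey)
                throw new InvalidOperationException($"{pfxPath} does not contain a private key");
            // An expired file means renewal has stalled; failing loudly here is what you want to alert on.
            if (fresh.NotAfter.ToUniversalTime() <= DateTime.UtcNow)
                throw new InvalidOperationException($"{pfxPath} holds an expired certificate");
            // The previous instance is deliberately not disposed: handshakes in flight may still use it.
            current = fresh;
            loadedWriteTime = writeTime;
        }
        return current;
    }
}

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ListenAnyIP(443, listen =>
    {
        // HTTP/1.1 and HTTP/2 stay enabled for clients that cannot negotiate QUIC.
        listen.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
        listen.UseHttps(https =>
        {
            // Hand the certificate over via ServerCertificateSelector (or ServerCertificate),
            // not OnAuthenticate: OnAuthenticate is the callback Kestrel rejects while building
            // the HTTP/3 options, which is the NotSupportedException quoted in this thread.
            https.ServerCertificateSelector = (_, _) => CurrentCertificate();
        });
    });
});

var app = builder.Build();

// Check endpoint: reports "HTTP/3" once QUIC negotiation has succeeded.
app.MapGet("/", (HttpContext ctx) => $"Served over {ctx.Request.Protocol}");

app.Run();
```

Run it with the two environment variables set and request `/` from a curl build that has HTTP/3 support (`curl --http3`); a first request may still land on HTTP/1.1 or HTTP/2 until the client has seen the `Alt-Svc` advertisement, so repeat it. The reload-on-change selector is what makes the split workable operationally: the port-80 service renews, rewrites the file, and the HTTP/3 app picks the new certificate up on the next handshake. The separate problem of the exported file carrying only the leaf rather than the full chain (issue #229 above) is not something this example addresses.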

ArnimSchinz commented 10 months ago

I hope this issue gets addressed, since I do not want to change to certbot again, but this is keeping me from using HTTP3 for quite some time now.

MarkCiliaVincenti commented 10 months ago

> I hope this issue gets addressed, since I do not want to change to certbot again, but this is keeping me from using HTTP3 for quite some time now.

Have you tried using https://github.com/MarkCiliaVincenti/Tlscertificateloader?

ArnimSchinz commented 10 months ago

Without digging in too deep: Is it possible to combine both, so I must never even once use certbot?

MarkCiliaVincenti commented 10 months ago

> Without digging in too deep: Is it possible to combine both, so I must never even once use certbot?

No this library will not do renewals for you. But there are other .NET libraries that just do the renewals for you. I created this project for personal use but put it public so that others could use it. Personally used certbot and set it once and forgot about it.