
Problem:

Trying to implement SSL on Kestrel/.NET Core

Error Message:

Managed Debugging Assistant 'FatalExecutionEngineError' has detected a problem in 'C:\my.exe'. Additional information: The runtime has encountered a fatal error. The address of the error was at 0x053150a3, on thread 0x1c44. The error code is 0xc0000005. This error may be a bug in the CLR or in the unsafe or non-verifiable portions of user code. Common sources of this bug include user marshaling errors for COM-interop or PInvoke, which may corrupt the stack.

Requested Answer:

I suspect my problem is my certificate as explained below. If this is in fact true I would appreciate a step-by-step description on how to create the .pfx file. Also, I don't understand how the cert is stored: Do IIS and IIS Express each require a distinct cert, or do they look in the registry and use a common cert?

Code:

    public static void Main(string[] args)
    {
        string env = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
        var config = new ConfigurationBuilder()
            .SetBasePath(Directory.GetCurrentDirectory())
            .AddJsonFile("hosting.json", optional: true)
            .AddJsonFile($"appsettings.{env}.json", optional: false)
            .AddCommandLine(args)  // will get server.urls from command line
            .Build();

        X509Certificate2 xCert = new X509Certificate2("localhostSSLCert.pfx", config["Data:SSLPassword"]);

        var host = new WebHostBuilder()
            .UseKestrel(x => x.UseHttps(xCert))
            .UseConfiguration(config)
            .UseContentRoot(Directory.GetCurrentDirectory())
            //.UseUrls("http://localhost:53389/")
            .UseIISIntegration()
            .UseStartup<Startup>()
            .Build();

        try
        {
            host.Run();
        }
        catch (Exception ex)
        {
            string y = ex.Message;
        }
    }

What I've done to debug:

When I step through my code and look at the cert (xCert in my code) it appears to be a valid object meaning .net has read the file correctly (I see my domain name etc).
However I still suspect my problem is the cert. I've found numerous articles that attempt to explain how to generate the .pfx file. The primary article I used to generate the .pfx file I am using is this: https://blogs.msdn.microsoft.com/robert_mcmurray/2013/11/15/how-to-trust-the-iis-express-self-signed-certificate/

Other articles I've researched:

  • creating valid test SSL certificates for IIS
  • http://dotnetthoughts.net/how-to-setup-https-on-kestrel/
  • http://rainabba.blogspot.com/2014/03/ssl-certs-for-iis-with-pfx-once-and-for.html

I am unable to export a cert using the Certificate MMC snap-in. The .pfx option is always disabled.

project.json

    {
      "version": "1.0.0-*",
      "userSecretsId": "aspnet-WebApp1-c23d27a4-eb88-4b18-9b77-2a93u3b15119",
      "dependencies": {
        "Microsoft.Extensions.Logging": "1.0.0",
        "Blog.Core": "1.0.0-*",
        "Blog.Domain": "1.0.0-*",
        "Blog.Model": "1.0.0-*",
        "Blog.Services": "1.0.0-*",
        "Microsoft.Extensions.Caching.Memory": "1.0.0",
        "Microsoft.Extensions.Caching.Abstractions": "1.0.0",
        "Microsoft.AspNetCore.Server.IISIntegration": "1.0.0",
        "Microsoft.AspNetCore.Session": "1.0.0",
        "Microsoft.Extensions.Configuration.EnvironmentVariables": "1.0.0",
        "Microsoft.Extensions.Configuration.FileExtensions": "1.0.0",
        "Microsoft.Extensions.Configuration.Json": "1.0.0",
        "Microsoft.Extensions.Logging.Console": "1.0.0",
        "Microsoft.Extensions.Logging.Debug": "1.0.0",
        "NETStandard.Library": "1.6.0",
        "Autofac.Extensions.DependencyInjection": "4.0.0",
        "Microsoft.Extensions.Configuration.CommandLine": "1.0.0",
        "Microsoft.AspNetCore.Mvc": "1.0.1",
        "Microsoft.AspNetCore.Server.Kestrel": "1.0.1",
        "Autofac": "4.1.1",
        "Microsoft.ApplicationInsights.AspNetCore": "1.0.2",
        "Microsoft.AspNetCore.Server.Kestrel.Https": "1.0.1"
      },

      "tools": {
        "Microsoft.AspNetCore.Server.IISIntegration.Tools": "1.0.0-preview2-final"
      },

      "frameworks": {
        "net462": {
          "frameworkAssemblies": {
            "System.Drawing": "4.0.0.0"
          }
        }
      },
      "buildOptions": {
        "emitEntryPoint": true,
        "preserveCompilationContext": true
      },
      "runtimeOptions": {
        "gcServer": true
      },
      "publishOptions": {
        "include": [
          "wwwroot",
          "Views",
          "appsettings.json",
          "appsettings.prod.json",
          "appsettings.development.json",
          "logs",
          "web.config"
        ]
      },

      "scripts": {
        "postpublish": [ "dotnet publish-iis --publish-folder %publish:OutputPath% --framework %publish:FullTargetFramework%" ]
      }
    }

  • Thank you, I believe my problem is generating the .pfx file. The example shows a different overload of UseHttps which I have tried. Commented Oct 10, 2016 at 15:44

1 Answer

To be sure that the problem is only with your certificate, try using the test certificate from the Kestrel sample.

  1. As the certificate needs a password (testPassword), use the second version of KestrelServerOptions.UseHttps(). Example from the GitHub sample:

    var host = new WebHostBuilder()
      .UseKestrel(options =>
      {
        // options.ThreadCount = 4;
        options.NoDelay = true;
        options.UseHttps("testCert.pfx", "testPassword");
        options.UseConnectionLogging();
      })
      .UseUrls("http://localhost:5000", "https://localhost:5001")
    
  2. Don't forget to include the certificate in the publish process (include it in publishOptions in project.json).

    "publishOptions": {
        "include": [
              ...,
               "testCert.pfx"
               ]
     }
    

8 Comments

>looks like you forget to include certificate to publish process (in publishOptions) -- Please clarify, thx.
thanks for the publish tip - in my case I am not publishing, just trying to get it working on IIS Express.
@Sam If your code works with the test certificate, then you can close the current question, as you have a correct configuration of SSL, and just ask/search on SO how to generate a correct .pfx file, or update the current question.
My code crashes with the same error using the test cert. Thx.
@Sam: In 99.9% of all cases you don't need Kestrel to serve the certificate and let the reverse proxy handle that (usually IIS for Windows or nginx on Linux), because you should never expose Kestrel directly to the internet, only your reverse proxy. So the encryption only needs to happen from there to the user.
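
A pre-flight check of a .pfx before it is handed to `UseHttps`, which helps separate certificate problems from Kestrel or runtime problems as the answer suggests. This is an added example, not code from the question, the answer or the Kestrel project; `PfxPreflight` and `Check` are hypothetical names, and it uses only `System.Security.Cryptography.X509Certificates` APIs available on net462.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not part of Kestrel): reports why a .pfx would be unusable for HTTPS.
public static class PfxPreflight
{
    private const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // EKU: TLS server authentication

    public static IList<string> Check(string path, string password, DateTime nowUtc)
    {
        var problems = new List<string>();
        if (!File.Exists(path))
        {
            problems.Add("File not found: " + Path.GetFullPath(path));
            return problems;
        }

        X509Certificate2 cert;
        try
        {
            cert = new X509Certificate2(path, password);
        }
        catch (CryptographicException ex)
        {
            // Thrown for a wrong password or a file that is not valid PKCS#12.
            problems.Add("Cannot open PFX: " + ex.Message);
            return problems;
        }

        // A server certificate must carry its private key; a public-only certificate
        // still loads as a "valid object" but cannot complete a TLS handshake.
        if (!cert.HasPrivateKey)
            problems.Add("No private key in the PFX.");

        if (nowUtc < cert.NotBefore.ToUniversalTime() || nowUtc > cert.NotAfter.ToUniversalTime())
            problems.Add("Outside validity period: " + cert.NotBefore + " to " + cert.NotAfter);

        // If an Enhanced Key Usage extension is present, it must allow server authentication.
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku != null && !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ServerAuthOid))
            problems.Add("EKU does not include Server Authentication.");

        return problems;
    }
}
```

Call `PfxPreflight.Check("localhostSSLCert.pfx", config["Data:SSLPassword"], DateTime.UtcNow)` before building the host; an empty list means the file opens, carries a private key, is within its validity period and permits server authentication.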