27

I am using ASP.NET Core. I have two projects:

  1. ASP.NET Core MVC application
  2. ASP.NET Core Web API application

If I attempt to access one of the Web API endpoints using Postman, I do not have any issues; the /api/values endpoint returns as expected. (This is the standard test endpoint.)

If I attempt the same operation using the MVC application, however, I get a very frustrating error:

HttpsConnectionFilter[1]
Failed to authenticate HTTPS connection

I am hosting using Kestrel for ASP.NET Core.

I have a self-signed PFX certificate I created using PowerShell, and this is the code throwing the exception:

var handler = new HttpClientHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.SslProtocols = SslProtocols.Tls12;
handler.ClientCertificates.Add(new X509Certificate2("localcert.pfx", "xxx"));
var client = new HttpClient(handler);

var content = await client.GetStringAsync("https://localhost:44301/api/values");

And I get the same error if I were to run this:

var client = new HttpClient();
var content = await client.GetStringAsync("https://localhost:44301/api/values");

My Kestrel setup is like so in my Program.cs:

var cert = new X509Certificate2("localcert.pfx", "xxx");

var host = new WebHostBuilder()
  .UseKestrel(cfg => cfg.UseHttps(cert))
  .UseUrls("https://localhost:44300")
  .UseContentRoot(Directory.GetCurrentDirectory())
  .UseIISIntegration()
  .UseStartup<Startup>()
  .Build();

host.Run();

I know I defined the certificate again for the HttpClient above, but I am desperate.

Can anyone offer some insight as to why this is happening and how I can go about fixing it, or even debugging it? I am currently in the process of stepping through the KestrelHttpServer code to see if that will offer some insight.

This is the full error I get from the Kestrel console window:

info: HttpsConnectionFilter1 Failed to authenticate HTTPS connection.
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
   at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionFilter.d__6.MoveNext()

0

2 Answers

31

The most straightforward solution I found for this problem was to remove the cert and add it with the trust flag.

dotnet dev-certs https --clean
dotnet dev-certs https --trust

PS. I know this is old, but I am just going to leave this here for someone who might stumble upon this issue.


1 Comment

This has caught me out so many times! I wish I could upvote your answer every time but alas, I cannot. I am leaving this comment so that the next time it happens to me, I will be even more embarrassed.

3

I had the same problem. After many hours of checking everything possible and even some impossible stuff, I managed to trace it back to a wrongly generated SSL certificate.

I was creating mine according to this manual: How to: Create Your Own Test Certificate.

The certificate is generated using this command:

makecert -sv yourprivatekeyfile.pvk -n "cert name" yourcertfile.cer -r

where, if -r is omitted, the described error occurs.

Then the pfx must be generated according to the manual. If one uses just the cer, Kestrel will not start successfully.

I solved it by generating a new SSL certificate.

4 Comments

I'm glad you got it working. I will try this evening and hopefully share your success :)
I've still got the same issue, creating a certificate from PowerShell like here: blogs.msdn.microsoft.com/webdev/2017/11/29/…
makecert has been deprecated, and we should use the PowerShell cmdlet New-SelfSignedCertificate.
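
Both answers above come down to properties of the certificate itself (is it trusted by the machine, is it self-signed, does it carry a private key), so the following is an added example, not code from any of the posts, that prints those properties for a PFX. The class name `CertCheck` is hypothetical, the in-memory certificate is a constructed sample used when no file is given, and `CertificateRequest` assumes .NET Core 2.0 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic example (hypothetical class name); not part of the original posts.
static class CertCheck
{
    // Prints the properties that decide whether a TLS client's default validation accepts the certificate.
    static bool Inspect(X509Certificate2 cert)
    {
        bool selfSigned = cert.SubjectName.RawData.SequenceEqual(cert.IssuerName.RawData);
        bool inDate = DateTime.Now >= cert.NotBefore && DateTime.Now <= cert.NotAfter;
        Console.WriteLine($"Subject:         {cert.Subject}");
        Console.WriteLine($"Issuer:          {cert.Issuer} (self-signed: {selfSigned})");
        Console.WriteLine($"HasPrivateKey:   {cert.HasPrivateKey} (a bare .cer has none; the server needs it)");
        Console.WriteLine($"Within validity: {inDate}");

        using var chain = new X509Chain();
        // Test certificates publish no CRL/OCSP endpoint, so skip revocation lookups.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool trusted = chain.Build(cert);
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine($"Chain status:    {s.Status}: {s.StatusInformation?.Trim()}");
        Console.WriteLine($"Trusted by this machine: {trusted}");
        return trusted && inDate && cert.HasPrivateKey;
    }

    static void Main(string[] args)
    {
        if (args.Length == 2)
        {
            // Usage: CertCheck <pfx path> <password>, e.g. the question's localcert.pfx
            using var fromFile = new X509Certificate2(args[0], args[1]);
            Inspect(fromFile);
            return;
        }

        // Constructed sample: a throwaway self-signed certificate that is in no trust store.
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=localhost", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var sample = req.CreateSelfSigned(
            DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30));
        Inspect(sample);
    }
}
```

A chain status of `UntrustedRoot` means the certificate is not anchored in the machine's trusted roots, which is the condition a client's default validation rejects. `PartialChain` means the issuer certificate could not be found at all.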
