16
votes

I am using ASP.NET Core. I have two projects:

  1. ASP.NET Core MVC application
  2. ASP.NET Core Web API application

If I attempt to access one of the Web API endpoints using Postman, I do not have any issues; the /api/values endpoint returns as expected. (This is the standard test endpoint.)

If I attempt the same operation using the MVC application, however, I get a very frustrating error:

HttpsConnectionFilter[1]
Failed to authenticate HTTPS connection

I am hosting using Kestrel for ASP.NET Core.

I have a self-signed PFX certificate I created using PowerShell, and this is the code throwing the exception:

var handler = new HttpClientHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.SslProtocols = SslProtocols.Tls12;
handler.ClientCertificates.Add(new X509Certificate2("localcert.pfx", "xxx"));
var client = new HttpClient(handler);

var content = await client.GetStringAsync("https://localhost:44301/api/values");

And I get the same error if I were to run this:

var client = new HttpClient();
var content = await client.GetStringAsync("https://localhost:44301/api/values");

My Kestrel setup is like so in my Program.cs:

var cert = new X509Certificate2("localcert.pfx", "xxx");

var host = new WebHostBuilder()
  .UseKestrel(cfg => cfg.UseHttps(cert))
  .UseUrls("https://localhost:44300")
  .UseContentRoot(Directory.GetCurrentDirectory())
  .UseIISIntegration()
  .UseStartup<Startup>()
  .Build();

host.Run();

I know I defined the certificate again for the HttpClient above, but I am desperate.

Can anyone offer some insight as to why this is happening and how I can go about fixing it, or even debugging it? I am currently in the process of stepping through the KestrelHttpServer code to see if that will offer some insight.

This is the full error I get from the Kestrel console window:

info: HttpsConnectionFilter1 Failed to authenticate HTTPS connection. System.IO.IOException: Authentication failed because the remote party has closed the transport stream. at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result) at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionFilter.d__6.MoveNext()

2

2 Answers

12
votes

The most straight forward solution I found for this problem was to remove the cert and add it with the trust flag.

dotnet dev-certs https --clean
dotnet dev-certs https --trust

PS. I know this is old but I am just going to leave this here for someone that might stumble to this issue.

3
votes

I had the same problem. After many hours of checking everything possible and even some impossible stuff, I managed to trace it back to wrongly generated SSL certificate.

I was creating mine according to this manual: How to: Create Your Own Test Certificate.

The certificate is generated using this command:

makecert -sv yourprivatekeyfile.pvk -n "cert name" yourcertfile.cer -r

where if -r is omitted, described error occurs.

Then pfx must be generated according to the manual. If one uses just cer, Kestrel will not start successfully.

I solved it by generating a new SSL certificate.