I am in the process of upgrading my .NET Framework application (UI and API) to use .NET 7.0.
I have just deployed my application to my production server and I am met with an issue.
As I am using app.UseHttpsRedirection(), when I browse to my website locally on the server on the localhost URL it is not finding a valid certificate and I am having to proceed when prompted in the browser for the page to become available.
In my previous .NET Framework version, there was no setting for UseHttpsRedirection and I could browse to my application over HTTP just fine. When accessing my application outwith the server from a browser, I am using an AWS ELB to handle traffic to the site with a listener on HTTPS; I have imported my SSL certificate into the cert manager in AWS and referenced it in Route 53 in the DNS record for my site, which works fine.
Unfortunately, when AWS tries to redirect to the latest version, the application is timing out and I am perplexed as to why.
I have tried to create my certificate again as a pfx and import it into IIS on the prod server; however, when browsing over localhost it says the cert is not valid. I can only imagine this is because the cert is exclusive to my domain name? But is this even a necessary step?
I removed the app.UseHttpsRedirection(); and also modified my launchSettings.json to remove the https start URL (to try and mimic the Framework version). On doing this, when AWS redirected me to my app, the starting URL was over HTTP (and timed out); however, when I modified the URL to use HTTPS I saw my app! I don’t understand why my .NET Framework app worked without any modification and was always served over HTTPS outwith the server, but the latest upgrade doesn’t have the same behavior?
I have rolled back to my previous version until I figure this out.
2 Answers
It depends on how you are serving your application.
If you are using the default Kestrel, you will need to configure it in your appsettings.json.
If you are using IIS, did you bind the HTTPS port with a valid certificate imported into the Windows certificate manager?
Other than that, I am not sure what your AWS infra is; are you using ELB/API GW/EC2/etc.?
Route53 is a DNS service, not related to your certificate.
That is expected: If you are browsing to the site using localhost or the server’s local IP, the certificate is not going to be valid because it is issued for your domain name, not for localhost or an IP address. It does not affect users accessing the site via your domain name.
That means the HTTPS termination was handled at the level of the AWS Elastic Load Balancer (ELB) in your previous setup.
The SSL/TLS certificate was installed on the load balancer, and the load balancer was responsible for encrypting and decrypting traffic to and from the client. This is a common pattern and is generally recommended because it offloads the computational overhead of SSL/TLS encryption/decryption from the application servers.
When a client connected to your website, the connection would be over HTTPS to the ELB. However, the connection from the ELB to your application servers could be over HTTP, which is why you did not need to use UseHttpsRedirection in your application.
With your upgrade to .NET 7 and the inclusion of UseHttpsRedirection, the application is now enforcing HTTPS for all connections. This could be causing issues with the way traffic is routed between the ELB and your application servers.
If you want to maintain the previous behavior, where HTTPS is handled at the ELB level and HTTP is used between the ELB and your servers, you might consider removing the UseHttpsRedirection middleware from your application.
Remember that this approach is fine from a security standpoint as long as the traffic between the ELB and your application servers is within a secure network, such as within an AWS VPC. This is known as SSL/TLS termination at the load balancer.
However, it is also worth noting that .NET 7 has introduced the ability to specify separate HTTP and HTTPS profiles (as illustrated in dotnet/aspnetcore issue 44722), which might give you more flexibility in managing your traffic patterns.
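
Added example, not part of either answer or of the asker's project: a Program.cs sketch for the setup described above (TLS terminated at the load balancer, plain HTTP to the app) that keeps UseHttpsRedirection but lets it decide from the X-Forwarded-Proto header the load balancer sets. The 10.0.0.0/16 network, the /healthz path and port 443 are assumptions to replace with your own values.

```csharp
// Program.cs (ASP.NET Core 7, minimal hosting). Added example, not from the thread.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Take the original scheme and client address from the proxy headers.
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

    // By default only loopback proxies are trusted. Trust only the subnet the
    // load balancer nodes sit in, so a client that can reach the app directly
    // cannot spoof X-Forwarded-Proto or its source address.
    // 10.0.0.0/16 is a constructed placeholder: use your own VPC/subnet CIDR.
    options.KnownNetworks.Add(
        new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("10.0.0.0"), 16));
});

// The redirect must point at the public HTTPS listener on the load balancer,
// not at a local Kestrel/IIS HTTPS binding (assumed here to be 443).
builder.Services.AddHttpsRedirection(options => options.HttpsPort = 443);

var app = builder.Build();

// Must run before any middleware that reads Request.Scheme.
app.UseForwardedHeaders();

// "/healthz" is a hypothetical health-check path. A probe that arrives over
// HTTP without X-Forwarded-Proto would otherwise receive a 307 instead of 200.
app.UseWhen(
    context => !context.Request.Path.StartsWithSegments("/healthz"),
    branch => branch.UseHttpsRedirection());

app.MapGet("/healthz", () => Results.Ok());
app.MapGet("/", (HttpContext ctx) => $"scheme seen by the app: {ctx.Request.Scheme}");

app.Run();
```

With this in place, a request forwarded with X-Forwarded-Proto: https is treated as HTTPS and served directly, while one forwarded from an HTTP listener is redirected to the public HTTPS URL.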