C
C#5mo ago
Core

✅ Can .NET handle SSL certificates at runtime?

Hello, I need to issue/handle SSL certificates for every domain that points to my own domain (users can add their domains to trough a Web API at runtime). Is it possible to provide certificates when requests come in from different domains?
21 Replies
canton7
canton75mo ago
I'm assuming you're planning to use something like LetsEncrypt to issue the certificates? (as opposed to self-signing or something)
Core
CoreOP5mo ago
Yes that is waht I am planning to use
canton7
canton75mo ago
ACME Client Implementations
Last updated: Jul 2, 2024 | See all Documentation Let’s Encrypt uses the ACME protocol to verify that you control a given domain name and to issue you a certificate. To get a Let’s Encrypt certificate, you’ll need to choose a piece of ACME client software to use. The ACME clients below are offered by third parties. Let’s Encrypt does not control...
canton7
canton75mo ago
There are also some more options if you google for ".net acme" Hmm, looks like some of the C# implementations on that page are tagged as "C#", some as ".net", and some are just in the "Windows" section
Core
CoreOP5mo ago
This is double, thanks. What is not yet clear to me: a https request is made towards the API to return certain entities from the database, but the API is the also the one handling the certificates. Before even the request reaches the API the secure connection (handshake) should be established between the client and server. It is only after that when the endpoint is reacted. Isn't it how it works?
canton7
canton75mo ago
If you're making a HTTPS / TLS connection, yes the certificate exchange and validation is done before anything else When you talk about "the API", is that an API accessed using your domain, or one of the domains which a user has added?
Core
CoreOP5mo ago
One of the domains which a user has added
canton7
canton75mo ago
And what do you mean by "the one handling certificates"? "handling" in what sense?
Core
CoreOP5mo ago
It should obtain an ssl certificate for a domain added by a user, and also present it to a client (e.g. browser) when the domain is reached. Since their domain points to mine, the API is reached trough their domain
canton7
canton75mo ago
Why would you need a dedicated API to give the certificate to the user? Certificate exchange happens on any HTTPS connection LetsEncrypt's HTTP-01 challenge (where you put a token in a special file, and they request that file and read the token) happens over HTTP, not HTTPS. They will follow a redirect (e.g. to a HTTPS URL), but they don't care if the certificate you give is invalid So you don't need to worry about needing HTTPS set up (with a valid certificate) in order for the certificate issuance process with LetsEncrypt to work. Otherwise it would be impossible to ever get a certificate from them! https://letsencrypt.org/docs/challenge-types/#http-01-challenge
Core
CoreOP5mo ago
Thank you so much, I will need to inform myself a bit more in this topic
canton7
canton75mo ago
$close
MODiX
MODiX5mo ago
If you have no further questions, please use /close to mark the forum thread as answered
Core
CoreOP5mo ago
Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. Does this mean the process of obtaining SSL certificates can happen on multiple threads simultaneously, since the URL has a dynamic parameter TOKEN?
canton7
canton75mo ago
I think threads are irrelevant, but yes you can get certificates for multiple domains at the same time The TOKEN is there so that the verification for one domain isn't confused with the verification for another domain
Core
CoreOP5mo ago
The certificate exchange is unclear to me. I understand that I can obtain a certificate for the domains, but what then? Shouldn't it be stored, how does the protocol know where to pull the certificate from in order to have a secure communication?
canton7
canton75mo ago
The client makes a TLS connection, and says "Hello, I would like to connect to xyz.com", and your server says "Hello, I am the server for xyz.com, and this is my certificate to prove it". They then do some crypto stuff which lets the server prove that it is the machine named in the certificate, and the client does some crypto stuff to verify that the certificate was issued by someone that it trusts, like LetsEncrypt In a server such as Apache / Nginx, you can set up "virtual hosts", which map a domain name onto a set of configuration, including the certificate (and key) to use for that domain If asp.net is the thing handling HTTPS, I'm honestly not sure how you could dynamically configure it to use different certificates for different domains. If you're using Kestrel, this looks relevant: https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.server.kestrel.https.httpsconnectionadapteroptions.servercertificateselector?view=aspnetcore-8.0 You could also have a single certificate which has all of the domains you want to secure as Subject Alternate Names, and you re-issue the entire certificate whenever anyone adds/removes a domain, but 1) This means that anyone can see all of the domains which you support, and 2) You might be re-issuing it a lot, and 3) There is a limit to the total number of Subject Alternate Names
Core
CoreOP5mo ago
I needed to go away from home, I will look into the Kestrel one once I get home. A single certificate is not the right solution. As far as I know I can configure many domain/certificate in an Nginx config, but that would be a static file
canton7
canton75mo ago
It really depends on what is doing your TLS termination Whether that's nginx, apache, kestrel, IIS, cloudflare, AWS, etc They'll all have their own ways of letting you specify the cert to use for a domain Apparently something like this exists for nginx: https://diarmuid.ie/blog/setup-mass-dynamic-virtual-hosts-on-nginx
Core
CoreOP5mo ago
Yeah, I have already tried out Cloudflare, but since they are already a reverse proxy I can't manage certificates individually, only if big bucks are paid You helped me a lot, thank you very much $close
MODiX
MODiX5mo ago
If you have no further questions, please use /close to mark the forum thread as answered
Want results from more Discord servers?
Add your server