0

I have a Service Fabric cluster with a stateless service following the gateway pattern, listening for HTTP requests and then forwarding them to the business logic in the cluster. That works great. Now I'm trying to add HTTPS support. The gateway project is using ASP.NET Core 1.0 (on NET461) and I'm on Service Fabric SDK 5.1.150, Visual Studio 2015 Update 3. If I start the gateway project manually (set as startup project) then I can hit the HTTPS endpoint, but when I run it via the cluster, the port is open but the connection closes right away; I'm getting "localhost unexpectedly closed the connection." in Chrome. Here's my startup code:

    using Microsoft.AspNetCore.Hosting;
    using System.Security.Cryptography.X509Certificates;
    // UseHttps(...) comes from the Microsoft.AspNetCore.Server.Kestrel.Https package.

    // sslCert is an X509Certificate2 loaded earlier (e.g. from the LocalMachine\My store);
    // it is null when no HTTPS certificate is configured.
    X509Certificate2 sslCert = /* loaded earlier */ null;

    var builder = new WebHostBuilder();
    builder
     .UseKestrel(options =>
     {
         options.NoDelay = true;
         options.ThreadCount = 1024;

         // Bind the certificate to the HTTPS listener. Kestrel needs read access to
         // the certificate's private key or the TLS handshake cannot complete.
         if (sslCert != null)
         {
             options.UseHttps(sslCert);
         }
     })
     .UseUrls("http://*:5402", "https://*:5403")
     .UseContentRoot(System.IO.Directory.GetCurrentDirectory())
     .UseStartup<Startup>()
     .Build()
     .Run();

What may be unique is that I'm trying to use Kestrel, but I've followed a sample using this (except that the sample didn't do HTTPS). The sslCert variable is set, again if I run it with this project as a startup project in VS then I can handle the HTTPS requests.

I have configured the endpoint in the cluster, but it doesn't seem to make a difference, I can still hit the tcp port if I leave it out. Any suggestions/samples?

Haukman
  • 3,726
  • 2
  • 21
  • 33
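A quick way to tell "TCP port open" apart from "TLS handshake completes" on the gateway's HTTPS endpoint, as an added diagnostic that is not part of the question above. It connects with a raw TcpClient, then runs a client-side TLS handshake over the socket and reports which of the two stages fails. The host and port are assumptions taken from the `UseUrls("https://*:5403")` line; the certificate validation callback accepts any server certificate on purpose, because the question is whether the server finishes the handshake at all, not whether the cert is trusted on this machine.

```powershell
# Added diagnostic (not from the original post). Run on a cluster node or any
# machine that can reach the gateway. Assumed target: localhost:5403.
function Test-TlsHandshake {
    param(
        [string]$TargetHost = "localhost",
        [int]$Port = 5403
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
    } catch {
        # Nothing is listening (or a firewall drops the SYN): not the symptom in the question.
        return [pscustomobject]@{ TcpOpen = $false; TlsOk = $false; Detail = $_.Exception.Message }
    }

    # Accept any server certificate: we only care whether the handshake completes.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return [pscustomobject]@{
            TcpOpen = $true
            TlsOk   = $true
            Detail  = "Protocol=$($ssl.SslProtocol) Subject=$($remote.Subject) Thumbprint=$($remote.Thumbprint)"
        }
    } catch {
        # TCP accepted but the handshake was aborted. A server that cannot use its
        # private key closes the connection here; Chrome shows this as
        # "unexpectedly closed the connection" (ERR_CONNECTION_CLOSED).
        return [pscustomobject]@{
            TcpOpen = $true
            TlsOk   = $false
            Detail  = $_.Exception.GetBaseException().Message
        }
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

Test-TlsHandshake -TargetHost "localhost" -Port 5403 | Format-List
```

`TcpOpen = True` with `TlsOk = False` is the pattern described in the question: Kestrel accepted the socket but dropped it during the handshake, which points at the server side (typically the certificate or its private key) rather than at networking or the endpoint configuration.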

2 Answers

1

I assume you referenced a cert that was installed into a local cert store (e.g. LOCAL_MACHINE). If that's the case, make sure you have configured the correct permissions for the private key.

To cut a long story short, the default ACL on the private key does not allow the NETWORK SERVICE account to access the cert's key. When the cert is installed by Azure, only SYSTEM and Administrators are granted Full Control and Read permissions on the private key. All Service Fabric services are running under NETWORK SERVICE and therefore cannot access the private key.

The solution is to add NETWORK SERVICE and grant Read (yes, just Read, and no full control) permissions as follows:

[image: private key permissions dialog]

Happy Service Fabric programming!
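The same grant done from the command line, as an added example that is not part of the answer above. It finds the certificate by thumbprint in LocalMachine\My, locates the private key file on disk (legacy CSP keys and CNG keys are stored in different folders under ProgramData, so both are handled), adds a Read allow ACE for NETWORK SERVICE and then prints the resulting ACL so you can confirm nothing broader was granted. The thumbprint is a placeholder you pass in; the key-file locations are the standard Windows paths and the script falls back to searching under ProgramData\Microsoft\Crypto if the expected path is not found. Run it elevated on every node the gateway can be placed on.

```powershell
# Added example (not the answer's own code): grant NETWORK SERVICE Read on a
# certificate's private key. Usage:
#   .\Grant-PrivateKeyRead.ps1 -Thumbprint "<thumbprint of the gateway cert>"
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory = $true)] [string]$Thumbprint,
    [string]$Account = "NT AUTHORITY\NETWORK SERVICE"
)

$Thumbprint = $Thumbprint.ToUpper().Replace(" ", "")
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this machine" }

# GetRSAPrivateKey returns RSACryptoServiceProvider for CSP keys and RSACng for CNG keys,
# without the 'Invalid provider type' failure that $cert.PrivateKey raises on CNG keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$cryptoRoot = Join-Path $env:ProgramData "Microsoft\Crypto"
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $cryptoRoot "RSA\MachineKeys\$keyName"
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
    $keyFile = Join-Path $cryptoRoot "Keys\$keyName"
} else {
    throw "Only RSA private keys are handled by this script"
}

# Fallback: the key file name is unique, so search the crypto folder if the
# expected location does not exist on this Windows build.
if (-not (Test-Path -Path $keyFile)) {
    $keyFile = Get-ChildItem -Path $cryptoRoot -Recurse -Filter $keyName -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty FullName
}
if (-not $keyFile) { throw "Could not locate the private key file for $Thumbprint" }

# Read is sufficient: the service must use the key, not export, delete or re-ACL it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Account, "Read", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify the result: the account should now appear with Read and nothing more.
Write-Host "Key file: $keyFile"
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

A manual ACL only fixes the node you ran it on; because Service Fabric can move the service to any node, the durable fix is to let the application manifest apply the grant wherever the service lands (a `SecurityAccessPolicy` with `ResourceType="Certificate"` and `GrantRights="Read"` for the service's principal, referencing the certificate in the manifest's `Certificates` section). The script above is still useful to repair an existing node and to check what the key's ACL actually contains.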

0

I could be wrong, but at the time of writing (July 2016) I didn't think Kestrel did https.

The approach I've taken is to use an application gateway to terminate both http and https and then forward onto an HTTP socket inside service fabric.

I know it doesn't answer your question explicitly, but I think it is the correct solution.

Nick Randell
  • 17,805
  • 18
  • 59
  • 74
  • 1
    Kestrel does support HTTPS nowadays. http://dotnetthoughts.net/how-to-setup-https-on-kestrel/ And the above answer works for us (using Kestrel). – Haukman Jul 07 '16 at 21:17