Compatibility with HTTP/3

Open MarkCiliaVincenti opened this issue 3 years ago • 14 comments

Has this been tested with HTTP/3 yet please? I'm running into issues whereby the application shuts down if I try enabling HTTP/3.

MarkCiliaVincenti avatar Nov 01 '21 13:11 MarkCiliaVincenti

No, it hasn't been tested. Please share more details about the error and how to reproduce the issue.

natemcmaster avatar Nov 02 '21 20:11 natemcmaster

I tried but failed to debug the issue. I worked around it by creating https://github.com/MarkCiliaVincenti/LetsNotWorryHowToEncrypt

This is basically a Kestrel service that listens on port 80, uses LettuceEncrypt, exporting the .pfx to the domain name requested and permanently redirecting any HTTP traffic on port 80 to HTTPS.

Then in my actual Kestrel app I just give it the path of the created pfx files, and there I can use HTTP/3.

MarkCiliaVincenti avatar Nov 03 '21 11:11 MarkCiliaVincenti

Interesting, we had this working in our HTTP/3 test setup, though I guess we didn't have an http/80 endpoint. https://github.com/sebastienros/dotnet-http3/blob/2db113755ad2adf1ebcf151721a18805e9539c67/Program.cs#L17-L22

Tratcher avatar Nov 03 '21 16:11 Tratcher

Thanks for the description. https://github.com/MarkCiliaVincenti/LetsNotWorryHowToEncrypt returns HTTP 404 for me so I don't have a repro yet. @Tratcher's comment makes me think that LettuceEncrypt should be working, but I'll leave this open in case anyone can provide a minimal repro of the problem.

natemcmaster avatar Nov 13 '21 04:11 natemcmaster

I addressed the issues in https://github.com/MarkCiliaVincenti/Tlscertificateloader instead and switched to using Certbot. Certainly LettuceEncrypt and Certes don't allow you to load HTTP/3 with full chain on Linux while also listening on port 80 to redirect traffic to HTTPS.

MarkCiliaVincenti avatar Nov 13 '21 06:11 MarkCiliaVincenti

> Interesting, we had this working in our HTTP/3 test setup, though I guess we didn't have an http/80 endpoint. https://github.com/sebastienros/dotnet-http3/blob/2db113755ad2adf1ebcf151721a18805e9539c67/Program.cs#L17-L22

Are you sure this works? I tried it (without using Docker, admittedly) on Ubuntu 20.04 (with libmsquic installed of course) and got the following:

info: LettuceEncrypt.Internal.AcmeClient[0]
      Using certificate authority https://acme-v02.api.letsencrypt.org/directory
Unhandled exception. System.NotSupportedException: The OnAuthenticate callback is not supported with HTTP/3.
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.CreateHttp3Options(HttpsConnectionAdapterOptions httpsOptions)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.TransportManager.BindAsync(EndPoint endPoint, MultiplexedConnectionDelegate multiplexedConnectionDelegate, ListenOptions listenOptions, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.<>c__DisplayClass30_0`1.<<StartAsync>g__OnBind|0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindEndpointAsync(ListenOptions endpoint, AddressBindContext context, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.BindAsync(AddressBindContext context, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.EndpointsStrategy.BindAsync(AddressBindContext context, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IEnumerable`1 listenOptions, AddressBindContext context, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.Run(IHost host)
   at Microsoft.AspNetCore.Builder.WebApplication.Run(String url)
   at Program.<Main>$(String[] args) in C:\Users\user\Source\Repos\dotnet-http3\Program.cs:line 31

And that's besides the other problem that it doesn't send the full chain as per https://github.com/natemcmaster/LettuceEncrypt/issues/229

MarkCiliaVincenti avatar Nov 13 '21 11:11 MarkCiliaVincenti

Same issue. .NET 7, latest version everything image

ghost avatar Nov 11 '22 21:11 ghost

Any updates?

SajjadToomari avatar Jan 31 '23 07:01 SajjadToomari

> Any updates?

Use https://github.com/MarkCiliaVincenti/Tlscertificateloader with Certbot.

MarkCiliaVincenti avatar Jan 31 '23 07:01 MarkCiliaVincenti

I am also experiencing this issue, with the same error message of "The OnAuthenticate callback is not supported with HTTP/3".

The error message suggests that LettuceEncrypt will need to be reworked somewhat to avoid using that callback if it is to support HTTP/3.

The source code throwing the exception can be viewed here: https://source.dot.net/#Microsoft.AspNetCore.Server.Kestrel.Core/Middleware/HttpsConnectionMiddleware.cs,507

Dotnet 7, libmsquic 2.1.7, Ubuntu Server 22.04.1 (arm64).

judilsteve avatar Mar 21 '23 03:03 judilsteve
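For readers weighing the two approaches, here is an added example of the "actual Kestrel app" half of the split MarkCiliaVincenti describes earlier in the thread (a separate process handles ACME and exports a .pfx; this process only loads it). It is not code from the thread, from LettuceEncrypt or from Tlscertificateloader. It assumes .NET 7 or later with libmsquic installed, and that the exported PFX path and password arrive through the placeholder environment variables `CERT_PATH` and `CERT_PASSWORD`. The relevant point is that it hands a fixed `X509Certificate2` to `UseHttps` instead of a per-connection `OnAuthenticate` or selector callback, which is the path the `NotSupportedException` quoted above rejects.

```csharp
// Added example: minimal Kestrel host that serves HTTP/1.1, HTTP/2 and HTTP/3
// from a pre-issued PFX and permanently redirects port 80 to HTTPS.
// CERT_PATH / CERT_PASSWORD are placeholder names assumed for this example.
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Core;

var builder = WebApplication.CreateBuilder(args);

var certPath = Environment.GetEnvironmentVariable("CERT_PATH") ?? "/etc/certs/example.com.pfx";
var certPassword = Environment.GetEnvironmentVariable("CERT_PASSWORD") ?? string.Empty;

// Load the certificate once, up front. A static certificate passed to UseHttps
// is accepted on the HTTP/3 (QUIC) binding; a callback that runs per connection
// is what HttpsConnectionMiddleware.CreateHttp3Options refuses.
var serverCert = new X509Certificate2(certPath, certPassword);

// Fail fast on a PFX that cannot actually terminate TLS, and flag imminent expiry
// so a stalled renewal job is noticed before clients see errors.
if (!serverCert.HasPrivateKey)
    throw new InvalidOperationException($"{certPath} does not contain a private key.");
if (serverCert.NotAfter < DateTime.UtcNow.AddDays(7))
    Console.Error.WriteLine($"warning: certificate expires {serverCert.NotAfter:u}; check the renewal job.");

builder.WebHost.ConfigureKestrel(kestrel =>
{
    // Plain HTTP endpoint that exists only to be redirected.
    kestrel.ListenAnyIP(80);

    // TLS endpoint offering all three protocol versions on one port.
    // Kestrel advertises HTTP/3 to HTTP/1.1 and HTTP/2 clients via Alt-Svc.
    kestrel.ListenAnyIP(443, listen =>
    {
        listen.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
        listen.UseHttps(serverCert);
    });
});

// 308 preserves the request method and body; the target port is made explicit
// so the middleware does not have to infer it from the bound addresses.
builder.Services.AddHttpsRedirection(o =>
{
    o.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    o.HttpsPort = 443;
});

var app = builder.Build();
app.UseHttpsRedirection();
app.MapGet("/", (HttpContext ctx) => $"Served over {ctx.Request.Protocol}");
app.Run();
```

Two caveats follow from the thread itself. The PFX has to carry the intermediate chain, otherwise the same incomplete-chain behaviour reported in issue #229 reappears with this layout. And because the certificate is read once at startup, a renewal by the ACME process is not picked up until this host reloads it (a restart, or a file watcher that swaps the certificate), which is the gap a combined library would have to fill.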

I hope this issue gets addressed, since I do not want to change to certbot again, but this is keeping me from using HTTP3 for quite some time now.

ArnimSchinz avatar Dec 04 '23 20:12 ArnimSchinz

> I hope this issue gets addressed, since I do not want to change to certbot again, but this is keeping me from using HTTP3 for quite some time now.

Have you tried using https://github.com/MarkCiliaVincenti/Tlscertificateloader?

MarkCiliaVincenti avatar Dec 04 '23 20:12 MarkCiliaVincenti

Without digging in too deep: Is it possible to combine both, so I must never even once use certbot?

ArnimSchinz avatar Dec 04 '23 20:12 ArnimSchinz

> Without digging in too deep: Is it possible to combine both, so I must never even once use certbot?

No this library will not do renewals for you. But there are other .NET libraries that just do the renewals for you. I created this project for personal use but put it public so that others could use it. Personally used certbot and set it once and forgot about it.

MarkCiliaVincenti avatar Dec 04 '23 20:12 MarkCiliaVincenti