Custom HTTPS Dev Environment using .NET Core, Kestrel & certificates

The use of HTTPS by default has been increasing year-on-year across the world's top websites, to such an extent that HTTP probably won't be used that much, if at all, in the not too distant future. So as a developer you have a duty of care to understand and know how to work with HTTPS within your local development environment. In today's video I take you through how to set up a custom local domain that uses HTTPS for all your ASP.NET Core web applications. [Music]

Well, hello, wherever you are, whenever you are. It's me from Melbourne, Australia as usual, and when is it? It's July 2020. I hope wherever you are and whenever you are, I find you happy, safe and well. Now as I said in the introduction, today's video is all about setting up HTTPS within your local development environment, and you may already be doing that today using localhost, but in today's video I show you how to configure a custom local domain with HTTPS in order to run your ASP.NET Core web apps. So if that sounds interesting, stay tuned. Just before we launch into the main part of the video, a huge thank you for stopping by. If you like the video (maybe wait until you're a bit into it before you make that decision) then please give it a like. If you've not done so already, maybe think about subscribing, ding the little bell and you'll get notified of all the new stuff I put up. And to my Patreon supporters who go that little bit extra, a huge thank you to you as well, and of course as usual your names will be appearing at the end of the video. But I think that's enough by way of an introduction; let's jump into the video.

All right, well, welcome to episode 4 of season 3, and as mentioned today we're going to be talking about setting up HTTPS with your ASP.NET Core apps. So just an overview of today's tutorial. Just before I go on I will say the usual things: if you want to jump straight to a specific section that I'm going to overview in a minute, there are links below, so you can just jump straight to that part of the video, okay, saves you a bit of time if
you don't want to watch the theory part of it. And I have written a blog article as well, so if you prefer the written word, jump over to the blog and take a look at that. In the description below I've also put links to a couple of other articles, which I think I've linked to in the blog as well, if you want a bit of a deeper dive into the mechanics of HTTPS and also public and private keys. There's a great article I recommend you read if you don't really understand it fully. We'll talk a bit about it in today's video but not in massive depth. And as usual the code is available on GitHub.

So yes, I'm going through the overview right now. I'll take a quick demo of what we're going to build in a minute, and then I'll take you through the ingredients and tooling required to follow along. Then a very high-level HTTPS overview: just what HTTPS, SSL and TLS are, what certificates and authorities are, and a bit of an interaction diagram on how HTTPS hangs together. We'll then move into the practical part of the tutorial. We'll scaffold up a very simple out-of-the-box .NET Core API, we're going to use something called dotnet dev-certs to set up a local self-signed certificate, and then we'll talk a bit about the drawbacks of that, hence why we're doing this video. So then moving on to the main part of the video, which is custom domains: setting up our custom domain, so we'll use the hosts file to do that, we'll talk about DHCP, and we'll also create and install our self-signed certificate (try saying that after a few drinks). Just a word of, is it warning? I don't know, but this is a Windows sort of centric tutorial, so by that I mean we actually use PowerShell to create our certificates. You can use other tools like OpenSSL to do exactly the same thing; I'm just not covering that today. So if you're a Linux or OS X user you may have to do a little bit of side reading on how you create a self-signed certificate in OpenSSL, for example. I might actually, in fact, if I can find a good article, I'll put it
in the description below as well for you. Next part of setting up our custom domain: we'll talk a bit about user secrets and configuration in general, as well as HTTPS redirection, and then probably the most interesting part of the tutorial: we'll actually load our self-signed certificate for our custom domain, we'll load it into the Kestrel web server at the start of our application, or as our application starts, should I say. And then final thoughts and wrap up.

Okay, so let's move on and I'll give you a quick look at what we're going to be working with, or what you'll end up with by the end of the video. So what we're going to do is, step by step, we'll set up an out-of-the-box Web API, .NET Core Web API, and if you've done that before you'll know you just get the standard template project that returns back randomized weather data in a JSON payload. So we're just going to use that, but the important point of this video is you're going to run that over HTTPS using a custom domain, so not using localhost, which you may have done in the past, but using a custom domain, and there's reasons, which I'll come onto later, why you would want to do that. So just to give you a quick look at what you'll end up with: HTTPS obviously, custom domain name, in this case I've just decided to call it weather.io, you can call it anything you like, and then we just call it in the same way as we would otherwise. But the important point is we have this custom local domain in our development environment. Clicking on the icon we can see we've got a secure connection and we have a valid certificate issued to weather.io by weather.io, so it's a self-signed certificate. So that's what you're going to learn in this video. Let's move on to the next bit.

Okay, so the ingredients you'll need if you're wanting to follow along with this video: VS Code text editor, or any text editor, but I do highly recommend VS Code; .NET Core SDK version 3.1; PowerShell to create certificates; and a web browser is all you will need. If you want to use
something like Postman, that's fine too.

So just one slide on what is HTTPS: Hypertext Transfer Protocol Secure. So it's basically just regular old HTTP but with added security, specifically data encryption. Originally that data was encrypted using something called SSL, Secure Sockets Layer, and today it's now provided, or should be provided, by something called TLS, which is Transport Layer Security. Now all those things do is they encrypt the data; it's the protocol to encrypt the data over HTTP. The only reason I mention that here is you'll hear those two terms used interchangeably, which may technically not be correct, but you know, they are the same thing, doing the same thing, just doing it in a slightly different way. So I'll just call that out: you will hear people refer to one when they really mean the other; specifically they will really be meaning TLS, not SSL.

All right, so let's talk a little bit about certificates and certificate authorities, or certification authorities. So what is a certificate? First of all, basically it just aims to prove the identity of someone, and that someone in this case is a web server saying "I am lesjackson.com, here's my certificate to prove that I am lesjackson.com", and it's not some malicious man-in-the-middle masquerading as lesjackson.com. Now in order for this to work, certificates aren't generated by the endpoints themselves; they are generated by a third-party trusted authority called a certification authority, and there's a number of those hanging around today. They are third-party companies that are trusted. Now in today's video, just to contradict myself, we are actually going to be issuing the certificate on our own behalf, because we're just running in our local development domain, so hopefully we basically trust ourselves. But unfortunately, out in the real world that would not fly; you would need to go to a certification authority to get a certificate that you would then issue to your clients,
in this case web browsers. So clients need to trust these authorities. So you get a certificate, it's been signed by some certification authority; if you don't trust them then again the whole thing breaks down, so you need to trust these people. Now trust is nothing more complex than, you know, are these institutions secure, are they free from, you know, interventions, third-party oversight, anything like that. And in some instances certification authorities have been breached, they have had security incidents, and basically what that meant was any certificates that they issued were invalid, because you couldn't really then guarantee that they hadn't been tampered with or anything like that. So trust is absolutely critical in this whole dynamic.

So what does a certificate contain? We'll go through this in more detail when we come on to it practically. It will contain the domain name, and we're going to create a custom one today; the issuing authority, so that'll just be whoever was issuing it, Verisign, Comodo and all these kind of guys; what the certificate authorizes you to do, so does it identify you as a client, does it identify you as the server, or does it do both; issue and expiration dates; and as I mentioned before, public and private keys. We'll look at that when we talk about the interaction diagram, and as I've said before I'm not going to delve into that too much in today's video. There's an excellent article that I've put in the description below that takes you through how that all works, and I highly recommend that you take a look at it.

So just very high level, what are keys? A key is really just a long string. So you can see on screen here the certificate that gets issued down to the client will contain the public key, and you can see here it's just a long string, a strong string basically, and it's used to encrypt and decrypt the data. Now public keys, as the name would suggest, are shared with anybody. So when you get a certificate down as a client you are given that public key, and you then use
that public key to encrypt the data which you send back over the wire to the server. Now the only way that that data can be decrypted is using the private key. So private keys are retained only by the endpoint; they must be kept secret, which we are going to endeavor to do here today as well in our demo, and they are the only key that can unlock anything encrypted by the public key. So, so long as the private key's been kept secret and it's not been shared with anybody, that's basically what gives you that secure connection, certainly from a client to server perspective. The other way around, obviously, the server will encrypt data back over the wire using the private key, and anybody with a public key can then theoretically decrypt that data.

Okay, so just a little bit on how HTTPS works. Client, in this case a web browser; server, a web server, obviously. So for an HTTPS connection the client will send, essentially a bit of a handshake, will send a hello message along with things like the TLS version that it can support, the cipher suites, which are basically just the set of algorithms that it can support to encrypt data, and something called the client random. Don't worry, we're not going to go into too much more level of detail about it, but it becomes relevant a bit later. The server will then send back a very similar type of handshake-type information. They're basically just trying to agree on what we're going to use by way of securing the connection. So again it will send back what cipher suites it supports; at this point it will also send back the certificate, which contains the public key as well, along with something called the server random. The client random and the server random are basically just strings, random strings as the name would suggest, and these are used later on in the interaction. Now, on the client end we've just received a certificate. Now at this point this is when the browser will actually check its certificate store to see whether it trusts that certificate, and
we'll do that when we come on to actually doing the practical demo, one shown just here, but basically it's just a list of people it trusts. Okay, and assuming it trusts one of these issuers that has issued the certificate, the client in this instance will then send something called the premaster secret, which is encrypted with the public key. Now remember when I was talking about public and private keys: you've encrypted some data (again that's really just randomized data) encrypted with this public key, because you trust the certificate, and the only person that can decrypt that data now is the holder of the private key, in this case the server. So the server will get this encrypted bit of data and will decrypt it using the private key, and then at that point the two endpoints, the client and the server, using the client random, the server random and this premaster secret in conjunction (they've exchanged a number of bits of data now), they will then create something called session keys, which allows then for the secure flow of traffic. They've very effectively established a trusted secure connection, and then the data just flows between the two. Now really in terms of this video all we're really going to be looking at is this bit here, the checking of the trusted certificate, but I just thought it was worthwhile going through a bit of that interaction diagram: a bit of a handshake establishing what they can use, a bit of an exchange of data, making sure the certificate is trusted, and then data being encrypted and decrypted using public and private keys.

Okay, so we're going to go on and scaffold up the API we're going to use throughout the rest of this tutorial. So I'll just move into my working directory on my D drive and change into episode 4. So just before we get going, a quick dotnet --version, just to make sure you have .NET Core installed. So I'm running 3.1, which is what we want. If you don't have that then just Google ".NET Core SDK download" and follow the
instructions. So to scaffold up a new Web API it's dotnet new, and then we pick the template we want, which is webapi, and we give that a name using the -n flag. Call it anything you like; I'm just going to call it HTTP test, and that will go away and create our application for us. Okay, cool. So a quick directory listing and you'll see the folder for our project's being created. So I'm just going to open it in VS Code using code -r to open it recursively, and HTTP, the name of our folder, and that will open the project in VS Code. You'll probably get a little pop-up asking you to restore some artifacts; just click yes, you'll only get that once.

All right, now I'm not going to go through the Web API in huge amounts of detail. We're going to go through certain bits obviously in detail when it comes to the relevant sections, but generally I'm not going to go into what controllers are and stuff; I would expect you know that already. If not, I've done plenty of other videos on Web API, so check those out. But what I'm going to draw your attention to is this Properties folder and the launchSettings.json file. In here basically there's a number of profiles that basically tell an application how it's supposed to start at startup, depending on where it's started from. So if you're running this from within Visual Studio it will pick a particular profile; if you are going to run it, as we are, at the .NET Core command line, the dotnet CLI, it will use this profile here. Okay, now before we run it up I just want to draw your attention to this line here. We have an application URL, and that's basically telling our Kestrel web server, which is our development web server, how it should start and what it should start listening on, and what address it should start listening on. Now you can see we have two entries, one for HTTP starting on localhost on port 5000 and likewise for HTTPS, localhost on port 5001. I'm just going to take this out, okay, and you can see that they're
separated by a semicolon. So I'm just going to take the HTTPS entry out, Ctrl+X and then Ctrl+S to save, so make sure that's saved. So now we only have the HTTP entry, and we've removed HTTPS. So let's get our command line up and running, and that was Ctrl+apostrophe, and it's the apostrophe key directly under your Escape key. And if we do a dotnet run to run up our Web API, it will go away and run up, and you can see now that the Kestrel web server has started and it is now listening on localhost 5000. Again, just to reiterate, we removed the HTTPS entry. So Ctrl and then click on here, and it will start your default browser, in my case I'm using Edge Chromium. Now it's saying the page can't be found, because we do need to put in the name of the controller, which in this case is weather forecast, and all that will do is it will retrieve back some randomized weather data, not relevant to today's tutorial, but it's all working. Clicking on this little information "i" you can see that the site is not secure, because we're just using HTTP. That's all good, all as expected. Nice.

So let's get rid of that. That's Ctrl+C to kill our web browser, to kill Kestrel, and if we go back into our launchSettings.json file, if we do Ctrl+Z that should put back our last change, which was to delete the HTTPS entry. We've put it back, and make sure you Ctrl+S to save. Excellent. And we'll try and run our application again. Not surprisingly we get a horrible critical error, and if you take a look at the exception you can see we were unable to configure the HTTPS endpoint: no server certificate was specified, and the default developer certificate could not be found or is out of date. So that is really important, okay. So what you can do, and it even actually tells you how to do it: it says to generate a developer certificate run dotnet dev-certs https, and in fact you actually have to run this one here, dotnet dev-certs https --trust. So just copy that, and what that does is it will actually generate this developer
certificate for use with localhost. Just before we run it I will bring up the certificate management tool, so type "cert" into your search box down here, open up this management tool, and we're going to do a bit of work in here as well, and we're going to have a look at the various things in here throughout the tutorial. Now this section here, Trusted Root Certification Authorities: if you go in here and click on Certificates, when I was talking in the intro about trusted certificates, this is where they sit, okay. Now if we go down here and look for something called localhost, we don't have anything like that. I've got one called local shop, which is what I created for another project, ignore that for now, but there is no certificate, trusted root certificate, for our localhost, okay, and that's why we're getting this error.

Right, so if we go back down to our command line and we paste in that command, dotnet dev-certs https --trust, you will get the security warning, and what it's saying is you are about to install a certificate from a certification authority claiming to represent localhost. So it's a self-signed certificate that we are basically running ourselves, and saying we are authorizing localhost to run on localhost, and do you want to install the certificate? Yes we do. Now if you go back over to our cert manager plug-in and do a refresh and scroll down, you will see here that as if by magic we have this new certificate installed, allows server authentication, and the friendly name, if we just extend that a little (but actually let me open this up, I'm running at too high a magnification). If you go to the certification path we can see it's an ASP.NET Core HTTPS development certificate, which is what that string was there. We can see we're authorized to identify ourselves on a remote computer, so when I was talking earlier about certificates being allowed to do certain things, that's what I was talking about. If we go and look at this other one, actually, it will have "ensures the identity of remote
computer", also has "proves your identity to it", so slightly different anyway. And this is the one we've created, that sort of development certificate issued to localhost by localhost, so self-signed. Now if you do an up key, up key, dotnet run, everything's running and you can see here we're now listening on HTTPS. So Ctrl+click it; it will again fail because we need to put in the name of our controller, so weather forecast. This time it works, and we have the secure padlock: connection is secure, running on localhost, certificate is valid, and again clicking on that will just bring up the valid certificate.

Now you may be wondering, that's great, isn't that all we need? Actually, do you know what, yes it is. Now, for the most part this is all I ever use and it works fine. The whole point of this video though, how it came about, I'll tell you the genesis of it: I was using another piece of software, legend, which I'm making another video for, that required you to put in the domain name of an API endpoint, in this case it was where we're going to route through to. Now I used localhost and the whole thing didn't work, and doing a bit of reading into the documentation of a solid piece of software, it said that localhost was not an acceptable domain name to put in in this instance; you had to either put in an IP address or a valid domain name. So that's where this video came about from. localhost as a domain name can be treated differently by web browsers and other applications; it's a kind of special edge-case type of domain name, and in the case of the application or the software I was using it wasn't an acceptable domain name to use; it needed a proper domain name, hence the reason for this video. So in the sections that follow, that's cool, dev-certs is excellent, but now we're actually going to come on to create a custom local domain, create our new certificate, which is a little bit more complex than what we just saw there, install it and load it into Kestrel. Cool.

Okay, so the first thing we want to do by
way of creating a custom domain is to update our hosts file, or local hosts file. What is a local hosts file, I hear you say? Let's open it up, and it's probably easier for me to explain it that way rather than doing it up front. Now we're going to open it in Notepad, just regular old Notepad, but you'll see here I want to run Notepad as administrator, because we won't be able to update the hosts file if we're not running as admin. So File, Open. Now I'm already at the correct location because I've been playing around with this obviously, but for yourselves on Windows, find your Windows directory, usually on the C drive, System32, drivers, etc, and just make sure you have All Files selected. Now you'll see here it looks like there's a couple of hosts files. If you have this one here, .ics, that's for Internet Connection Sharing or something like that; do not update that one. It's the other one we want, and I don't believe it's even got an extension. So we'll open up that and take a look, and you can see here that I've got Docker installed; you can see here Docker's actually put in a couple of entries for itself, and what you'll see is the IP address of the local machine, my PC in this case, and then this internal domain name that it wants to use, and it's got another entry there. So we're just going to do something exactly the same.

First thing we need to do is find the IP address, which is actually this to be honest with you, but I'll just show you how to do that in the interest of completeness. So on Windows, ipconfig. Now if like me you've got VirtualBox and Docker installed you'll probably have a lot of different network LAN adapters; make sure you pick the right one, and in my case I'm going to pick the physical wireless LAN adapter, and you can see here, here's the IP address, which should probably look familiar from the hosts file, and we'll just paste that in here, and then we can give it a domain name, anything we want. So I think we said we're going to use weather.io, and that's
it. So just make sure you save the file, and that's how it's got an entry in our local hosts file. Now the only thing to bear in mind here is that if, like me, you're using DHCP, which is Dynamic Host Control Protocol, from time to time the lease, as it were, on this IP address may expire, and the PC, even next time it connects to the network, may get a new IP address. Now that doesn't happen usually every day; that will happen once every lease period, whatever that happens to be, three months, six months or whatever, and you may get the same IP address back, but you may not. So just be aware that the IP address you put in your hosts file may change, and so if things stop working just check your IP address like we did previously. Cool.

So the only other thing we need to test before we move on to creating certificates is just to do a quick ping test, so ping weather.io, and there we go, it's resolving to our local IP address, we're getting a response back, we're all good. Actually, just before we do move on to creating certificates, the whole reason for bringing this blog article onto the screen is just to quickly talk about host name resolution order. Now, like we did there with the ping test, the first thing the PC will do is check to see whether its local name is being used, and it will resolve to the IP address that way. If it's not this local name, its own name, then it will look in the hosts file, like what happened there, and that will resolve it to the IP address we gave it. If not, then it will go to the DNS servers that your ISP is using, and then it will try and resolve weather.io out there in the real world. And then in Windows' case it uses something called NetBIOS, which is an old throwback to Windows NT days, which we don't need to talk about. The only reason I'm really mentioning that is just be aware, if you update your hosts file then it comes before your DNS server check, so you could potentially end up with some
really weird results if you're not very careful. So I just wanted to call that out: just be careful in terms of the order of the resolution of DNS name to IP address. Other than that I think we're ready to move on to looking at certificates now.

All right, so the next thing we want to do is actually create our certificate. Now we're going to do that using PowerShell, so it's important that you have PowerShell available. Now you have to run your PowerShell session as an administrator; in the same way that you had to run Notepad as an administrator to edit your hosts file, you have to run your PowerShell session as an administrator as well. Now I'm using this thing called Windows Terminal, so I'll just search for it again, right click, Run as administrator, click yes, and then we've got to type in a number of commands to generate our certificate, which is what I'm going to take you through now. So we're going to make use of local variables, because it's a multi-stage process, so these variables just help us out. So the first one we're going to create is to hold our certificate, so cert equals New-SelfSignedCertificate, and this is the PowerShell cmdlet to, no surprises, generate a new self-signed certificate, and there's a few flags we have to pass in here. So CertStoreLocation, just give it the location cert:\LocalMachine\My. That's just basically a path to (I've still have it running, I should, I don't, close them in between takes, yeah) it just gives a path to where our certificate is going to sit. But more importantly we want to specify a DNS name, and this is where we specify weather.io or whatever custom domain you want. So it's basically saying you want a new self-signed certificate, you want it at this location, and this is the DNS name that we want to verify it for, in this case weather.io. So hit enter and that will go away and create that. If we just sort of look at the variable you can see that this certificate has now been created, and there is a thumbprint associated with
it, a subject, which is basically the DNS name, and a number of things that it allows us to do. Now at this stage, interestingly, where that actually goes: it goes into this intermediate (let me expand that so you can see it) Intermediate Certification Authorities, Certificates, and if we scroll down here you can see it's been created down here. But we're not quite finished yet; you can see it's not trusted yet, so we need to move this into our root certification authorities, but we've got a couple of other things that we need to do before we do that.

All right, so we've got it within this intermediate stage at the moment, so the next thing we want to do is password protect it. Now as I said before, as a consumer, or as somebody who's given this certificate when you make an HTTPS request, you'll have access to the public key, but there is also a private key associated with it as well that we need to make or keep secure, and we secure it using a password, okay. So that's what we're going to do next. So another variable, password, and we're going to use another cmdlet called ConvertTo (unfortunately there's no IntelliSense or auto-completion here, or at least I don't think there is) ConvertTo-SecureString, String, and we'll just give it a password, so make sure you remember what you call it, and it's in between double quotes, Force, AsPlainText. Okay, come on. That should create a password for us, again stored in this password variable. We already have our cert created as well.

Next thing we want to create is a cert path, so we use this in our final command when we export our cert out, and again it looks quite similar to what we've already specified above: cert:\LocalMachine... LocalMachine\My. I could have just cut and pasted this in; I didn't want to do it, I wanted you to share my pain. And so we then here specify dollar sign making this nothing where things are, and then we provide in the actual cert, so again dollar sign cert to reference that, and then we want to reference this thumbprint,
so just making a copy of that, okay, so thumbprint, so object-oriented notation, and that will create our path. Very important that we don't overwrite ourselves, so this is our certification path, and again we're passing in the full name of our certificate using the thumbprint. So that all looks correct. Cert path, and if you have a quick look at that it will give you, yes, cert:\LocalMachine\My and then the name of the thumbprint. Awesome.

And then finally all we want to do is export the certificate there for use, and we can use it in various other places. So our last cmdlet, Export-PfxCertificate. What is the cert? We'll be passing the cert path, and then we pass in where we want to export it to, so I'm just going to export it into the root of my D drive for the moment, and I want to give it a name, and we'll call it weather.pfx, and most importantly we provide this password that we created previously, and we pass that in. So let me just double check that before I hit enter, to make sure it looks correct: Export-PfxCertificate, we pass in the certification path where we can find that certificate, yeah, that's good, we pass in the file path we want to export it to, and we give it a password. Cool, and that all looks good. So if we go back to my D drive, actually let's just use the command line, you should see this weather.pfx certificate file. If you want to have a quick look at that on here you will see we have a weather.pfx file ready to be used by Kestrel, ingested, and then we will start issuing HTTPS traffic using that certificate on our local custom domain, and we'll do that next.

All right, so just before we move on to coding, something very important that we do need to do before that is to make sure that this certificate, our self-signed
certificate, is actually in our Trusted Root Certification Authorities. So very simple to do, very easy to do: just right-click Certificates, All Tasks, Import, Next, browse to our file name, and we can see here that we need to change this to the PFX type extension, select weather.pfx, Open, click Next. Now this is what I was saying before about the private key: we want to make sure that as the owner of the private key, the server in this instance, we keep that secret. Now if you remember, when our client, our web browser, sends us information they encrypt it using the public key, and the only person that can decrypt that information (so really sensitive information like credit card details or other personal information) is the person with the private key, so that's why we have to keep it safe and secure and password protected. Okay, so if someone else gets hold of this certificate it means they can't just install it on your server; they have to know what the password is. All right, so we can remember the password, looks correct, keep all other options the same. You can select where you want to import it to, but because we right-clicked from here it has the right location, which is good, and we just click Finish, and you'll get a very similar warning like we got with the dev-certs tool. Just click yes. Import was successful. So in our Trusted Root Certification Authorities we should have weather.io. Open it up, and it proves your identity to a remote computer, ensures the identity of a remote computer, issued by weather.io, issued to weather.io. All good.

All right, cert is up and running. Now we can move over to our API and do a little bit of coding to make use of this certificate. All right, so let's move back over to our API project. Now the next thing we're going to do is use something called user secrets. Now I felt it was appropriate to use user secrets as part of this tutorial, because what they allow you to do is keep certain bits of information completely secret to you
as the developer on your local development workstation. And why am I talking about this? Well, when we come to ingesting the certificate that we've just created into Kestrel, we need to supply the password, like we did with the import into the root certificate store. Now, we could store that password as plain text in appsettings.json or appsettings.Development.json, but that's really, really bad practice, because it means anybody who has access to your source code has access to your certificate password and then, in turn, has access to your private key. Really bad idea. So even in a development environment I think it's really worthwhile getting into the practice of making sure that you use user secrets to wall off that information into a location that's accessible only to you as a developer in terms of your file system. So basically it's just a JSON file; it's still plain text, but the only person that can get to it is you, based on your Windows login profile. Okay, so very important, and I think we should adopt it here. So while it's not strictly necessary to get this working, in terms of best practice I think it's something we need to do.

So enough of my rambling, let's move over and get it working. So move over to the csproj file, and then here we need to add a couple of tags, UserSecretsId, and we will paste that in and close off; make sure you terminate that. Now, what we need to put in between these tags is a unique ID, and you'll see where this comes into play in a minute. Now, you can do this in a number of ways. You can just Google "generate GUID", but I've actually installed a little extension in Visual Studio called Insert GUID. It's very useful; I recommend you use it if you want to. And the way you use that is you just place your cursor in between these two attribute tags here, hit F1, type "insert GUID", select it, and you can see it automatically generates a list of GUIDs for you. Fantastic. So we'll save that off, and now you're going to find me to do that let
stick a pin in it for a moment; we'll come back to it. So basically what this is saying is we've got a unique ID for our project and for our user secrets. And then the next thing, and the final thing we really have to do, is use the user secrets management tool to generate a user secret. So dotnet user-secrets set, and then all we do is give it a key or name, so we'll call it cert password (that can be of course anything you like), and then we give it a value, which will be a password, or should be a password, and you can see everything is in double quotes. So just to go over it again: dotnet user-secrets, which is this user secrets management tool, and we're going to set a new user secret. Hit Enter, and you can see here we have successfully saved this user secret to the secret store.

So where is the secret store, I hear you ask? Great question. So let's just open up Explorer; make sure you have hidden items ticked, because it is in a hidden folder. So C drive, Windows... no, it's not. C drive, Users, that's right, and in my case Les J, that's my particular user ID, AppData, so this is the hidden folder, Roaming, I think it's Microsoft next, this is really testing my memory here, and then UserSecrets. There we go, UserSecrets, okay, cool. So just to go back over that again: C drive, Users folder, whatever your personal, you know, profile folder is, and that means any data under that is unique to you. So if somebody else logs into this PC using a different username, they will not have access to this data, okay, unless you give them your password, which I don't recommend you do. So yes, Les J, AppData, which is hidden, Roaming, Microsoft, UserSecrets, and then you can see here there are a number of different GUID-named folders, and no surprises, you can imagine that in each of these I have a different secrets.json file for all the different projects I've been working on. So if we just go to this one here, which is 2 8 c 7, and we find that it is here, and we open this up in, I don't know, so probably but
you'll cord, you can see here secrets.json; there's just one key in there, one key-value pair in there: cert password, password. Excellent. So that's user secrets set up; in terms of retrieving that, we'll come on to that next.

So actually, just before we come on to using the user secrets in our code, we do actually need to add another config element. Now this time I'm just going to put it into one of our appsettings JSON files, because it's not a particularly secret bit of information. So all it is is the path to our certificate. You can remember that we had our weather certificate here in the root of my D drive; we just need to provide the path. Again, when we're coming to ingest the certificate into Kestrel we need to give it a file path location. Now, there's nothing to stop you from adding another user secret and putting it in there, nothing at all to stop it, but in my view that's not really a secret bit of information, so I'm going to put it into one of my appsettings JSON files. And because we're really focused in this tutorial within a development environment, I think it's appropriate putting it into the appsettings.Development.json file; it's not a production bit of config. So in appsettings.Development.json, just a comma in there, and we're going to create a new, again, key-value pair, and we'll call it cert path, and we'll just give it the path value, in this case D drive, got to do a double backslash to escape it in JSON, and just the name of the file, pfx. So let's just go back into go sub D anywhere the pfx. Okay, cool. All right, so we'll save that.

So basically we have got two bits of config, the path of our certificate and the password of our certificate, which are both stored in separate configuration resource locations. All right, so the next bit and the final bit of our project is we just need to update our code to ingest the certificate that we've created. Now there's a number
of different ways you can do this. I've gone for this approach; I think it's the most simple, straightforward approach, I think it's relatively easy to understand, and it works, so that's why I'm leaving it. So we're going to do all of our work in our Program class, which is quite unusual; I don't usually do a lot of work in the Program class, but I do want to update this CreateHostBuilder method, and that's basically, if we don't override, the defaults that we usually get with Kestrel. So instead of using the default development certificate for localhost, we're going to tell it to use our new certificate.

Now before we do that, this is kind of optional, but I just think it looks a bit nice, so we're going to create a basic, simple static class just to contain our two config elements. So public static class, call it host config, and it's just going to contain two properties: string, and we'll call it cert path, and I'll actually need to make it static, and another property for the cert key, another string. Goodness, it's actually quite cold today; we're going into lockdown in the middle of winter, my hands are cold, that's my excuse anyway, fingers can't move properly. Cert password, and again we need to make that static as well. Okay, cool. So just a very simple class; we're going to then read in our config and populate our host config class with those elements.

Okay, so the next thing we want to do, as I said, is we want to read in our config, our two config elements, one in secrets.json and the other one in appsettings.json. Now the great thing about the .NET Core configuration API is that you don't actually have to specify that one's in user secrets, that one's over in appsettings.json, that one's an environment variable; you don't need to specify that. All you need to specify is the key value of your config item and the .NET Core API kind of figures out the rest. Now there is an order of precedence in which the configuration API will read in config
elements; I'm not going to go into that today, but assuming you've called them different things you shouldn't have any issue. So over here, again still in our Program.cs class, we are going to move over to our CreateHostBuilder method, and just after CreateDefaultBuilder we are then going to add in another method here, ConfigureServices, which probably sounds kind of similar; you may remember or you may know that you have a ConfigureServices method in our Startup class usually, but we're going to add one in here as well. And we just need to provide a couple of expressions in here, context and services. This is a lambda; we're going to use a lambda expression going forward, context and services, and we'll access these expressions in a minute. So lambda expression, if you can get it right, curly brackets, and then in here we're going to read in config and we're going to assign it to our static host config class.

So first of all we're going to say host config, and we're going to say cert path; we're going to set cert path equal to... now what we do is we make use of our context here, and what that does is that gives us access to our configuration, the configuration API, and then all we need to do is specify the key that we want to read in. Now as I said, the cool thing is we just need to supply this here; we don't need to specify anything else. The configuration API works everything else out, which is really, really, really, really cool. So just to go over that again: we've created that ConfigureServices method, we are using a lambda expression to access context, that context gives us access to the configuration API, and we're going to read in the cert path, and that's all we need to specify, and we're going to assign that to a little static class here that contains the cert path. And then, very similar, we will use our host config class, and the cert password equals context configuration, and then we pass in the name of the key. Now, what was the name of the key?
It was probably something like cert pass, wasn't it? Let's go again, unless I know it will have opened. So Users, Les J, AppData, Roaming, goodness, Microsoft, UserSecrets, and which one was it? To e7c, to e7c, there we go. And then you open it up with Code. What did we call it? Cert password. Okay, copy that in, and you can get at that. So moving back over to the program, we just provide that key. So again it's really cool: you know, you've got all these different configuration sources, but the configuration API just resolves it and reads it in. Excellent. So we've now got access to our config elements. Final thing we need to do now is just move into our ConfigureWebHostDefaults and just overwrite some of our defaults with these settings.

All right, so the last thing we need to do is configure Kestrel to use our custom certificate, our self-signed certificate. So we do that within ConfigureWebHostDefaults. Now before we do the code, just to remind you that in launchSettings.json we had this applicationUrl attribute with our options, telling Kestrel what port to listen on, what protocol to use for that port, and also the fact that we're using localhost. So just bear that in mind, because we're actually going to overwrite this config here with what we're doing in our Program class, and you'll see how that manifests when we run up the application. Cool.

So back over in ConfigureWebHostDefaults, we're going to call the ConfigureKestrel method, here we go, and into that we'll pass an option, a couple of options, to configure Kestrel. Now the first thing we're going to do is configure our HTTP endpoint, so opt. Now to begin with I'm going to use this method, but don't worry, I'll come back and tidy up in a second. We're going to listen on any IP address, so we're not specifying what IP address we want Kestrel to start on, we're just saying any IP address, listen on port 5000. That's good enough, and we will come back and fix it up with a specific IP address, but I just want to do
this bit first. And then the next bit we want to configure is our HTTPS endpoint, so again listen on any IP address, port 5001 this time, and we want to pass in some additional listener options, or an additional listener option. These boxes are good, they can get quite on point. So just to go over it again: listen on any IP, for port 5001, passing in the listen option, and what is that? That is UseHttps. And now, actually, just hover over it: if we use this, it will configure up Kestrel to use HTTPS with the default certificate if available, and also throw an exception if it's not available. Now we're not going to do that; we're going to actually pass in our custom certificate. So the first thing we need to supply is the path to that certificate, which is just held in this bit of config, and then the next thing we want to do is pass in the password. Now again this is kind of, again, speaking to security and the fact that we stored our password in user secrets and we've fed it into our config and it's completely secret, so it's good, secure, something in terms of the development environment.

So that's basically it for now. We'll come back and do a couple of tidy-ups, but that's basically it. Let me just change back into the right directory, let's just look for... okay, and let's do a run. I'm just going to make this a little bit larger so you can see what happens next. Run, and it runs, but we get this warning. Now what the warning is, it's saying it's overriding the addresses, localhost 5001 on HTTPS and localhost 5000, because we have, as I've said, configured that in our Program class, but nonetheless it runs up. Now you'll see what it's listening on, because we specified listen on any IP address; you can see here, for both five thousand and five thousand one, that, yeah, that's reflected here, it's listening on any IP address, but nonetheless it should still work. So if we go over here, I had one trip here earlier, let me take that out, and let me go home and kind of ruin the supplies, it'll be a bit like... let's try it again: HTTPS,
we're there I all, it's prefilled it, so whether I or, port five thousand and one. But it all works really nicely, and if you click on the little padlock icon and click on Certificate, there's our certificate, and, you know, issued to whether I will, by whether I all. So we've now got a nice custom domain running in our local development environment. So that all works; you could leave it there for now.

Two things just to circle back on. Number one is HTTPS redirection. So if we go over to our Startup class, you will probably have noticed, if you've done a bit of ASP.NET programming, that within Configure one of the standard things you tend to get now is this UseHttpsRedirection, and that means basically as it sounds: if we try and hit the HTTP endpoint (I notice it's starting to play up a little bit, the battery's running out on it), HTTP on port 5000, and hit Enter, all that will happen is we will be redirected back to the HTTPS endpoint, so it's completely secure. So you're probably going to see more and more of that as we move forward in our lives.

Now the only thing I do want to circle back to... now, I wasn't going to do this, I was just going to leave that because it all works, but I felt I don't feel comfortable not doing it: we listened on any IP address. Now, yeah, it's okay, it works, but I'm going to show you a very rough-and-ready way to actually specify the IP address that we should be listening on. So we're going to create a host, we're going to use Dns, probably won't have that namespace, so it's going to complain, but let me just fill out the rest of it anyway: GetHostEntry, and we will pass in... now we probably would want to store this in config, but I'm just going to hard-code it in for now; this was a bit of a last-minute addition. And this is not correct, so go to Dns, not "bns", Dns. Now it's not resolving, so put your cursor on Dns, Control and period, and you'll get a list of things to resolve, and we want to do this, using System.Net. And basically all this does is it uses this
method here on our Dns class to get our host entry for this host name here and put it into host. And then all we need to do is change this ListenAnyIP, or comment it out so you can see how that looks a bit different: opt, instead of ListenAnyIP we're going to Listen, and into that you will pass an IP address and the port. So we're going to use our host IP address list. Now this is where it's not that finessed: in this case you could have one or more than one IP address; I'm just going to hard-code in the zero index, which is the first address that will be returned back, and then port 5000. So again this is not really production-level code, but it's just showing you how to get the IP address for our custom domain and listen on that address rather than listen on any. For this one it's pretty much the same, so we'll just do Listen and we'll pass in the same thing. Yeah, should be good... should be good. All right, cool. So we're listening on a specific address now, that we've derived from getting our host entry. Now again, you would want to put that in a config element, I'm sure.

Okay, so let's just do a dotnet run just to make sure it looks okay. Indeed it does. Now you can see the difference this time from the previous one, where it was just listening on any IP address; you can see now it's actually listening on the IP address that we want. Now hopefully back over here we can just do a refresh, and all works fine.

All right, so we are done for yet another video. This video wasn't one I was actually intending to make; it's almost in response to another video that I was making, and I came across this issue and I needed to resolve it, and while it's not the most complicated thing in the world, it took enough of my time up that I thought, well, it's probably worthwhile making a little video on this just to cover it off in case anybody else is having the same issue, or just in case you want to learn about it anyway. As usual, if you like the video, please give it a like if
you've not done so already, subscribe to the channel and click the little bell and you'll get notified when I put new stuff up. If you don't want to do that, that's cool though, I don't mind, but thank you for watching. Again, to my wonderful Patreon supporters, your names are coming up next. Until then, stay safe, stay well, and I will see you next time. [Music]
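The Program class described in the video, written out as an added example (not the presenter's own code): it uses the ConfigureKestrel overload that receives the builder context instead of a static config class, and fails at startup when either certificate setting is missing. The key names CertPath and CertPassword, the host name dev.example.test and the inline request handler are assumptions or placeholders.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static class Program
{
    // Placeholder for the custom local domain mapped in the hosts file.
    private const string DevHostName = "dev.example.test";

    public static void Main(string[] args) =>
        CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args) // loads appsettings*.json and, in Development, user secrets
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.ConfigureKestrel((context, opt) =>
                {
                    var (certPath, certPassword) = ReadCertSettings(context.Configuration);
                    IPAddress address = ResolveDevAddress(DevHostName);

                    opt.Listen(address, 5000);              // plain HTTP endpoint
                    opt.Listen(address, 5001, listen =>     // HTTPS endpoint with the custom .pfx
                        listen.UseHttps(certPath, certPassword));
                });

                // Stand-in for the project's Startup class (assumption).
                webBuilder.Configure(app =>
                {
                    app.UseHttpsRedirection();
                    app.Run(ctx => ctx.Response.WriteAsync("served over HTTPS"));
                });
            });

    // Assumed key names: CertPath lives in appsettings.Development.json,
    // CertPassword in the user secrets store. The configuration API resolves both.
    private static (string Path, string Password) ReadCertSettings(IConfiguration config)
    {
        string path = config["CertPath"];
        string password = config["CertPassword"];

        if (string.IsNullOrWhiteSpace(path) || !File.Exists(path))
            throw new InvalidOperationException("CertPath is not set or the .pfx file does not exist.");
        if (string.IsNullOrEmpty(password))
            throw new InvalidOperationException("CertPassword is not set; add it with 'dotnet user-secrets set'.");

        return (path, password);
    }

    // Bind to the address the dev host name resolves to instead of every interface.
    private static IPAddress ResolveDevAddress(string hostName) =>
        Dns.GetHostEntry(hostName).AddressList
            .FirstOrDefault(a => a.AddressFamily == AddressFamily.InterNetwork)
        ?? throw new InvalidOperationException($"No IPv4 address found for {hostName}.");
}
```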
Info
Channel: Les Jackson
Views: 34,607
Keywords: dotnetplaybook, les jackson, .net core, c#, https, kestrel, configurekestrel, step by step, tutorial, certificates, ssl, tls
Id: 96KHOaIe19w
Length: 61min 33sec (3693 seconds)
Published: Thu Jul 16 2020