EndpointCertificate in ApplicationManifest not being used when starting Kestrel server


I was following this article to try and get an https endpoint running with the certificate specified in the manifest.

So far I have only tried this on my local dev cluster through VS, so I don't know if that is the problem. It is possibly also important to note that the target cluster for this is a standalone cluster.

Anyway, when the service tries to start up, it comes up with an error:

Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.

The relevant sections of my manifests look as described in the link:

Service Manifest

  <Resources>
    <Endpoints>
      <Endpoint Name="EndpointName" Protocol="https"/>
    </Endpoints>
  </Resources>

Application manifest:

  <Policies>
    <EndpointBindingPolicy EndpointRef="EndpointName" CertificateRef="TestCert1" />
  </Policies>
  ...
  <Certificates>
    <EndpointCertificate X509FindValue="ad a5 9c 03 44 5a 40 1a 5e 2d f2 72 24 93 30 e8 b0 85 b0 bb" Name="TestCert1" />
  </Certificates>

The code that runs on the Kestrel startup looks like this:

protected override IEnumerable<ServiceReplicaListener> CreateServiceReplicaListeners()
  => new[]
  {
     new ServiceReplicaListener(
        serviceContext => new KestrelCommunicationListener(
            serviceContext,
            "EndpointName",
            (url, listener) =>
            {
              ServiceEventSource.Current.ServiceMessage(serviceContext, $"Opening on {url}");

              return new WebHostBuilder()
                  .UseKestrel()
                  .ConfigureServices(
                     services => services
                        .AddSingleton(serviceContext)
                        .AddSingleton(StateManager))
                  .UseContentRoot(Directory.GetCurrentDirectory())
                  .UseStartup<Startup>()
                  .UseServiceFabricIntegration(listener, ServiceFabricIntegrationOptions.UseUniqueServiceUrl)
                  .UseUrls(url)
                  .Build();
            })),
  };

Everything was working fine when I was just using HTTP. Any ideas on what I am doing wrong?

Also, is this mechanism supported? The reason I ask is that I also found the type definition for the endpoint, which says not to use the "Certificate" property as it is not supported.


There are 2 best solutions below

3
On

Your Application Manifest looks fine, that's how I would configure an HTTPS endpoint for a WebAPI in Service Fabric. I haven't configured with Kestrel, but the error you got looks like a wrong config issue.

I hope this helps. Here's a tutorial from Microsoft with a different approach. Add an HTTPS endpoint to an ASP.NET Core Web API front-end service using Kestrel

0
On

This is the same issue I'm walking through while trying to convert my web stateless services from net47/httpsys to net8/kestrel.

If you follow the newest MS guideline (as said above), you never need to deal with /ApplicationManifest/Certificates/EndpointCertificates (and the related /ApplicationManifest/ServiceManifestImport/ResourceOverrides/Endpoints/Endpoint) in order to declare and bind the HTTPS certificate to the service that needs it.

If you are converting an existing application, the question is:

  • Do I need to keep the certificate declared and try to look it up using the SF API?
  • Or is it better to clean up everything and resolve the certificate lookup internally in the service?

I'll try the first scenario, but I'm ready to switch to the second one if I get stuck after a couple of hours.

You can find here an example of what I mean: https://medium.com/@stevenhoang/enable-https-endpoint-for-service-fabric-application-8e82528df348
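
The second option discussed above (resolving the certificate inside the service and handing it to Kestrel), as an added example that is not code from either answer or from the linked articles. The class and method names are hypothetical, the LocalMachine\My store is an assumption, and the endpoint name and thumbprint are the ones from the question's manifests.

```csharp
using System;
using System.Fabric;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Core;

// Hypothetical helper: the names here are assumptions, not Service Fabric or Kestrel API.
public static class EndpointCertificateLoader
{
    // Thumbprint as written in the question's X509FindValue; real code would read it from settings.
    private const string Thumbprint = "ad a5 9c 03 44 5a 40 1a 5e 2d f2 72 24 93 30 e8 b0 85 b0 bb";

    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        // Keep hex digits only: drops the spaces and any invisible characters
        // that come along when a thumbprint is copied from the certificate dialog.
        var normalized = new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();

        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine); // assumed store
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false so a self-signed test certificate is found; use true for CA-issued ones.
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, normalized, validOnly: false);

        // TLS needs the private key, so a public-only copy of the certificate is not a match.
        var cert = matches.Cast<X509Certificate2>().FirstOrDefault(c => c.HasPrivateKey);
        // Fail closed: never fall back to another certificate or to plain HTTP.
        return cert ?? throw new InvalidOperationException(
            $"No certificate with a private key and thumbprint {normalized} in LocalMachine\\My.");
    }

    // Call as: .UseKestrel(o => EndpointCertificateLoader.ConfigureHttps(o, serviceContext, "EndpointName"))
    public static void ConfigureHttps(KestrelServerOptions options, ServiceContext context, string endpointName)
    {
        // Port that Service Fabric assigned to the endpoint declared in the service manifest.
        int port = context.CodePackageActivationContext.GetEndpoint(endpointName).Port;
        var cert = FindByThumbprint(Thumbprint);
        options.Listen(IPAddress.IPv6Any, port, listen => listen.UseHttps(cert));
    }
}
```

The account the service runs under needs read access to the certificate's private key, otherwise the TLS handshake fails even though the lookup succeeds.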