asp.net core - Kestrel Fails TLS Handshake after Attempt to Download Intermediate Certificate Fails

Kestrel's web server is timing out, saying Connection Closed, after loading a publicly-signed SSL Certificate.

Background - we have a docker container that hosts a dotnet 3.1 webapi/react app, where the user can upload a custom SSL certificate. The PKCS#12 certificate is stored in our database and bound at startup using .ConfigureKestrel((context,options)) and options.ConfigureHttpsDefaults(listenOptions=>{listenOptions.ServerCertificate = certFromDatabase; }). This has been working flawlessly.

However, the problem now is that a user is attempting to run this app in a restrictive firewalled environment and is receiving HTTP connection closed errors when attempting to access Kestrel immediately after loading a new certificate and restarting the app.

Whenever Kestrel receives an incoming request, it begins attempting to download the intermediate certificate from the certificate's CA's public CDN repository via http on port 80. It appears to be using the URL from the Authority Information Access portion of the certificate. Since the firewall is blocking this, it retries repeatedly for about 20 seconds, during which time the client's TLS handshake sits waiting on a server response. When the server eventually fails to fetch the intermediate certificate, it cancels the TLS handshake and closes the connection.

I can't figure out why it's attempting to download this certificate, considering the same certificate is embedded in the PKCS#12 PFX bundle that is bound to Kestrel. Am I supposed to load either the root CA or intermediate into the CA trust folder in file system? (Ex. /usr/local/share/ca-certificates/ - I can't load the intermediate there, only the CA?)

using Microsoft.AspNetCore.Hosting;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

public static IWebHost BuildFullWebHost(string[] args)
{
    var webHostBuilder = GetBaseWebHostBuilder(args);
    return webHostBuilder
        .ConfigureAppConfiguration((context, builder) => { [...] })
        .ConfigureLogging((hostingContext, logging) => { [...] })
        .UseStartup<Startup>()
        .ConfigureKestrel((context, options) =>
        {
            // Resolve the stored certificate through a scoped service provider
            var sp = options.ApplicationServices;
            using (var scope = sp.CreateScope())
            {
                var dbContext = scope.ServiceProvider.GetService<DbContext>();
                var cert = Example.Services.HttpsCertificateService.GetHttpsCert(dbContext);
                //this returns a new X509Certificate2(certificate.HttpsCertificate, certificate.Password);

                options.ConfigureHttpsDefaults(listenOptions =>
                {
                    listenOptions.ServerCertificate = cert;
                    listenOptions.CheckCertificateRevocation = false;
                });
            }
        })
        .Build();
}
Question from: https://stackoverflow.com/questions/65926215/kestrel-fails-tls-handshake-after-attempt-to-download-intermediate-certificate-f
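The question rests on one detail worth checking before touching firewalls or trust stores: `new X509Certificate2(bytes, password)` keeps exactly one certificate, so any intermediate that sits in the PKCS#12 file next to the leaf is dropped at that point and the server has nothing to present; a chain engine that cannot find the leaf's issuer locally is then left with the Authority Information Access URL. The following is an added diagnostic, not code from the question or from Kestrel. It builds a throwaway root, intermediate and leaf in memory, exports two bundles (leaf only, and leaf plus intermediate) and reports which issuers each bundle really contains. All names, the password and the validity period are constructed for the demo; the hypothetical `Inspect` helper compares issuer names only and does not replace signature verification by `X509Chain`.

```csharp
// Added diagnostic, not code from the question above. Names, password and
// validity dates are constructed; the hierarchy is generated in memory.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public sealed class BundleReport
{
    public X509Certificate2 Leaf { get; set; }
    // Issuers found inside the bundle, ordered from the leaf's issuer upwards.
    public List<X509Certificate2> IssuersInBundle { get; } = new List<X509Certificate2>();
    // Issuer name the walk could not find in the bundle (null if it reached a self-signed cert).
    public string FirstMissingIssuer { get; set; }
    // True when the leaf's direct issuer is absent: the server then has no
    // intermediate to present, and a chain engine may fall back to the AIA URL.
    public bool IntermediateMissing => IssuersInBundle.Count == 0 && Leaf.Subject != Leaf.Issuer;
}

public static class PfxChainCheck
{
    public static BundleReport Inspect(byte[] pfx, string password)
    {
        // Importing into a collection keeps every certificate in the file;
        // new X509Certificate2(pfx, password) would keep only one of them.
        var all = new X509Certificate2Collection();
        all.Import(pfx, password, X509KeyStorageFlags.DefaultKeySet);

        var leaf = all.Cast<X509Certificate2>().FirstOrDefault(c => c.HasPrivateKey)
                   ?? throw new InvalidOperationException("bundle has no certificate with a private key");
        var report = new BundleReport { Leaf = leaf };

        // Walk issuer names upward until a self-signed certificate or a gap.
        // Name matching only: enough to see what the bundle carries, not a
        // substitute for signature verification by X509Chain.
        var current = leaf;
        while (current.Subject != current.Issuer)
        {
            var issuer = all.Cast<X509Certificate2>().FirstOrDefault(c => c.Subject == current.Issuer);
            if (issuer == null) { report.FirstMissingIssuer = current.Issuer; break; }
            report.IssuersInBundle.Add(issuer);
            current = issuer;
        }
        return report;
    }

    // Creates root -> intermediate -> leaf and returns the leaf (with its key)
    // plus the intermediate as a public certificate, as a CA would hand them out.
    public static (X509Certificate2 Leaf, X509Certificate2 Intermediate) BuildTestHierarchy()
    {
        var notBefore = DateTimeOffset.UtcNow.AddDays(-1);
        var notAfter = notBefore.AddYears(2);

        var rootKey = RSA.Create(2048);
        var rootReq = new CertificateRequest("CN=Constructed Test Root", rootKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        var root = rootReq.CreateSelfSigned(notBefore, notAfter);

        var intKey = RSA.Create(2048);
        var intReq = new CertificateRequest("CN=Constructed Test Intermediate", intKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        intReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        var intermediateWithKey = intReq.Create(root, notBefore, notAfter, new byte[] { 0x02 })
                                        .CopyWithPrivateKey(intKey);

        var leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=example.test", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var leaf = leafReq.Create(intermediateWithKey, notBefore, notAfter, new byte[] { 0x03 })
                          .CopyWithPrivateKey(leafKey);

        // Only the public half of the intermediate belongs in a server bundle.
        var intermediate = new X509Certificate2(intermediateWithKey.RawData);
        return (leaf, intermediate);
    }

    public static void Main()
    {
        var (leaf, intermediate) = BuildTestHierarchy();
        const string password = "constructed-demo-password";

        // A complete CA-issued bundle: leaf plus intermediate.
        byte[] withChain = new X509Certificate2Collection { leaf, intermediate }
            .Export(X509ContentType.Pfx, password);
        // A bundle where only the leaf was packaged.
        byte[] leafOnly = leaf.Export(X509ContentType.Pfx, password);

        foreach (var (name, pfx) in new[] { ("leaf+intermediate", withChain), ("leaf only", leafOnly) })
        {
            var r = Inspect(pfx, password);
            Console.WriteLine($"{name}: issuers in bundle={r.IssuersInBundle.Count}, " +
                              $"first missing issuer={r.FirstMissingIssuer ?? "(none)"}, " +
                              $"intermediate missing={r.IntermediateMissing}");
        }
    }
}
```

For the first bundle the report lists one issuer and names the root as the first missing one, which is the normal shape: the root is expected to come from the platform trust store, not from the bundle. For the second it lists no issuer and flags the intermediate as missing, which is the situation in which a server has nothing to send and the handshake depends on an outbound fetch. Run the same `Inspect` over the bytes stored in the database to learn which of the two shapes the uploaded file has; if the intermediate is there, it still has to be made visible to the chain builder on the server, which in my experience means importing it into a store the runtime consults (on .NET for Linux I would expect the CurrentUser CertificateAuthority store via `X509Store`; treat that as an assumption to verify on the target platform) rather than relying on the single `ServerCertificate` object.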


1 Reply

Waiting for answers
