TLS ALPN certificate generation failing on Windows #101

Closed
ghost opened this issue May 27, 2020 · 4 comments · Fixed by #110

Comments


ghost commented May 27, 2020

Describe the bug
Generation of the TLS ALPN certificates is failing on Windows due to a known issue in SChannel which prevents Kestrel from correctly loading the private key for the certificate.

Additionally, as there is no way to disable TLS ALPN challenge support, certificate issuance fails even though the HTTP challenges succeed.

System.ComponentModel.Win32Exception (0x8009030E): No credentials are available in the security package
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED secureCredential)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint, Byte[] clientHello)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__69_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
   at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.InnerOnConnectionAsync(ConnectionContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection.ExecuteAsync()

To Reproduce
Steps to reproduce the behavior:

  1. Using version 1.0.0 of the library LettuceEncrypt
  2. Run the sample code on Windows 10 build 19041.
  3. Certificate issuance will fail with the exception above

Expected behavior
The certificate should be issued correctly

Additional context
Possible solutions include

  • LettuceEncrypt could use the suggested workaround to prevent the exception from happening.
  • LettuceEncrypt could detect that this error has happened and disable TLS ALPN support.
  • LettuceEncrypt could provide a configuration option for disabling TLS ALPN support.
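As an added C# example (not LettuceEncrypt's own code, and not a claim about what #110 does), this builds the TLS-ALPN-01 challenge certificate the report describes and applies the PFX export/import that is the usual workaround for SChannel rejecting an ephemeral private key; the class and method names are my choices.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not LettuceEncrypt's own code: builds the self-signed certificate a
// TLS-ALPN-01 responder presents on the "acme-tls/1" ALPN (RFC 8737) and, on Windows,
// re-imports its private key in the form SChannel requires.
public static class AlpnChallengeCertificate
{
    // id-pe-acmeIdentifier extension OID (RFC 8737, section 3)
    private const string AcmeIdentifierOid = "1.3.6.1.5.5.7.1.31";
    // keyAuthorizationSha256 is SHA-256 of the ACME key authorization string.
    public static X509Certificate2 Create(string domain, byte[] keyAuthorizationSha256)
    {
        if (keyAuthorizationSha256.Length != 32)
            throw new ArgumentException("expected a 32-byte SHA-256 digest");

        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var request = new CertificateRequest($"CN={domain}", key, HashAlgorithmName.SHA256);

        // subjectAltName must carry exactly the dNSName being validated.
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(domain);
        request.CertificateExtensions.Add(san.Build());

        // The acmeIdentifier value is a DER OCTET STRING (tag 0x04, length 0x20) of the
        // digest, and the extension must be marked critical.
        var der = new byte[34];
        der[0] = 0x04;
        der[1] = 0x20;
        Buffer.BlockCopy(keyAuthorizationSha256, 0, der, 2, 32);
        request.CertificateExtensions.Add(new X509Extension(AcmeIdentifierOid, der, critical: true));

        var notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);
        var ephemeral = request.CreateSelfSigned(notBefore, notBefore.AddHours(1));
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            return ephemeral;

        // On Windows the key behind CreateSelfSigned is ephemeral (no CNG key container),
        // so SChannel fails AcquireCredentialsHandle with SEC_E_NO_CREDENTIALS (0x8009030E).
        // Round-tripping through PFX materialises the key in a container SChannel can open.
        byte[] pfx = ephemeral.Export(X509ContentType.Pfx);
        ephemeral.Dispose();
        var imported = new X509Certificate2(pfx);
        Array.Clear(pfx, 0, pfx.Length); // the PFX bytes contain the private key
        return imported;
    }
}
```

The returned certificate is only meant to be served when the client negotiated the acme-tls/1 protocol; it is not a replacement for the site's real certificate.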
natemcmaster (Owner) commented

Ah, this bug again. #110 applies the workaround.

LettuceEncrypt could provide a configuration option for disabling TLS ALPN support.

Besides this bug in Windows, do you have any other reasons why you would like to disable this? I considered adding API for this, but in the interest of keeping this project as simple as possible, I'm deferring adding it until there is a compelling need to allow users to manually control which kinds of ACME challenge types are used.

@natemcmaster natemcmaster added this to the 1.1.0 milestone May 31, 2020
@natemcmaster natemcmaster self-assigned this May 31, 2020
natemcmaster (Owner) commented

This fix is available in this prerelease build: https://dev.azure.com/natemcmaster/github/_packaging?_a=package&feed=github%40Local&package=LettuceEncrypt&protocolType=NuGet&version=1.1.0-beta.48.

If this does not resolve the problem, please let me know and we can revisit. This will be released to nuget.org in the 1.1.0 update later in June.


ghost commented Jun 2, 2020

Thanks for the fix @natemcmaster. I've run this build up and confirmed that it works correctly with ALPN certificate generation on Windows 10.

natemcmaster (Owner) commented

Thanks for confirming!
