Skip to content

Tidy up some irregularities in certificate reloading #46819

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Mar 1, 2023
Merged

Tidy up some irregularities in certificate reloading #46819

merged 9 commits into from
Mar 1, 2023

Conversation

@amcasey
Copy link
Member

@amcasey amcasey commented Feb 22, 2023

Tidy up some irregularities in certificate loading

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Address some issues that arise when certificate configuration changes happen while the server is running.

Description

While validating #46296, I noticed some irregularities in the way certificates are reloaded when (e.g.) appsettings.json is changed while the server is running.

  1. If you start with the dev cert from the store and then light up, in sequence, the Development certificate, the Default certificate and an Endpoint certificate, each replaces its predecessor. If you then remove them in the reverse order, the Development certificate doesn't go away when it is removed from the configuration. This was because the KestrelServerOptions.DefaultCertificate wasn't being cleared. To improve clarity and address this issue, I've split out the possible sources of the default certificate - this makes the precedence explicit and allows the state of each to be managed separately.
  2. If you change the password of an endpoint certificate to an invalid value, reloading the configuration fails with an exception. Unfortunately, the endpoint has already been removed from the list, so when the password is correct, there's no record of it and the creation of its "replacement" fails because the port is already in use. I've deferred the updating of the endpoint list until after the dangerous parts of Reload have completed. (It's still not atomic, but failures in the actual state change code are too unlikely to justify additional complexity.)

@ghost ghost added the area-runtime label Feb 22, 2023
amcasey
amcasey commented Feb 22, 2023
View reviewed changes
amcasey
amcasey commented Feb 22, 2023
View reviewed changes
src/Servers/Kestrel/Core/src/KestrelServerOptions.cs Outdated
Copy link
Member Author

@amcasey amcasey Feb 22, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I split this out because I think it's nice to have invariants on the value of DefaultCertificate - in particular, that it's only set if IsDevCertLoaded is true. I could live with letting tests set the real one if people feel strongly.

Copy link
Member

@Tratcher Tratcher Feb 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So DefaultCertificate should be renamed to DevCertificate?

Copy link
Member Author

@amcasey amcasey Feb 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The naming isn't really consistent. At this point, it's the developer certificate retrieved from CertificateManager (or null).

Copy link
Member

@Tratcher Tratcher Feb 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you added these other properties to distinguish where the cert is coming from, it does make sense to rename DefaultCertificate to DeveloperCertificate.

amcasey
amcasey commented Feb 22, 2023
View reviewed changes
@build-analysis build-analysis bot mentioned this pull request Feb 22, 2023
Open
5 tasks
@amcasey
Copy link
Member Author

amcasey commented Feb 23, 2023
edited
Loading

CI failure looks legit - locally I have a dev cert in certmgr, but the CI machines don't. I'll figure out how to add that backstop to the tests.

Edit: fixed

Tratcher
Tratcher reviewed Feb 24, 2023
View reviewed changes
@build-analysis build-analysis bot mentioned this pull request Feb 24, 2023
Closed
5 tasks
@amcasey
Make certificate precedence explicit
7abc89c 
1. Values from the user
2. Values set explicitly for test purposes
3. Values from IConfiguration
4. Values from CertificateManager

Note that these are all stored in separate places, so it's possible to "undo" changes if one goes away.

Also, make clearing of the IConfiguration cert on reload explicit.
@amcasey
Don't update ConfigurationBackedLoaders until reload succeeds
a89fe8d 
Otherwise, a configuration error - e.g. a bad endpoint certificate password - could cause it to be left in a bad state, causing issues during subsequent reloads.
@amcasey
Test certificate updates on config reload
9438e04
@amcasey
Test setting a bad certificate password in config
631512c
@amcasey
Hack around possible absence of dev cert in store
612904d
@amcasey
Use IsDevCertLoaded to bypass the cert store entirely
0ecec6d
@amcasey
Don't drop untrusted certs
7e5e531
@amcasey
Fix CanReadAndWriteWithHttpsConnectionMiddlewareWithPemCertificate
7d142a2
@amcasey
Copy link
Member Author

amcasey commented Feb 27, 2023

Force push is a rebase resolving (test-only) merge conflicts with #46868.

Tratcher
Tratcher approved these changes Feb 28, 2023
View reviewed changes
src/Servers/Kestrel/Core/src/KestrelServerOptions.cs Outdated
Copy link
Member

@Tratcher Tratcher Feb 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you added these other properties to distinguish where the cert is coming from, it does make sense to rename DefaultCertificate to DeveloperCertificate.

@amcasey amcasey merged commit 95ed45c into dotnet:main Mar 1, 2023
@amcasey amcasey deleted the CertLoading branch March 1, 2023 00:26
@ghost ghost added this to the 8.0-preview3 milestone Mar 1, 2023
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Tratcher Tratcher Tratcher approved these changes

@halter73 halter73 Awaiting requested review from halter73 halter73 is a code owner

@BrennanConroy BrennanConroy Awaiting requested review from BrennanConroy BrennanConroy is a code owner

@JamesNK JamesNK Awaiting requested review from JamesNK JamesNK is a code owner

@mgravell mgravell Awaiting requested review from mgravell

+1 more reviewer

@dougbu dougbu dougbu left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions

Projects

None yet

Milestone

8.0-preview3

Development

Successfully merging this pull request may close these issues.

4 participants

@amcasey @Tratcher @dougbu @BrennanConroy