DEV Community

Hosting a .Net Core App with Nginx and Let's Encrypt

Ian Knighton on May 07, 2019

In the last post, we built a simple .Net Core application to handle payment processing for our event registration. It works like a champ on our loc...
 
Tom Eggington

Thanks so much for this. I've just had a need to do this, and pulling together the mishmash of documentation and working out which bits are wrong has been tiring. Your guide worked for me from start to finish first time.

By the way, you haven't swapped out a placeholder value in the nginx config for 443 server_name.

Ian Knighton

Good catch!

Also, glad I could help. I found the Microsoft docs to be lacking in a real-world setup. So I kind of just pieced it together the rest of the way.

Dinesh Rathee

LetsEncrypt have revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:

DevTo: dev.to/dineshrathee12/letsencrypt-...

GitHub: github.com/dineshrathee12/Let-s-En...

LetsEncryptCommunity: community.letsencrypt.org/t/letsen...

Dan Shea • Edited

Hi Ian,

Firstly thanks for this article, it's been a major help, completely agree that the Microsoft docs are not up to scratch.

One issue I've had is that my aspnet core app would only start up as http://localhost:5000 on my Ubuntu server.

I understand that's because Kestrel didn't have access to its self-signed cert like it does when running locally.

I've got around this by setting nginx to direct to http://localhost:5000 and removing app.UseHttpsRedirection(); in startup.cs. I'm assuming this is fine considering nginx is the reverse proxy.

Your article shows that you are directing nginx to https://localhost:5001 yet you don't mention this issue? Can you elaborate on this please? Would be super helpful.

James Spinella • Edited

I had this same issue when revisiting the app I was working on back in July. Now I'm using .NET Core 3.1 instead of 2.2. I ran a command on the Ubuntu server to have dotnet generate a new self-signed cert (I believe it was "dotnet dev-certs https"). This allowed the .NET Core Web API app to run using Https/5001.

I believe you are correct in your thinking with this sort of "jankness" being okay because it's running behind Nginx. When I go to my app in a browser, it is using the LetsEncrypt certificate, so the self-signed cert just seems to be there to check a box that dotnet goes through when starting the app.

Friendly note on the LetsEncrypt... the .NET app cannot be running when you run the certbot command to refresh the cert, else you get an error about not being able to bind to port 80 (has nothing to do with you using 443 only, it's just that it tries 80 before 443 so we see that 80 error first). At first I thought the opposite, that an app needed to be running on 80/443 for the Letsencrypt people to see it's a valid website.

For forcing https/5001 only in the .NET Core Web API app, I added "app.UseHttpsRedirection();" to Startup.cs and "webBuilder.UseUrls("https://localhost:5001");" to Program.cs. It's okay to "disable" http/80 within the .NET Core Web API app as Nginx redirects 80 to 443 and then sends it to the .NET Core app. I know you knew that, just being detailed for others who may happen by ;)
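
Added example, not part of this thread or the article: one way to run the setup discussed in the two comments above, with Kestrel listening on loopback HTTP behind nginx while the app still sees the client's original scheme and address. It assumes .NET Core 3.1, port 5000, and an nginx server block that sets the forwarded headers shown in the first comment; the class layout is illustrative.

```csharp
// Added example. Assumed nginx settings (not taken from the article):
//   proxy_pass         http://127.0.0.1:5000;
//   proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
//   proxy_set_header   X-Forwarded-Proto $scheme;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                // Loopback only: the plain-HTTP listener is not reachable from the network.
                webBuilder.UseUrls("http://127.0.0.1:5000");
                webBuilder.UseStartup<Startup>();
            })
            .Build()
            .Run();
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            // Accept forwarded headers only from the local nginx; other senders are ignored.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownProxies.Add(IPAddress.Loopback);
        });
        services.AddControllers();
    }
    public void Configure(IApplicationBuilder app)
    {
        // Must run before anything that reads Request.Scheme or the remote IP.
        app.UseForwardedHeaders();
        app.UseHttpsRedirection(); // no loop: the forwarded scheme is already https
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

With the forwarded scheme honoured, generated links, secure-cookie decisions and the redirection middleware all treat proxied requests as HTTPS, so Kestrel needs no certificate of its own in this layout.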

James Spinella

You could use crontab with @reboot instead of creating a service to start the app automatically.

RiadKatby

Thanks for the helpful post. I need to ask: in my case I use IdentityServer4, which only runs on HTTPS, so how can I install the same certificate on Kestrel as well?