Kestrel should listen on http://localhost:50008 and https://localhost:50009. The certificate should be loaded at startup from an external source (in this example it is simply loaded from a file). Unfortunately, this only works when the certificate is loaded from appsettings.json (set up as described in "Configure HTTPS with a certificate in the Kestrel server"), not when it is configured in code (as described in "Setting up a production SSL certificate for an ASP.NET Core application").

Test setup: the certificate is issued for *.mydomain.xyz. The A record of www.mydomain.xyz points to 127.0.0.1.

Experiment 1: configure Kestrel in appsettings.json
Program.cs

```csharp
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();
app.MapGet("/", () => Results.Ok("hello"));
app.Run();
```

appsettings.json

```json
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Debug"
    }
  },
  "AllowedHosts": "*",
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://*:50009",
        "Certificate": {
          "Path": "C:\\Users\\myusername\\certs\\acme_certificate_pem.crt",
          "KeyPath": "C:\\Users\\myusername\\certs\\acme_certificate_private_key_pem.key"
        }
      },
      "Http": {
        "Url": "http://*:50008"
      }
    }
  }
}
```

debug output

```
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://[::]:50008
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: https://[::]:50009
```

curl (the browser also shows the correct certificate for *.mydomain.xyz)

```
$ curl http://www.mydomain.xyz:50008
"hello"
$ curl https://www.mydomain.xyz:50009
"hello"
```
Experiment 2: configure Kestrel in Program.cs

Program.cs

```csharp
using System.Net;
using System.Security.Cryptography.X509Certificates;

var builder = WebApplication.CreateBuilder(args);

// Load the certificate and its private key from the PEM files.
var certPath = "C:\\Users\\myusername\\certs\\acme_certificate_pem.crt";
var keyPath = "C:\\Users\\myusername\\certs\\acme_certificate_private_key_pem.key";
var certificate = X509Certificate2.CreateFromPemFile(certPath, keyPath);

builder.WebHost.ConfigureKestrel((context, serverOptions) =>
{
    serverOptions.Listen(IPAddress.Any, 50008);
    serverOptions.Listen(IPAddress.Any, 50009, listenOptions =>
    {
        // Bind the loaded certificate to the HTTPS endpoint.
        listenOptions.UseHttps(certificate);
    });
});

var app = builder.Build();
app.MapGet("/", () => Results.Ok("hello"));
app.Run();
```

appsettings.json

```json
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Debug"
    }
  }
}
```

debug output

```
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://0.0.0.0:50008
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: https://0.0.0.0:50009
```

curl

```
$ curl http://www.mydomain.xyz:50008
"hello"
$ curl https://www.mydomain.xyz:50009
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
```
Experiment 3: configure Kestrel in Program.cs without a certificate

Program.cs

```csharp
using System.Net;

var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel((context, serverOptions) =>
{
    serverOptions.Listen(IPAddress.Any, 50008);
    serverOptions.Listen(IPAddress.Any, 50009, listenOptions =>
    {
        // No certificate given: Kestrel falls back to the development certificate.
        listenOptions.UseHttps();
    });
});

var app = builder.Build();
app.MapGet("/", () => Results.Ok("hello"));
app.Run();
```

appsettings.json

```json
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Debug"
    }
  }
}
```

debug output

```
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://0.0.0.0:50008
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: https://0.0.0.0:50009
```

curl (using the development certificate, which is issued to localhost)

```
$ curl http://www.mydomain.xyz:50008
"hello"
$ curl https://www.mydomain.xyz:50009 -k
"hello"
$ curl https://www.mydomain.xyz:50009
curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - Der Zielprinzipalname ist falsch.
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
A .pfx works. The reason is a technical limitation of Windows.
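As an added example (not code from the question or the answer), one way to apply the .pfx approach in Program.cs on .NET 6 or later: load the PEM pair exactly as Experiment 2 does, then re-import it through PFX bytes so that Windows ends up with a private key it can use for TLS. The certificate paths are the question's placeholders; that this PFX round-trip is what the answer means by "a .pfx works" is my assumption.

```csharp
using System.Net;
using System.Security.Cryptography.X509Certificates;

var builder = WebApplication.CreateBuilder(args);

// Same placeholder paths as in the question.
var certPath = "C:\\Users\\myusername\\certs\\acme_certificate_pem.crt";
var keyPath = "C:\\Users\\myusername\\certs\\acme_certificate_private_key_pem.key";

// Load the PEM pair, then round-trip it through PFX bytes. On Windows the
// private key produced by CreateFromPemFile is ephemeral and SChannel cannot
// use it for a TLS handshake (this matches the curl error 35 in Experiment 2);
// importing the PFX bytes gives the key a form SChannel accepts.
// Assumption: this re-import is the ".pfx" route the answer refers to.
using var pemCert = X509Certificate2.CreateFromPemFile(certPath, keyPath);
var certificate = new X509Certificate2(pemCert.Export(X509ContentType.Pfx));

// Fail fast at startup rather than at the first client handshake.
if (!certificate.HasPrivateKey)
    throw new InvalidOperationException("Certificate has no usable private key.");
if (DateTime.UtcNow > certificate.NotAfter.ToUniversalTime())
    throw new InvalidOperationException("Certificate has expired.");

builder.WebHost.ConfigureKestrel(serverOptions =>
{
    serverOptions.Listen(IPAddress.Any, 50008);
    serverOptions.Listen(IPAddress.Any, 50009, listenOptions =>
    {
        listenOptions.UseHttps(certificate);
    });
});

var app = builder.Build();
app.MapGet("/", () => Results.Ok("hello"));
app.Run();
```

With this in place, `curl https://www.mydomain.xyz:50009` without `-k` is the check that the served certificate is the *.mydomain.xyz one rather than the localhost development certificate from Experiment 3.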