Net Core 6 Systemd Service how to Use SSL

Question

I have a net core 6 api running on linux as a systemd service

this is the config file

[Unit]
Description=Van Jugando NETCore API

[Service]
WorkingDirectory=/var/www/vanjugando
ExecStart=/usr/bin/dotnet /var/www/vanjugando/VanJugando.dll
Restart=always
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=ASPNETCORE_URLS=http://0.0.0.0:3000
SyslogIdentifier=VanJugando

[Install]
WantedBy=multi-user.target

I also have a web application running on Apache2 in /var/www/html on port :80 this one has SSL woking (generated with certbot SSL), I want to implement SSL for my net core 6 api on port 3000 as well but have no idea how to do this with a systemd service

question is how to configue SSL on my .service file?

Answer 1

All languages has the required tools to load the private and cert files to expose the service through https.

nodejs

var https = require('https');
var options = {
    key: fs.readFileSync('example.key'),
    cert: fs.readFileSync('example.crt')
};
https.createServer(options, my_app).listen(3000);

java (spring boot)

server:
  ssl:
    key-store: classpath:keystore.p12
    key-store-password: password
    key-store-type: pkcs12
    key-alias: springboot
    key-password: password
  port: 8443

c#

Reviewing some posts, c# needs a pfx file. To create it from your cert and private key use this:

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

After that, you could set this in your Program.cs to load the pfx file

var httpsConnectionAdapterOptions = new HttpsConnectionAdapterOptions
{
    SslProtocols = System.Security.Authentication.SslProtocols.Tls12,
    ClientCertificateMode = ClientCertificateMode.AllowCertificate,
    ServerCertificate = new X509Certificate2("./certificate.pfx", "password")
 
};
builder.WebHost.ConfigureKestrel(options =>;
    options.ConfigureEndpointDefaults(listenOptions =>;
        listenOptions.UseHttps(httpsConnectionAdapterOptions)));

Advice

As I explained here it is recommendable not handle the https directly at source code app level.

One of the most visible disadvantage is that every developer will need certificates to start the app in his localhost :/

You should handle the https in another layer like, nginx, apache, haproxy, aws loadbalancer, etc. With this your target application will be http but exposed as https

In your case, if you have apache and your app start in the 3000 port, you could add this virtual host in some file like /etc/apache2/sites-available/sample.conf

<VirtualHost *:80>
ServerName www.sample.com

SSLEngine on
SSLCertificateFile /etc/ssl/ssldragon_com.crt
SSLCertificateKeyFile /etc/ssl/ssldragon.key
SSLCertificateChainFile /etc/ssl/ssldragon_com.ca-bundle

ProxyPreserveHost On
ProxyPass / http:// 127.0.0.1:5000/
ProxyPassReverse / http:// 127.0.0.1:5000/
ErrorLog ${APACHE_LOG_DIR}/sample-error.log
</VirtualHost>

Now, enable the new site configuration using the following command:

sudo a2ensite sample.conf

If there is no error, then your site is ready to go with https!

More details here: https://www.syncfusion.com/blogs/post/hosting-multiple-asp-net-core-apps-in-ubuntu-linux-server-using-apache.aspx

References

• Node.js https pem error: error:0906D06C:PEM routines:PEM_read_bio:no start line
• ASP.NET Core application setup production SSL certificate
• https://tutorials.eu/how-to-configure-ssl-in-asp-net/
• https://www.ssldragon.com/how-to/install-ssl-certificate/apache/
• https://geekflare.com/apache-setup-ssl-certificate/
• https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-9963322D-E377-4233-9FFE-ACB9FA690F48.html