Custom SSL with AppSelfHostBase

I know this is an old subject, I have read every post I can find on the subject, but still I cannot get this to work.

My SS Service runs inside a Windows Service using AppSelfHostBase. The actual API works great. However, it only seems to work with localhost.

I have an SSL certificate with the name rmserver.local, although self-generated, the CA is registered on the server and clients as a Trusted Root.

I use the code _appHost = new AppHost() .Init() .Start(listeningOn)

to start the SS API. For the listening on, I have used https://+:86/api/, https://*:86/api/, and https://rmserver.local:86/api/. There is an active DNS record that points rmserver.local to the correct IP address.

I have mapped the port 0.0.0.0:86 with the correct application Guid and Certificate hash.

When I open the browser with https://localhost:86/api/ I see the metadata page. However, when I use https://rmserver.local:86/api/ I get a certificate name error. If I look at the certificate in the browser, it is using a localhost certificate, not the rmserver.local one.

Can someone please tell me what step I have missed? I thought I had done everything required, but always the same results.

I am grateful for any and all advise.

SSL Cert configuration is an external configuration concern, i.e. it’s the same for all HttpListener hosts.

I’ve this previously on answered this with links to 2 resources I’ve followed to create and register a custom SSL Cert for a HttpListener host listening on https://*:8443/:

To generate a SSL Cert for a custom localhost domain name I’ve had to specify it in a few places, e.g:

openssl req -x509 -out dev.crt -keyout dev.key -days 825 \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=*.local' -extensions EXT -config <( \
   printf "[dn]\nCN=*.local\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:*.local\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

If it helps, I’ve documented how to create an SSL Cert for custom local domain name for ASP.NET Core Hosts:

Generating self-signed SSL Certificates for Custom Domains

Many thanks for your reply. The issue I have is not related to generating a certificate. I already have a valid certificate, tested on a simple website.

With regard to the link of the instructions, this is one of the items I had read previously, and have followed every step, and if I use https://localhost:86/api/ it works fine. However, when I use any domain name other than localhost, it fails. The certificate being used by SS seems to be limited to localhost, and not a certificate of a different host.

The ASP.Net core link does not help, as our app is not a .net core. It is a .Net 4.8 Windows Service, and again, the issue is not in the certificate generation, I have a valid, trusted, certificate installed in the servers certificate store.

My issue is, the page being presented by SS only seems to want to use the localhost domain, and not another domain name.

Generating a Cert isn’t sufficient, it has to be properly created for the domain you want it for, e.g. for our custom localhost domains we had to specify the domain wildcard in 3 different sections. Given it works for localhost but not your custom localhost domain I’d regenerate it so all 3 sections are properly populated.

ServiceStack doesn’t interfere with the URL, it registers exactly the URL with its internal .NET HttpListener Prefixes. SSL is handled by HttpListener’s HTTP.sys before the request reaches ServiceStack.

I understand about certificate generation. It has the correct host names in it, also the correct properties for server usage.

I created an API using just .Net and reused that certificate, and all worked exactly as expected. So, I do not think the issue is the certificate.

The issue is that when I open the SS API in the browser to see the metadata, it is using the localhost certificate instead of our custom certificate.

I have mapped the certificate to a port and app id as detailed in the link your provided, but still SS is using the local host certificate.

Maybe this is the reason I cannot find a working example of anyone using a custom SSL certificate that is not using localhost on a self-hosted implementation.

If it’s returning the wrong certificate, it may have the wrong SSL certificate assigned to that port, you can view existing sslcert registrations with:

$ netsh http show sslcert

Or a show a specific cert with:

$ netsh http show sslcert 0.0.0.0:5001

Just want to make it clear ServiceStack has no control over SSL Certificates used for HttpListener Hosts, it only registers your URL with its internal HttpListener Prefixes which instructs HTTP.sys to invoke the registered handler for HTTP Requests matching that Prefix. HTTP.sys handles the SSL connection.

Many thanks for the prompt reply. I have checked several times, and the port being used is registered to one, and only one, certificate, and the thumbprint of that registration matches the thumbprint of the certificate in the store.

I have spent literally hours searching the web, and I cannot find a single person who shows a clear way of doing this using a certificate other than local host. In fact, several developers have stated they hit the same roadblock and had to recode their API’s to not use the HttpListener.

So, it looks like I will be in the same boat, with no workable solution found here, I will look for other ways to make the API. But really not happy, as this will be a huge undertaking.

Porting to ASP .NET Core might be the way forward as it lets you specify the certificate to use in configuration.