TechWatching
diff --git a/‎content/1.posts/73.aspire-devcert.md
Lines changed: 273 additions & 0 deletions b/‎content/1.posts/73.aspire-devcert.md
Lines changed: 273 additions & 0 deletions
diff --git a/‎public/images/aspire-devcert.png
518 KB b/‎public/images/aspire-devcert.png
518 KB
@@ -0,0 +1,273 @@
+---
+title: ".NET Aspirations - Use ASP.NET Core HTTPS Development Certificate"
+lead: "Simplify HTTP set up in your local development environment"
+date: 2025-03-13
+image:
+  src: /images/aspire-devcert.png
+badge:
+  label: Development
+tags:
+  - .NET Aspire
+  - HTTP
+  - Nuxt
+  - .NET
+  - Security
+---
+
+It's a good practice to use HTTPS in your local development environment to closely match the production environment and prevent future HTTPS issues.
+
+In a previous [article](https://techwatching.dev/posts/aspnetcore-with-nuxt-https), I discussed how to set up HTTPS on a web application with an ASP.NET Core API and a Nuxt.js front end. This was done using the ASP.NET Core HTTPS Development certificate. However, for the front end, it required using the `dev-certs` [**built-in command of the .NET CLI**](https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-9.0&tabs=visual-studio%2Clinux-sles&wt.mc_id=MVP_430820#trust-the-aspnet-core-https-development-certificate) **to export the certificate files (key file and** `pem` file). That's fine, but it would be better if this step could be automated when using .NET Aspire. Let's explore that.
+
+As usual, we will use our [`AspnetWithNuxt` sample](https://github.com/TechWatching/AspnetWithNuxt). In our `WebApp`, we currently assume that the certificate files are already generated and available in our folder, so the paths to these files are hard-coded in the Nuxt configuration:
+
+```typescript {8-11} [nuxt.config.ts]
+  $development: {
+    routeRules: {
+      '/api/**': {
+        proxy: 'https://localhost:7238/**',
+      }
+    },
+    devServer: {
+      https: {
+        key: 'dev-cert.key',
+        cert: 'dev-cert.pem'
+      }
+    }
+  },
+```
+
+What we would need instead is to use environment variables that contain these paths and default to the hard-coded values otherwhise:
+
+```typescript {8-11} [nuxt.config.ts]
+  $development: {
+    routeRules: {
+      '/api/**': {
+        proxy: `${import.meta.env.ApiUrl}/**`,
+      }
+    },
+    devServer: {
+      https: {
+        key: import.meta.env.CERT_KEY_PATH ?? 'dev-cert.key',
+        cert: import.meta.env.CERT_PATH ?? 'dev-cert.pem'
+      }
+    }
+  },
+```
+
+That seems better. But now we need a way to ensure the certificate files exist, generate them if they don’t, and automatically inject these environment variables. Ideally, this would be configured in the `AppHost` by calling a specific method when defining the `WebApp` resource.
+
+And guess what, there is an [issue](https://github.com/dotnet/aspire/issues/6890) on the .NET Aspire GitHub repository discussing exactly such a method. Unfortunately, at the time of writing this method is not built-in but can be found in the [`aspire-samples` repository](https://github.com/dotnet/aspire-samples/blob/0c27e4e3bac5f102db1002fd2e0e1ba894e1009a/samples/Shared/DevCertHostingExtensions.cs). We just need to copy it and place it in our `AppHost` project
+
+::collapsible{openText="Show the code of the" closeText="Hide the code of the" name="DevCertHostingExtensions.cs file"}
+
+```csharp [AppHost/DevCertHostingExtensions.cs]
+using System.Diagnostics;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+
+namespace Aspire.Hosting;
+
+public static class DevCertHostingExtensions
+{
+    /// <summary>
+    /// Injects the ASP.NET Core HTTPS developer certificate into the resource via the specified environment variables when
+    /// <paramref name="builder"/>.<see cref="IResourceBuilder{T}.ApplicationBuilder">ApplicationBuilder</see>.<see cref="IDistributedApplicationBuilder.ExecutionContext">ExecutionContext</see>.<see cref="DistributedApplicationExecutionContext.IsRunMode">IsRunMode</see><c> == true</c>.<br/>
+    /// If the resource is a <see cref="ContainerResource"/>, the certificate files will be bind mounted into the container.
+    /// </summary>
+    /// <remarks>
+    /// This method <strong>does not</strong> configure an HTTPS endpoint on the resource.
+    /// Use <see cref="ResourceBuilderExtensions.WithHttpsEndpoint{TResource}"/> to configure an HTTPS endpoint.
+    /// </remarks>
+    public static IResourceBuilder<TResource> RunWithHttpsDevCertificate<TResource>(
+        this IResourceBuilder<TResource> builder, string certFileEnv, string certKeyFileEnv, Action<string, string>? onSuccessfulExport = null)
+        where TResource : IResourceWithEnvironment
+    {
+        if (builder.ApplicationBuilder.ExecutionContext.IsRunMode && builder.ApplicationBuilder.Environment.IsDevelopment())
+        {
+            builder.ApplicationBuilder.Eventing.Subscribe<BeforeStartEvent>(async (e, ct) =>
+            {
+                var logger = e.Services.GetRequiredService<ResourceLoggerService>().GetLogger(builder.Resource);
+
+                // Export the ASP.NET Core HTTPS development certificate & private key to files and configure the resource to use them via
+                // the specified environment variables.
+                var (exported, certPath, certKeyPath) = await TryExportDevCertificateAsync(builder.ApplicationBuilder, logger);
+
+                if (!exported)
+                {
+                    // The export failed for some reason, don't configure the resource to use the certificate.
+                    return;
+                }
+
+                if (builder.Resource is ContainerResource containerResource)
+                {
+                    // Bind-mount the certificate files into the container.
+                    const string DEV_CERT_BIND_MOUNT_DEST_DIR = "/dev-certs";
+
+                    var certFileName = Path.GetFileName(certPath);
+                    var certKeyFileName = Path.GetFileName(certKeyPath);
+
+                    var bindSource = Path.GetDirectoryName(certPath) ?? throw new UnreachableException();
+
+                    var certFileDest = $"{DEV_CERT_BIND_MOUNT_DEST_DIR}/{certFileName}";
+                    var certKeyFileDest = $"{DEV_CERT_BIND_MOUNT_DEST_DIR}/{certKeyFileName}";
+
+                    builder.ApplicationBuilder.CreateResourceBuilder(containerResource)
+                        .WithBindMount(bindSource, DEV_CERT_BIND_MOUNT_DEST_DIR, isReadOnly: true)
+                        .WithEnvironment(certFileEnv, certFileDest)
+                        .WithEnvironment(certKeyFileEnv, certKeyFileDest);
+                }
+                else
+                {
+                    builder
+                        .WithEnvironment(certFileEnv, certPath)
+                        .WithEnvironment(certKeyFileEnv, certKeyPath);
+                }
+
+                if (onSuccessfulExport is not null)
+                {
+                    onSuccessfulExport(certPath, certKeyPath);
+                }
+            });
+        }
+
+        return builder;
+    }
+
+    private static async Task<(bool, string CertFilePath, string CertKeyFilPath)> TryExportDevCertificateAsync(IDistributedApplicationBuilder builder, ILogger logger)
+    {
+        // Exports the ASP.NET Core HTTPS development certificate & private key to PEM files using 'dotnet dev-certs https' to a temporary
+        // directory and returns the path.
+        // TODO: Check if we're running on a platform that already has the cert and key exported to a file (e.g. macOS) and just use those instead.
+        var appNameHash = builder.Configuration["AppHost:Sha256"]![..10];
+        var tempDir = Path.Combine(Path.GetTempPath(), $"aspire.{appNameHash}");
+        var certExportPath = Path.Combine(tempDir, "dev-cert.pem");
+        var certKeyExportPath = Path.Combine(tempDir, "dev-cert.key");
+
+        if (File.Exists(certExportPath) && File.Exists(certKeyExportPath))
+        {
+            // Certificate already exported, return the path.
+            logger.LogDebug("Using previously exported dev cert files '{CertPath}' and '{CertKeyPath}'", certExportPath, certKeyExportPath);
+            return (true, certExportPath, certKeyExportPath);
+        }
+
+        if (File.Exists(certExportPath))
+        {
+            logger.LogTrace("Deleting previously exported dev cert file '{CertPath}'", certExportPath);
+            File.Delete(certExportPath);
+        }
+
+        if (File.Exists(certKeyExportPath))
+        {
+            logger.LogTrace("Deleting previously exported dev cert key file '{CertKeyPath}'", certKeyExportPath);
+            File.Delete(certKeyExportPath);
+        }
+
+        if (!Directory.Exists(tempDir))
+        {
+            logger.LogTrace("Creating directory to export dev cert to '{ExportDir}'", tempDir);
+            Directory.CreateDirectory(tempDir);
+        }
+
+        string[] args = ["dev-certs", "https", "--export-path", $"\"{certExportPath}\"", "--format", "Pem", "--no-password"];
+        var argsString = string.Join(' ', args);
+
+        logger.LogTrace("Running command to export dev cert: {ExportCmd}", $"dotnet {argsString}");
+        var exportStartInfo = new ProcessStartInfo
+        {
+            FileName = "dotnet",
+            Arguments = argsString,
+            RedirectStandardOutput = true,
+            RedirectStandardError = true,
+            UseShellExecute = false,
+            CreateNoWindow = true,
+            WindowStyle = ProcessWindowStyle.Hidden,
+        };
+
+        var exportProcess = new Process { StartInfo = exportStartInfo };
+
+        Task? stdOutTask = null;
+        Task? stdErrTask = null;
+
+        try
+        {
+            try
+            {
+                if (exportProcess.Start())
+                {
+                    stdOutTask = ConsumeOutput(exportProcess.StandardOutput, msg => logger.LogInformation("> {StandardOutput}", msg));
+                    stdErrTask = ConsumeOutput(exportProcess.StandardError, msg => logger.LogError("! {ErrorOutput}", msg));
+                }
+            }
+            catch (Exception ex)
+            {
+                logger.LogError(ex, "Failed to start HTTPS dev certificate export process");
+                return default;
+            }
+
+            var timeout = TimeSpan.FromSeconds(5);
+            var exited = exportProcess.WaitForExit(timeout);
+
+            if (exited && File.Exists(certExportPath) && File.Exists(certKeyExportPath))
+            {
+                logger.LogDebug("Dev cert exported to '{CertPath}' and '{CertKeyPath}'", certExportPath, certKeyExportPath);
+                return (true, certExportPath, certKeyExportPath);
+            }
+
+            if (exportProcess.HasExited && exportProcess.ExitCode != 0)
+            {
+                logger.LogError("HTTPS dev certificate export failed with exit code {ExitCode}", exportProcess.ExitCode);
+            }
+            else if (!exportProcess.HasExited)
+            {
+                exportProcess.Kill(true);
+                logger.LogError("HTTPS dev certificate export timed out after {TimeoutSeconds} seconds", timeout.TotalSeconds);
+            }
+            else
+            {
+                logger.LogError("HTTPS dev certificate export failed for an unknown reason");
+            }
+            return default;
+        }
+        finally
+        {
+            await Task.WhenAll(stdOutTask ?? Task.CompletedTask, stdErrTask ?? Task.CompletedTask);
+        }
+
+        static async Task ConsumeOutput(TextReader reader, Action<string> callback)
+        {
+            char[] buffer = new char[256];
+            int charsRead;
+
+            while ((charsRead = await reader.ReadAsync(buffer, 0, buffer.Length)) > 0)
+            {
+                callback(new string(buffer, 0, charsRead));
+            }
+        }
+    }
+}
+```
+
+::
+
+::callout{icon="i-heroicons-light-bulb"}
+What’s interesting is that this method will also work with a resource container by mounting the certificate files in the container.
+::
+
+Then we can call this method like this:
+
+```csharp [AppHost/Program.cs] {9}
+var webApp= builder.AddPnpmApp("WebApp", "../WebApp", "dev")
+    .WithHttpsEndpoint(env: "PORT")
+    .WithExternalHttpEndpoints()
+    .WithPnpmPackageInstallation()
+    .WithReference(webApi)
+    .WaitFor(webApi)
+    .WithEnvironment("ApiUrl", webApi.GetEndpoint("https"))
+    .WithEnvironmentPrefix("NUXT_PUBLIC_")
+    .RunWithHttpsDevCertificate("CERT_PATH", "CERT_KEY_PATH");
+```
+
+And that's it. Thanks to .NET Aspire, setting up HTTPS in our application is now easier. And from what I've read about the issues on the repository, it seems there are likely improvements coming to .NET Aspire to make this feature built-in and even better. Anyway, this is a great example of how we can easily customize .NET Aspire to fit our needs and enhance the developer experience.
+
+You can find the complete code [here](https://github.com/TechWatching/AspnetWithNuxt/tree/6e8f2efa7c68d6399f12859230cdd0beaa8d8218). Keep learning.