Certificate Error behind Reverse Proxy

Product: PowerShell Universal
Version: 2.9.0

New to setting this all up. Running into persistent HTTP 500 'Internal Server Error' issues when trying to access the application from behind Traefik. Traefik appears to be forwarding the traffic properly to port 5002. PowerShell Universal logs indicate an issue with the certificate:

2022-03-01 15:36:25.884 +10:30 [DBG] Connection id "0HMFR84UAJ29Q" accepted.
2022-03-01 15:36:25.885 +10:30 [DBG] Connection id "0HMFR84UAJ29Q" started.
2022-03-01 15:36:25.927 +10:30 [DBG] Connection id "0HMFR84UAJ29Q" received FIN.
2022-03-01 15:36:25.933 +10:30 [DBG] Failed to authenticate HTTPS connection.
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.ComponentModel.Win32Exception (0x80090327): An unknown error occurred while processing the certificate.
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
2022-03-01 15:36:25.940 +10:30 [DBG] Connection id "0HMFR84UAJ29Q" stopped.
2022-03-01 15:36:25.941 +10:30 [DBG] Connection id "0HMFR84UAJ29Q" sending FIN because: "The Socket transport's send loop completed gracefully."

I have a Let's Encrypt issued certificate, which is being dumped to a .pem and .key file. My appsettings.json Kestrel section is looking like this (wildcard `*` binds all interfaces; backslashes in the Windows paths must be escaped inside JSON):

  "Kestrel": {
    "Endpoints": {
      "HTTP": {
        "Url": "http://*:5001"
      },
      "HttpsFromPem": {
        "Url": "https://*:5002",
        "Certificate": {
          "Path": "C:\\Users\\USERNAME\\Documents\\certs\\certs\\DOMAINNAME.pem",
          "KeyPath": "C:\\Users\\USERNAME\\Documents\\certs\\private\\DOMAINNAME.key"
        }
      }
    },
    "RedirectToHttps": "true"
  }

If I instead use a self-signed certificate, I can get HTTPS working when the request originates from within my network (no certificate exceptions are observed in the logs) - but really would like to get this working with Traefik.

Any ideas would be extremely appreciated before I run out of hair :)

Cheers

OK for what it’s worth - this did end up being a reverse proxy/Traefik issue.

For anyone else who ends up hitting the same problem - I think (?) the mismatch between the Let's Encrypt certificate pulled by Traefik, and the self-issued certificate being used by PowerShell Universal, threw everything for a loop.

To fix - I defined a new 'serversTransport' (Traefik 2.4+), with just one option - since my PU host is not my docker host, I defined it in my 'rules.toml':

[http]
  [http.serversTransports.psTransport]
    insecureSkipVerify = true

Then in my service declaration:

  [http.services.ps-svc.loadBalancer]
    serversTransport = "psTransport"
    [[http.services.ps-svc.loadBalancer.servers]]
      url = "https://192.168.x.x:5002"

Hey presto, all is well. Everything is playing nicely with AzureAD auth :)
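Editor's note, not part of either post: `insecureSkipVerify = true` makes Traefik accept whatever certificate the backend on 192.168.x.x:5002 presents, so the Traefik-to-PowerShell-Universal hop is encrypted but no longer authenticated; anything that can answer on that address and port will be proxied as if it were PSU. Traefik's serversTransport also accepts `rootCAs` (a list of PEM files to trust) and `serverName` (the name Traefik verifies against and sends as SNI), which lets Traefik trust the specific self-signed certificate instead of ignoring all certificates. The fragment below is an added example in the same file-provider TOML layout as the post; the CA file path and the `psu.example.internal` name are assumptions, and the PSU self-signed certificate must actually carry that name in its SAN/CN for the pinned transport to verify.

```toml
[http]
  # Weak: the working fix from the post. Every backend certificate is accepted,
  # so Traefik cannot tell PSU apart from anything else answering on that socket.
  [http.serversTransports.psTransportInsecure]
    insecureSkipVerify = true

  # Hardened: trust only the PSU self-signed certificate (exported as PEM from
  # the PSU host) and require the name it was issued for. Path and name are
  # assumptions for this example.
  [http.serversTransports.psTransportPinned]
    serverName = "psu.example.internal"                 # must match the cert's SAN/CN
    rootCAs    = ["/etc/traefik/certs/psu-selfsigned.pem"]

  [http.services.ps-svc.loadBalancer]
    serversTransport = "psTransportPinned"
    [[http.services.ps-svc.loadBalancer.servers]]
      url = "https://192.168.x.x:5002"
```

Before switching the service over, confirm the chain verifies the same way Traefik will, from the Traefik host: `openssl s_client -connect 192.168.x.x:5002 -servername psu.example.internal -CAfile /etc/traefik/certs/psu-selfsigned.pem` should report `Verify return code: 0 (ok)`. If it reports a hostname or self-signed error instead, the certificate needs re-issuing with the right SAN rather than Traefik needing `insecureSkipVerify`. Alternatively, have PSU serve the same Let's Encrypt certificate Traefik terminates with, which removes the mismatch described in the post entirely.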