ASP.NET Core 2.1 + Kestrel (How to disable HTTPS)

asp.net core 3.0 disable https
asp.net core ssl certificate
failed to determine the https port for redirect
asp.net https
there was an error trusting https developer certificate.
asp net core api disable ssl
failed to locate the development https certificate at null
asp.net core certificate authentication

So it appears with the advent of ASP.NET Core 2.1, Kestrel now automatically creates an HTTPS endpoint along side the HTTP one, and default project templates are setup to redirect from HTTP to HTTPS (which is easy enough to undo).

However my question is... how can I disable HTTPS entirely for my project. I've read through the docs and played with a variety of config settings for HTTPS but nothing I do seems to allow me to turn it off and just run an HTTP project.

Am I crazy or just missing something. I would expect this to be super easy to do.

If you are using Visual Studio 2017, then you can do the following:

  1. Go to your project properties. (Right-click > Properties)
  2. Click on the Debug tab.
  3. Under Web Server Settings, deselect Enable SSL.
  4. Save, build, and try again.

This will update the iisExpress settings in the launchSettings.json file.

Question : Disable HTTPS for development · Issue #1750 · dotnet/core, I set the baseUrl to http://localhost:5000 - NO HTTPS but the request at the browser shows This issue was moved to dotnet/aspnetcore#3293  Configuring HTTPS In ASP.NET Core 2.1. HTTPS can be configured with ASP.net core before the .net core framework 1.1 but it was tricky to configure. It was make easier to configure in 2.0 but this configuration is not by default. In this article, we learn about how to configured HTTPS and how to customize it.

In the Startup.cs, remove the middleware

app.UseHttpsRedirection();

Enforce HTTPS in ASP.NET Core, https://docs.microsoft.com › › .NET › ASP.NET Core › Host and deploy ASP.NET Core 2.1 and later project templates configure apps to run on HTTPS by default and include HTTPS redirection and HSTS support. Call Listen or ListenUnixSocket methods on KestrelServerOptions to configure URL prefixes and ports for Kestrel. UseUrls, the --urls command-line argument,

Turns out the proper way to achieve what I wanted to do, was to specifically configure Kestrel with .UseKestrel() and simply specify a single address, like this:

  WebHost.CreateDefaultBuilder(args)
    .UseKestrel(options => {
      options.Listen(IPAddress.Loopback, 5080); //HTTP port
    })
    .UseStartup<Startup>();

in affect overriding the default setup, and displaying this warning when Kestel starts:

warn: Microsoft.AspNetCore.Server.Kestrel[0]
  Overriding address(es) 'https://localhost:5001, http://localhost:5000'. Binding to endpoints defined in UseKestrel() instead.

if a second address is specified it will assume that address is to be secured with the built-in developer cert, as such:

  WebHost.CreateDefaultBuilder(args)
    .UseKestrel(options => {
      options.Listen(IPAddress.Loopback, 5080); //HTTP port
      options.Listen(IPAddress.Loopback, 5443); //HTTPS port
    })
    .UseStartup<Startup>();

you may of course specifically secure your SSL address as described here:

https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-2.1&tabs=aspnetcore2x

which is necessary for production setups.

Kestrel web server implementation in ASP.NET Core, So it appears with the advent of ASP.NET Core 2.1, Kestrel now automatically creates an HTTPS endpoint along side the HTTP one, and default project  Configuring HTTPS in ASP.NET Core 2.1. Finally HTTPS gets into ASP.NET Core. It was there before back in 1.1, but was kinda tricky to configure. It was available in 2.0 bit not configured by default. Now it is part of the default configuration and pretty much visible and present to the developers who will create a new ASP.NET Core 2.1 project.

Configuring HTTPS In ASP.NET Core 2.1, HTTPS can be configured with ASP.net core before the .net core framework 1.1 Using the following command, we can turn off HTTPS. IIS Express or Kestrel, it is listening on two ports, one for HTTP and other for HTTPS. An expert web developer demonstrates how one can use ASP.NET Core 2.1 to configure a secure, i.e. HTTPS, connection for one's .NET-based web application. Configuring HTTPS in ASP.NET Core 2.1

In the Program.cs, Add UseUrls as following:

WebHost.CreateDefaultBuilder(args)
.UseUrls("http://localhost:5000")
.UseStartup<Startup>();

And In The Startup.cs remove/comment the following:

app.UseHttpsRedirection();

Configuring HTTPS in ASP.NET Core 2.1, Finally HTTPS gets into ASP. NET Core 2.1 web application. If not, go to https://dot.net/ to download and install the latest version for your platform. Kestrel is listening on: https://localhost:5001 and http://localhost:5000. Enforcing HTTPS only traffic with ASP.NET Core and Kestrel 07 April 2018 Comments Posted in ASP.NET Core, .NET Core, security, cross-platform. In the early days of ASP.NET Core, Kestrel (the lightweight, open source web server) was fairly basic.

Developing locally with ASP.NET Core under HTTPS, SSL, and Self , It's very easy to accidentally find oneself on http:// when everything in 2018 should be under https://. I'm using ASP.NET Core 2.1 which makes  HTTPS in ASP.NET Core from Scratch March 1, 2017 by Rui Figueiredo 5 Comments Recently, when looking at how to configure authentication using external login providers (e.g. Google, Facebook) with ASP.NET Core I noticed that https is now a requirement for some of them.

Configuring HTTPS in ASP.NET Core 2.1, There are two different URLs where Kestrel is listening: https://localhost:5001 and http://localhost:5000. If you go to the Configure method in the  If you have nginx, IIS, or another reverse proxy sitting in front of your application, configure it to only listen on HTTPS. That way, connections over 80 (HTTP) will be rejected. At the server. If you are serving your application directly from Kestrel (which isn’t currently recommended), configure the server to only listen on 443.

.NET Core 2.1 and Docker, NET Core 2.1 project, let use an API as an example, you'll notice the addition of the following lines in the Startup.cs file This How do you get the container to see the SSL Certificate on your local machine? ASPNETCORE_Kestrel__​Certificates__Default__Path: FROM microsoft/dotnet:2.1-aspnetcore-runtime AS base Require HTTPS. We recommend that production ASP.NET Core web apps use: HTTPS Redirection Middleware (UseHttpsRedirection) to redirect HTTP requests to HTTPS. HSTS Middleware (UseHsts) to send HTTP Strict Transport Security Protocol (HSTS) headers to clients.

Comments
  • After spending 2 hours trying to get this to work on Linux with Firefox this is exactly the question I have come here to ask :)
  • Well you are in luck, as you can see I've answered this already, see the accepted solution a couple posts down: stackoverflow.com/a/51344917/3022291
  • Somehow in my VS2017, the option is not there. So: Project properties => Debug => App URL (remove the s) and set the proper start page => Save (Popup with override the launchSettings appears => Ok and ready to roll (f5)
  • I'm using the .NET Core CLI by itself. There is nothing in my *.csproj or appsettings.json that indicate SSL should be used. According to the latest documentation, ASP.NET will automatically create an SSL endpoint when a local development certificate is present. So I assumed there was a way in code to disable that, but so far I can't find any way.
  • I think this answer would be even better if it didn't have a dependency on visual studio. What happens to the launchSettings.json file?
  • That only prevents the forced HTTP -> HTTPS redirection (allowing you to get to the site unsecured), it does not disable HTTPS. Two ports are still being consumed by Kestrel (normally 5000 for HTTP and 5001 for HTTPS). What I'm looking for is only HTTP, no HTTPS at all.
  • This helped me. I was using an Android emulator, and of course it most likely not accept the self-signed SSL. So, I tried to connect to the HTTP address, but I kept getting "307 Temporary Redirect". After a little bit of researching, I thought it was because the server was redirecting to HTTPS. Removing that line solved it.
  • Even if this doesn't disable HTTPS, this is still very useful information. I too was having the 307 Temporary Redirect problem, and this fixed it.
  • Actually this can be simplified even further by using .UseUrls() and or .UseConfiguration() with a JSON config and the "urls" property specified. Both of which work the same when given only a single address.
  • I was asked to add an example for my above comment, so here it is: hosting.json { "urls": "http://localhost:5080" } program.cs (main) public static void Main(string[] args) { IConfigurationRoot config = new ConfigurationBuilder() .SetBasePath(Directory.GetCurrentDirectory()) .AddJsonFile("hosting.json") .AddCommandLine(args) .Build(); CreateWebHostBuilder(args).UseConfiguration(config).Build().Run(); }
  • Is there any way to remove the kestrel ?
  • @sina_Islam "remove Kestrel" makes no sense -- Kestrel is the HTTP server. Without it, you don't have a web app.
  • Please note, that the above answer references a config file for launch profiles that is created by Visual Studio, this file will not be auto-created when using VSCode or via dotnet new. However it does appear to function as stated so long as the file is present, and the appropriate profile is referenced (i.e. dotnet run --launch-profile=ProfileNameHere). Note that the first profile in the config is always used as the default if no profile is specified. This being said, I believe launchSettings.json is not a replacement for appsettings.json as it will not be published.
  • In fact, dotnet new does automatically create a launchSettings.json file in dotnet 2.1. This was not the case in dotnet 2.0. I've just tested this in my Ubuntu box, in which Visual Studio is not installed. So, at least for 2.1 version, launchSettings.json is not a Visual Studio specific file.