fix: workaround bug in Windows SSL stream when generating temporary s…

…elf-signed certs cref dotnet/runtime#23749
natemcmaster · May 31, 2020 · 24a265a · 24a265a
1 parent 239c503
commit 24a265a
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/src/LettuceEncrypt/Internal/TlsAlpnChallengeResponder.cs b/src/LettuceEncrypt/Internal/TlsAlpnChallengeResponder.cs
@@ -3,6 +3,7 @@
 
 using System;
 using System.Net.Security;
+using System.Runtime.InteropServices;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
@@ -107,6 +108,15 @@ acmeIdentifier extension MUST be critical so that the certificate
             // This cert is ephemeral and does not need to be stored for reuse later
             var cert = csr.CreateSelfSigned(_clock.Now.AddDays(-1), _clock.Now.AddDays(1));
 
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                // SSLStream on Windows throws with ephemeral key sets
+                // workaround from https://github.com/dotnet/runtime/issues/23749#issuecomment-388231655
+                var originalCert = cert;
+                cert = new X509Certificate2(cert.Export(X509ContentType.Pkcs12));
+                originalCert.Dispose();
+            }
+
             Interlocked.Increment(ref _openChallenges);
             _certificateSelector.AddChallengeCert(cert);
         }