How to run 'dotnet dev-certs https --trust'?

I'm new to ASP.NET.

Environment:

  • Ubuntu 18.04
  • Visual Studio Code
  • .NET SDK 2.2.105

I'm having trouble running a command.

I was reading the tutorial at

https://docs.microsoft.com/ja-jp/aspnet/core/tutorials/razor-pages/razor-pages-start?view=aspnetcore-2.2&tabs=visual-studio-code

and ran this command:

dotnet dev-certs https --trust

I expected https://localhost to be trusted, but I got this error message:

$ Specify --help for a list of available options and commands.

It seems that the command "dotnet dev-certs https" has no --trust option. How can I resolve this problem?

Kob4, asked Apr 03 '19 00:04




2 Answers

On Ubuntu the standard mechanism would be:

  • dotnet dev-certs https -v to generate a self-signed cert
  • convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
  • copy localhost.crt to /usr/local/share/ca-certificates
  • trust the certificate using sudo update-ca-certificates
  • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
  • verify if it's trusted using openssl verify localhost.crt

Unfortunately this does not work:

  • dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:

    $ openssl verify localhost.crt
    CN = localhost
    error 20 at 0 depth lookup: unable to get local issuer certificate
    error localhost.crt: verification failed

  • due to that it's impossible to have a dotnet client trust the certificate

Workaround: (tested on Openssl 1.1.1c)

  1. manually generate self-signed cert
  2. trust this cert
  3. force your application to use this cert

In detail:

  1. manually generate self-signed cert:

    • create localhost.conf file with the following content:

      [req]
      default_bits       = 2048
      default_keyfile    = localhost.key
      distinguished_name = req_distinguished_name
      req_extensions     = req_ext
      x509_extensions    = v3_ca

      [req_distinguished_name]
      commonName                  = Common Name (e.g. server FQDN or YOUR name)
      commonName_default          = localhost
      commonName_max              = 64

      [req_ext]
      subjectAltName = @alt_names

      [v3_ca]
      subjectAltName = @alt_names
      basicConstraints = critical, CA:false
      keyUsage = keyCertSign, cRLSign, digitalSignature, keyEncipherment

      [alt_names]
      DNS.1 = localhost
      # 127.0.0.1 is an IP address, so it goes in an IP entry rather than a DNS entry:
      # clients match a numeric address only against iPAddress SAN values
      IP.1  = 127.0.0.1

    • generate cert using openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
    • convert cert to pfx using openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
    • (optionally) verify cert using openssl verify -CAfile localhost.crt localhost.crt which should yield localhost.crt: OK
    • as it's not trusted yet, openssl verify localhost.crt should fail with

      CN = localhost
      error 18 at 0 depth lookup: self signed certificate
      error localhost.crt: verification failed

  2. trust this cert:

    • copy localhost.crt to /usr/local/share/ca-certificates
    • trust the certificate using sudo update-ca-certificates
    • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
    • verifying the cert without the CAfile option should work now

      $ openssl verify localhost.crt
      localhost.crt: OK

  3. force your application to use this cert

    • update your appsettings.json with the following settings:

      "Kestrel": {
        "Certificates": {
          "Default": {
            "Path": "localhost.pfx",
            "Password": ""
          }
        }
      }
chrisvdb, answered Sep 23 '22 02:09



While the answer provided by @chrisvdb is helpful, it does not solve all problems. I still had an issue with service-to-service communication (HttpClient - PartialChain error), and also you must reconfigure Kestrel to use your own certificate. It is possible to create a self-signed certificate and import it into the .NET SDK. All you need is to specify the 1.3.6.1.4.1.311.84.1.1 extension in the certificate.

After that the cert can be imported into the .NET Core SDK and trusted. Trusting in Linux is a bit hard as each application can have its own certificate store. E.g. Chromium and Edge use nssdb, which can be configured with certutil as described by John Duffy. Unfortunately the location of the nssdb may be different when you install the application as a snap. Then each application has its own database. E.g. for Chromium Snap the path will be $HOME/snap/chromium/current/.pki/nssdb, for Postman Snap the path will be $HOME/snap/postman/current/.pki/nssdb and so on.

Therefore I have created a script which generates the cert, trusts it for Postman Snap, Chromium Snap, the current user's nssdb and on system level. It also imports the script into the .NET SDK so it will be used by ASP.NET Core without changing the configuration. You can find more information about the script in my blog post https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu

Boris Wilhelms, answered Sep 21 '22 02:09

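A script that puts the two answers together, added here and not taken from the question, either answer or the linked blog post: it generates a self-signed localhost certificate carrying the 1.3.6.1.4.1.311.84.1.1 extension named in the second answer, then trusts and verifies it with the system-store steps from the first answer. The extension's UTF8String payload is an assumption; the page only gives the OID.

```shell
# Added example (not from the question, the answers or the linked blog). Assumed:
# the OID's UTF8String payload; the page names only the OID itself.
# SAN has a DNS entry and an IP entry (127.0.0.1 is matched as an IP, not a DNS
# name); keyCertSign stays in keyUsage so openssl accepts the cert as its own
# issuer, which is the openssl#1418 failure the first answer runs into.
write_localhost_conf() {
  cat > "$1" <<'EOF'
[req]
default_bits       = 2048
distinguished_name = dn
x509_extensions    = v3_dev
prompt             = no
[dn]
CN = localhost
[v3_dev]
subjectAltName   = @alt_names
basicConstraints = critical, CA:false
keyUsage         = keyCertSign, cRLSign, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# ASP.NET Core HTTPS development certificate marker; the payload is an assumption
1.3.6.1.4.1.311.84.1.1 = ASN1:UTF8String:ASP.NET Core HTTPS development certificate
[alt_names]
DNS.1 = localhost
IP.1  = 127.0.0.1
EOF
}
# Create key, cert and password-less pfx in directory $1; succeed only if the
# cert verifies against itself and the OID extension is really in it.
generate_dev_cert() {
  write_localhost_conf "$1/localhost.conf"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "$1/localhost.key" \
    -out "$1/localhost.crt" -config "$1/localhost.conf" 2>/dev/null || return 1
  openssl pkcs12 -export -passout pass: -out "$1/localhost.pfx" \
    -inkey "$1/localhost.key" -in "$1/localhost.crt" || return 1
  openssl verify -CAfile "$1/localhost.crt" "$1/localhost.crt" >/dev/null || return 1
  openssl x509 -in "$1/localhost.crt" -noout -text | grep -q '1\.3\.6\.1\.4\.1\.311\.84\.1\.1'
}
# System-wide trust (needs root); afterwards a bare "openssl verify" must say OK.
trust_dev_cert() {
  sudo cp "$1/localhost.crt" /usr/local/share/ca-certificates/localhost.crt &&
  sudo update-ca-certificates >/dev/null &&
  openssl verify "$1/localhost.crt"
}
if [ "${1:-}" = "--trust" ]; then   # only act when asked; sourcing is otherwise a no-op
  work=$(mktemp -d) && generate_dev_cert "$work" && trust_dev_cert "$work" \
    && echo "pfx for Kestrel (see appsettings.json above): $work/localhost.pfx"
fi
```

Run it as sh devcert.sh --trust, then point Kestrel at the printed localhost.pfx exactly as the first answer's appsettings.json does.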