I'm new to ASP.NET.
Environment:
Ubuntu 18.04
Visual Studio Code
.NET SDK 2.2.105
I'm having trouble running a command.
I was reading the tutorial at
https://docs.microsoft.com/ja-jp/aspnet/core/tutorials/razor-pages/razor-pages-start?view=aspnetcore-2.2&tabs=visual-studio-code
and ran this command:
dotnet dev-certs https --trust
I expected https://localhost to be trusted, but I got this error message:
$ Specify --help for a list of available options and commands.
It seems that the command "dotnet dev-certs https" has no --trust option. How can I resolve this problem?
The dotnet dev-certs command manages a self-signed certificate to enable HTTPS use in local web app development. Its main functions are: Generating a certificate for use with HTTPS endpoints during development. Trusting the generated certificate on the local machine.
Copy that URL and go to the project properties window. Locate the Web tab and override the Project URL property with the https address: After that, you need to setup a trusted certificate for Visual Studio.
A self-signed certificate is a digital certificate not signed by any publicly trusted Certificate Authority (CA). Self-signed certificates include SSL/TLS certificates, code signing certificates, and S/MIME certificates.
On Ubuntu the standard mechanism would be:
dotnet dev-certs https -v
to generate a self-signed cert
openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
localhost.crt
to /usr/local/share/ca-certificates
sudo update-ca-certificates
/etc/ssl/certs/localhost.pem
(extension changes)
openssl verify localhost.crt
Unfortunately this does not work:
dotnet dev-certs https
generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:
$ openssl verify localhost.crt
CN = localhost
error 20 at 0 depth lookup: unable to get local issuer certificate
error localhost.crt: verification failed
Workaround: (tested on Openssl 1.1.1c)
In detail:
manually generate self-signed cert:
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca

[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment

[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
openssl verify -CAfile localhost.crt localhost.crt
which should yield
localhost.crt: OK
openssl verify localhost.crt
should fail with
CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed
trust this cert:
/usr/local/share/ca-certificates
sudo update-ca-certificates
/etc/ssl/certs/localhost.pem
(extension changes)
$ openssl verify localhost.crt
localhost.crt: OK
force your application to use this cert
"Kestrel": {
  "Certificates": {
    "Default": {
      "Path": "localhost.pfx",
      "Password": ""
    }
  }
}
While the answer provided by @chrsvdb is helpful, it does not solve all problems. I still had issues with service-to-service communication (HttpClient - PartialChain error), and you must also reconfigure Kestrel to use your own certificate. It is possible to create a self-signed certificate and import it into the .NET SDK. All you need is to specify the 1.3.6.1.4.1.311.84.1.1 extension in the certificate.
After that the cert can be imported into the .NET Core SDK and trusted. Trusting in Linux is a bit hard as each application can have its own certificate store. E.g. Chromium and Edge use nssdb, which can be configured with certutil as described by John Duffy. Unfortunately the location of the nssdb may be different when you install an application as a snap. Then each application has its own database. E.g. for Chromium Snap the path will be $HOME/snap/chromium/current/.pki/nssdb, for Postman Snap the path will be $HOME/snap/postman/current/.pki/nssdb and so on.
Therefore I have created a script which generates the cert, trusts it for Postman Snap, Chromium Snap, current user nssdb and on system level. It also imports the script into the .NET SDK so it will be used by ASP.NET Core without changing the configuration. You can find more information about the script in my blog post https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu
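Both answers end with a certificate being added to the system trust store, so it is worth checking what the certificate asserts before running update-ca-certificates. The following is an added example, not code from either answer or from the linked script: it summarises the properties the answers discuss (self-issued, keyCertSign in keyUsage, the CA flag, the localhost SAN, the 1.3.6.1.4.1.311.84.1.1 extension, expiry). It assumes the openssl command-line tool is installed; the function name audit_cert and its key=value output are hypothetical.

```sh
#!/bin/sh
# Added example: summarise a certificate before it is copied to
# /usr/local/share/ca-certificates. audit_cert and its output format are
# hypothetical names chosen for this sketch.

DEVCERT_OID="1.3.6.1.4.1.311.84.1.1"   # extension OID named in the second answer

audit_cert() (
    crt="$1"
    text="$(openssl x509 -in "$crt" -noout -text)" || exit 2
    subject="$(openssl x509 -in "$crt" -noout -subject)"
    issuer="$(openssl x509 -in "$crt" -noout -issuer)"

    # Self-issued: subject and issuer names are identical.
    [ "${subject#subject=}" = "${issuer#issuer=}" ] \
        && echo "self_issued=yes" || echo "self_issued=no"

    # keyCertSign in keyUsage (the workaround's localhost.conf sets it).
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
        | grep -q 'Certificate Sign' \
        && echo "key_cert_sign=yes" || echo "key_cert_sign=no"

    # basicConstraints: the workaround config requests CA:false.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' \
        && echo "ca=true" || echo "ca=false"

    # The certificate should name localhost and nothing broader.
    printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' \
        | grep -Eq 'DNS:localhost(,|$)' \
        && echo "san_localhost=yes" || echo "san_localhost=no"

    # Extensions unknown to openssl are printed by numeric OID in the -text dump.
    printf '%s\n' "$text" | grep -qF "$DEVCERT_OID" \
        && echo "devcert_oid=yes" || echo "devcert_oid=no"

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        && echo "expired=no" || echo "expired=yes"
)

# Usage: sh audit_cert.sh localhost.crt
if [ "$#" -gt 0 ]; then
    audit_cert "$1"
fi
```

A certificate that reports ca=true, or a SAN list wider than localhost, gives its private key holder more reach than a development certificate needs once it is trusted system-wide.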