BorisWilhelms / create-dotnet-devcert

A simple script that creates and trusts a self-signed development certificate for dotnet on Linux distributions.
https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu
MIT License
322 stars 71 forks

Cert not trusted, SSL Handshake Failing #12

Open athoma13 opened 1 year ago

athoma13 commented 1 year ago

Thank you for providing a solution to this very annoying problem of setting up local dev certs - Microsoft has really dropped the ball by not considering Linux in their dev-certs CLI. Microsoft support referred me to your script, in fact...

I am trying to run this on Ubuntu 22.04 and .NET 7 SDK. The script executes fine and installs the certificate.

However, if I open a .NET hosted site, I get an untrusted certificate warning in Chromium (snap) and Brave (also snap). I know the localhost cert is being used because of the dates.

Also, service-to-service SSL Handshake also fails with the following error...

[13:33:45 DBG] Failed to authenticate HTTPS connection.
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:0A000416:SSL routines::sslv3 alert certificate unknown
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions, SelectClientCertificate clientCertificateSelectionCallback)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)

I think it is because when I try to verify the certificate using OpenSSL, I get an error:

openssl verify /etc/ssl/certs/dotnet-devcert.pem

CN = localhost
error 18 at 0 depth lookup: self-signed certificate
error /etc/ssl/certs/dotnet-devcert.pem: verification failed

Any ideas or advice?
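Added diagnostic example for the `openssl verify` result quoted above (an editor's addition, not part of this issue and not the create-dotnet-devcert script). It generates a throwaway self-signed localhost certificate from a minimal request config, then separates two questions that the report conflates: is the certificate itself valid, and is it present in the trust store that `openssl verify` actually consults. `verify_self_anchored` passes the certificate as its own `-CAfile`; if that succeeds while the plain `openssl verify` still reports "error 18 at 0 depth lookup: self-signed certificate", the certificate is fine and the store being consulted simply does not contain it. `cert_in_store` matches by SHA-256 fingerprint rather than file name, so a stale `dotnet-devcert.pem` left from an earlier run is detected. The config contents, file names and the `diagnose` helper are assumptions made for the demo; OpenSSL 1.1.1 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: trust-store diagnostics for a self-signed dev certificate.
# Not from the issue or the create-dotnet-devcert project; all paths and the
# request config below are constructed for this demo.

# Minimal request config for a localhost dev cert (an illustration, not the
# project's own localhost.conf). The SAN entry is what browsers check; a CN
# alone is not enough.
write_localhost_conf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no

[dn]
CN = localhost

[v3_req]
subjectAltName = DNS:localhost
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Generate key + self-signed cert into DIR, mirroring the script's openssl req step.
make_devcert() {
    dir="$1"
    write_localhost_conf "$dir/localhost.conf"
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
        -keyout "$dir/dotnet-devcert.key" -out "$dir/dotnet-devcert.crt" \
        -config "$dir/localhost.conf" >/dev/null 2>&1
}

# Verify CERT against whatever trust store openssl uses by default
# (/etc/ssl/certs on Debian/Ubuntu). A self-signed cert that is not in that
# store yields "error 18 ... self-signed certificate" and a non-zero status.
verify_with_default_store() {
    openssl verify "$1" >/dev/null 2>&1
}

# Verify CERT using only itself as the trust anchor. Passing here while
# verify_with_default_store fails means the cert is valid and the store is
# the problem.
verify_self_anchored() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate as lowercase hex without colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Return 0 if some .pem/.crt file in STOREDIR has the same fingerprint as CERT.
cert_in_store() {
    want=$(cert_fingerprint "$1")
    for f in "$2"/*.pem "$2"/*.crt; do
        [ -f "$f" ] || continue
        [ "$(cert_fingerprint "$f" 2>/dev/null)" = "$want" ] && return 0
    done
    return 1
}

# Human-readable summary: exit 2 = cert invalid on its own, 1 = cert valid but
# not trusted by the default store, 0 = trusted.
diagnose() {
    cert="$1"; store="$2"
    verify_self_anchored "$cert" || {
        echo "$cert: does not verify even as its own anchor (dates, extensions, or not a cert)"
        return 2
    }
    if cert_in_store "$cert" "$store"; then
        echo "$cert: fingerprint present in $store"
    else
        echo "$cert: fingerprint NOT in $store (missing or stale copy)"
    fi
    if verify_with_default_store "$cert"; then
        echo "$cert: accepted by openssl verify"
        return 0
    fi
    echo "$cert: rejected by openssl verify (error 18 = self-signed and absent from the store consulted)"
    return 1
}
```

On a machine where the script has been run, `diagnose /etc/ssl/certs/dotnet-devcert.pem /etc/ssl/certs` prints which of the two conditions fails; an exit status of 1 with "fingerprint NOT in" points at the copy/`update-ca-certificates` step rather than at the certificate.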

BorisWilhelms commented 1 year ago

Thank you for your message.

Microsoft support referred me to your script, in fact... Hahaha, I don't know if I like this or not...

Overall, I am currently not running Ubuntu, but Arch Linux. So I need to set up a VM to test this. I currently have limited time to spend, but will see if I can do something in the next days.

Regarding Chromium and Brave, please check the paths in common.sh if they match your system.

BorisWilhelms commented 1 year ago

I actually tested it right now, and I am not able to reproduce this issue.

Could you please try the script from the branch 12-cert-not-trusted?

If the issue still persists, please paste the OpenSSL Version (openssl version) and the output of the script.

athoma13 commented 1 year ago

Hi Boris,

Thank you for your time.... Tried and getting the same behaviour.... Am I right to assume that after running your script, running an openssl verify on the cert (as above) should work?

Anyhow, here's the output of openssl version

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

BorisWilhelms commented 1 year ago

Yes, openssl verify should work, and it does that for me in my Ubuntu VM. Your openssl version also matches mine, so I am not sure what the issue is.

Please pull the latest version of the script in this branch, run it with the -d argument (e.g. ./ubuntu-create-dotnet-devcert.sh -d) and copy & paste the output here.

amthejohnson commented 10 months ago

I am having the same problem as @athoma13 when I run openssl verify. Below is the result when I run the script with -d:

+ DEPENDENCIES=dotnet certutil openssl
+ check_command dotnet
+ echo Checking if dotnet exists
Checking if dotnet exists
+ command -v dotnet
+ check_command certutil
+ echo Checking if certutil exists
Checking if certutil exists
+ command -v certutil
+ check_command openssl
+ echo Checking if openssl exists
Checking if openssl exists
+ command -v openssl
+ TMP_PATH=/var/tmp/localhost-dev-cert
+ [ ! -d /var/tmp/localhost-dev-cert ]
+ mkdir /var/tmp/localhost-dev-cert
+ KEYFILE=/var/tmp/localhost-dev-cert/dotnet-devcert.key
+ CRTFILE=/var/tmp/localhost-dev-cert/dotnet-devcert.crt
+ PFXFILE=/var/tmp/localhost-dev-cert/dotnet-devcert.pfx
+ NSSDB_PATHS=/home/tester/.pki/nssdb     /home/tester/snap/chromium/current/.pki/nssdb     /home/tester/snap/postman/current/.pki/nssdb     /home/tester/snap/brave/current/.pki/nssdb
+ CONF_PATH=/var/tmp/localhost-dev-cert/localhost.conf
+ cat
+ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /var/tmp/localhost-dev-cert/dotnet-devcert.key -out /var/tmp/localhost-dev-cert/dotnet-devcert.crt -config /var/tmp/localhost-dev-cert/localhost.conf --passout pass:
.........+......+.......+++++++++++++++++++++++++++++++++++++++*.+++++++++++++++++++++++++++++++++++++++*............+...........+.........+......+.+...+......+...........+....+..+....+........+...+...+.+...+...........+......+.+...+..+....+.....+..............................++++++
....+......+......+.....+.+..+......+++++++++++++++++++++++++++++++++++++++*.+.........+..........+......+......+..+.+.....+++++++++++++++++++++++++++++++++++++++*...........+...+..+..........+.....+.+..+.......+.....+.......+.....+.+..................+..+...+.+......+.........+.........+..+...+......+.+..+.+....................+.+......+..................+......+.....+...+...+...+....+........+..........+.....+...................+.........+.....+....+...+.........+......+.........+....................+...+.............+..................+..+............+.+.........+......+......+...+..+....+...........+...+......+.......+..+..........+..+....+............+...+..............+...+............+......+....+......+.....+.........+.+.........+...+............+..+.........+....+......+.........+........+....+...+...........+.+...+...+.........+......+...+..+.......+...+..+.....................+....+...+.....+.........+...+.............+...+.....+.........+.+.....+.......+...+......+......+.....+...+.+.........+.....+......+....+..+....+...+......+.....+.+...+...+.....+...+.........+......+.........+...+......................+..+......+...............+....+...+......+......+......+.....+.......+...+..............+..........+...+..+.+.....+.......+..+..................+..........+..+...+......+.+......+..+.+.........++++++
-----
+ openssl pkcs12 -export -out /var/tmp/localhost-dev-cert/dotnet-devcert.pfx -inkey /var/tmp/localhost-dev-cert/dotnet-devcert.key -in /var/tmp/localhost-dev-cert/dotnet-devcert.crt --passout pass:
+ [ -d /home/tester/.pki/nssdb ]
+ configure_nssdb /home/tester/.pki/nssdb
+ echo Configuring nssdb for /home/tester/.pki/nssdb
Configuring nssdb for /home/tester/.pki/nssdb
+ certutil -d sql:/home/tester/.pki/nssdb -D -n dotnet-devcert
+ certutil -d sql:/home/tester/.pki/nssdb -A -t CP,, -n dotnet-devcert -i /var/tmp/localhost-dev-cert/dotnet-devcert.crt
+ [ -d /home/tester/snap/chromium/current/.pki/nssdb ]
+ [ -d /home/tester/snap/postman/current/.pki/nssdb ]
+ [ -d /home/tester/snap/brave/current/.pki/nssdb ]
+ id -u
+ [ 1000 -ne 0 ]
+ SUDO=sudo
+ dotnet dev-certs https --clean --import /var/tmp/localhost-dev-cert/dotnet-devcert.pfx -p 
HTTPS development certificates successfully removed from the machine.
The certificate was successfully imported.
+ [ 0 = 1 ]
+ sudo rm /etc/ssl/certs/dotnet-devcert.pem
+ sudo cp /var/tmp/localhost-dev-cert/dotnet-devcert.crt /usr/local/share/ca-certificates
+ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
+ cleanup
+ rm -R /var/tmp/localhost-dev-cert