BorisWilhelms / create-dotnet-devcert

A simple script that creates and trusts a self-signed development certificate for dotnet on Linux distributions.
https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu
MIT License

IdentityServer4 service-to-service communication Error UntrustedRoot #4

Closed GOVINDBHAVAN closed 3 years ago

GOVINDBHAVAN commented 3 years ago

The script is working fine in Chrome, but when communicating service to service (calling an Identity service) I am getting this error. Please suggest; I am using the script provided in this repository for the self-signed certificates.

My system: Ubuntu 20, ASP.NET Core 5 and IdentityServer4

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

HEADERS

Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate, br
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkQ4ODA4MUYxQ0IzMDE5OTgzQUI1MUI2RTgzRTg2Qjc4IiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE2MjQ3NzQzMzQsImV4cCI6MTYyNDc3NzkzNCwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMyIsImNsaWVudF9pZCI6InBvc3RtYW4iLCJzdWIiOiIwODQwNTJlNS0xMTE0LTQ1MDQtYTA3Ny1lNzBlOTM3ZDAyZDQiLCJhdXRoX3RpbWUiOjE2MjQ3NzQzMzIsImlkcCI6ImxvY2FsIiwianRpIjoiNUVGMjNGQzI1MzVEQzJDRDNGRkQwQkQ3NTBFMkQ3QjkiLCJzaWQiOiI1MjREQzk2MTA0M0VCM0JGMTg0QUE5NjI0RTc5NEMzRCIsImlhdCI6MTYyNDc3NDMzNCwic2NvcGUiOlsib3BlbmlkIiwicHJvZmlsZSJdLCJhbXIiOlsicHdkIl19.sT2dCuwzBrs2B42-WGeiF56e24HWtHe6OHsd9xvAJSZvL3MB06dqW-32R_HQmhOYLQOBv6XRuJbPYT7mxtr1OdsG8PSCygrwi-ZAtEHBX9AjBju6QpJXieHWaXaLKqJzfKFC8llxmlvIFu0vsw-bl7QL09GrssP5OWLHSd6GX-hS8CrOzCt1JJ9rmCS_52rs2E8sN6cQ69y-sGBPjBEs6GySQJ1FJCBRcyjHM1X4-mcH5vbpr2F7rFc2Jv9qNtdmHKEeqhy4jzSaJKi-CpizoLzM4pLoL-UonLJGghDlBuu_1lkPobxROHMs2yWMVngXmqLww-QjycePJgrBHP7C1w
Host: localhost:5001
User-Agent: PostmanRuntime/7.28.0
Postman-Token: 2be93479-50ab-4f5e-8e9b-1e6445ee96bf

BorisWilhelms commented 3 years ago

I cannot reproduce this issue. Does anyone else have this issue?

sarvasana commented 3 years ago

I think you have to configure ID4 to accept self-signed certs.

GOVINDBHAVAN commented 3 years ago

> I think you have to configure ID4 to accept self-signed certs.

If we can use self-signed certs in IdentityServer4, then I'll check and update here. I thought ID4 didn't support self-signed certificates. Thanks for the reply.

sarvasana commented 3 years ago

Apologies, it is dotnet core you need to instruct to accept self-signed certificates for authentication.

See: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-5.0#configure-certificate-validation

And: https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.certificate.certificateauthenticationoptions.allowedcertificatetypes?view=aspnetcore-5.0

And: https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.certificate.certificatetypes?view=aspnetcore-5.0

BorisWilhelms commented 3 years ago

Well, with .NET 5 and my script you should not need to configure "accept self-signed certificates". At least not when everything runs on localhost/the same machine.

sarvasana commented 3 years ago

Oh, okay. Why is that not needed? The script does generate a certificate not signed by a trusted authority, no?

BorisWilhelms commented 3 years ago

The script will create a self-signed certificate and then trust this certificate in various places (e.g. browser and "system" store) in Linux. It should therefore work with service-to-service communication as long as everything runs on localhost.
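As an added example that is not part of this thread or of the create-dotnet-devcert script, the following C# console program performs the check a practitioner wants when a .NET service reports UntrustedRoot for a localhost peer: it asks .NET's own chain builder why the served certificate was rejected and lists what the machine Root store (the Linux CA bundle that update-ca-certificates maintains) actually trusts. The authority URL https://localhost:5003 is the issuer from the token in the report and is an assumption; pass another URL as the first argument.

```csharp
// Added diagnostic for the UntrustedRoot case; not the script's or the thread's code.
// Reports, does not bypass, certificate validation.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class DevCertCheck
{
    static async Task Main(string[] args)
    {
        // Assumed IdentityServer URL (the "iss" claim of the token in the report).
        var authority = args.Length > 0 ? args[0] : "https://localhost:5003";
        using var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            Console.WriteLine($"Subject     : {cert?.Subject}");
            Console.WriteLine($"Issuer      : {cert?.Issuer}");
            Console.WriteLine($"Thumbprint  : {cert?.Thumbprint}");
            Console.WriteLine($"PolicyErrors: {errors}");
            if (chain != null)
                foreach (var status in chain.ChainStatus)
                    Console.WriteLine($"  chain: {status.Status} - {status.StatusInformation.Trim()}");
            // Report only: return the default verdict so trust is never bypassed.
            return errors == SslPolicyErrors.None;
        };
        using var client = new HttpClient(handler);
        try
        {
            var response = await client.GetAsync(authority + "/.well-known/openid-configuration");
            Console.WriteLine($"HTTP {(int)response.StatusCode}: discovery document fetched, chain trusted.");
        }
        catch (HttpRequestException ex)
        {
            Console.WriteLine($"TLS failure: {ex.InnerException?.Message ?? ex.Message}");
            ListTrustedRoots("localhost");
        }
    }

    // On Linux the LocalMachine Root store is read from the OpenSSL CA directory
    // (/etc/ssl/certs); an empty result means the dev cert was not installed there.
    static void ListTrustedRoots(string subjectFragment)
    {
        using var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        foreach (var c in store.Certificates)
            if (c.Subject.Contains(subjectFragment, StringComparison.OrdinalIgnoreCase))
                Console.WriteLine($"  trusted root: {c.Subject} ({c.Thumbprint})");
    }
}
```

Run it from the same user account and machine as the failing service, since that is the trust store .NET consults there; a PolicyErrors value of RemoteCertificateChainErrors together with an UntrustedRoot chain status and an empty Root-store listing points at the certificate never having been installed into the system bundle.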

BorisWilhelms commented 3 years ago

I will close this issue, since I cannot reproduce this with the script.

GOVINDBHAVAN commented 3 years ago

Thanks for the reply. There was a certificate issue on my system. I deleted all existing development certificates, executed the provided script, and now it is working fine.

# Remove the previously installed development certificate files (system bundle, OpenSSL dir, and the script's own directory)
sudo rm -rf /etc/ssl/certs/ht*
sudo rm -rf /usr/lib/ssl/certs/ht*
sudo rm -rf /usr/local/share/ca-certificates/aspnet/ht*
# Restore the distribution CA bundle and rebuild the trust store before re-running the script
sudo apt-get install --reinstall ca-certificates
sudo update-ca-certificates