BorisWilhelms / create-dotnet-devcert

A simple script that creates and trusts a self-signed development certificate for dotnet on Linux distributions.
https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu
MIT License

Received an unexpected EOF or 0 bytes from the transport stream #5

Closed uheee closed 2 years ago

uheee commented 2 years ago

I use Arch Linux. After I exec the script, the Chrome browser can visit my web API currently. But when I wanted to call it in a .NET console program:

```csharp
var httpClient = new HttpClient();
var response = await httpClient.GetAsync("https://localhost:5001/WeatherForecast");
```

It raised an error:

```
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.IO.IOException:  Received an unexpected EOF or 0 bytes from the transport stream.
   at System.Net.Security.SslStream.<FillHandshakeBufferAsync>g__InternalFillHandshakeBufferAsync|182_0[TIOAdapter](TIOAdapter adap, ValueTask`1 task, Int32 minSize)
   at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at Client.Program.Main(String[] args) in /home/snowind/Tests/OpenIdDemo/Client/Program.cs:line 13
```

And when I use curl to visit https://localhost:5001/WeatherForecast, it returned `curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:5001`.

How to solve it?

sarvasana commented 2 years ago

EDIT: Been a while since I checked this repo. It turns out the script is already multi-distro. You might be having a different problem.


Hey,

I am on Arch-based distros and adjusted this script to my needs some time ago. Maybe @BorisWilhelms can use what I paste below to end up with a script that works for both Debian- and Arch-based distros.


```bash
#!/bin/bash
# Uses bash arrays, so it must run under bash rather than sh.
TMP_PATH=/var/tmp/localhost-dev-cert

# The unencrypted private key is written here, so create the directory owner-only.
if [ ! -d "$TMP_PATH" ]; then
    mkdir -m 700 "$TMP_PATH"
fi

KEYFILE=$TMP_PATH/dotnet-devcert.key
CRTFILE=$TMP_PATH/dotnet-devcert.crt
PFXFILE=$TMP_PATH/dotnet-devcert.pfx

# NSS databases (Chromium-based browsers) that should trust the certificate.
NSSDB_PATHS=(
    "$HOME/.pki/nssdb"
#    "$HOME/snap/chromium/current/.pki/nssdb"
#    "$HOME/snap/postman/current/.pki/nssdb"
)

CONF_PATH=$TMP_PATH/localhost.conf

# Overwrite (not append) so a leftover file from an aborted run cannot duplicate sections.
cat > "$CONF_PATH" <<EOF
[req]
prompt                  = no
default_bits            = 2048
distinguished_name      = subject
req_extensions          = req_ext
x509_extensions         = x509_ext

[ subject ]
commonName              = localhost

[req_ext]
basicConstraints        = critical, CA:true
subjectAltName          = @alt_names

[x509_ext]
basicConstraints        = critical, CA:true
keyUsage                = critical, keyCertSign, cRLSign, digitalSignature,keyEncipherment
extendedKeyUsage        = critical, serverAuth
subjectAltName          = critical, @alt_names
1.3.6.1.4.1.311.84.1.1  = ASN1:UTF8String:ASP.NET Core HTTPS development certificate # Needed to get it imported by dotnet dev-certs

[alt_names]
DNS.1                   = localhost
EOF

function configure_nssdb() {
    echo "Configuring nssdb for $1"
    # Remove any previous entry (fails harmlessly on the first run), then add the new one.
    certutil -d "sql:$1" -D -n dotnet-devcert
    certutil -d "sql:$1" -A -t "CP,," -n dotnet-devcert -i "$CRTFILE"
}

# Self-signed certificate with an unencrypted key, then a PFX with an empty password.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "$KEYFILE" -out "$CRTFILE" -config "$CONF_PATH" -passout pass:
openssl pkcs12 -export -out "$PFXFILE" -inkey "$KEYFILE" -in "$CRTFILE" -passout pass:

for NSSDB in "${NSSDB_PATHS[@]}"; do
    if [ -d "$NSSDB" ]; then
        configure_nssdb "$NSSDB"
    fi
done

# System trust store: Arch uses trust-source/anchors plus `trust extract-compat`.
#sudo rm /etc/ssl/certs/dotnet-devcert.pem
#sudo cp $CRTFILE "/usr/local/share/ca-certificates"
sudo cp "$CRTFILE" /etc/ca-certificates/trust-source/anchors
sudo trust extract-compat

dotnet dev-certs https --clean --import "$PFXFILE" -p ""

#sudo cp /var/tmp/localhost-dev-cert/dotnet-devcert.crt /etc/ca-certificates/trust-source/anchors
# Remove the working directory, including the private key.
rm -R "$TMP_PATH"
```

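
Added example, not part of the thread or of the project's script: a check of what TLS clients validate in a certificate built from the `[x509_ext]` settings posted above, run before anything is installed into a trust store. It assumes the `openssl` CLI is on the PATH; `make_devcert` and `check_devcert` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. make_devcert and check_devcert are hypothetical helper names.
# The config mirrors the [x509_ext] section posted above; the dotnet import
# marker OID is left out because it plays no role in TLS validation.

make_devcert() {    # $1 = existing output directory
    cat > "$1/localhost.conf" <<'EOF'
[req]
prompt             = no
distinguished_name = subject
x509_extensions    = x509_ext

[subject]
commonName         = localhost

[x509_ext]
basicConstraints   = critical, CA:true
keyUsage           = critical, keyCertSign, cRLSign, digitalSignature, keyEncipherment
extendedKeyUsage   = critical, serverAuth
subjectAltName     = critical, @alt_names

[alt_names]
DNS.1              = localhost
EOF
    # Subshell keeps the restrictive umask local; the key is unencrypted.
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -keyout "$1/dotnet-devcert.key" -out "$1/dotnet-devcert.crt" \
          -config "$1/localhost.conf" )
}

check_devcert() {   # $1 = certificate file, $2 = host name the client requests
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' \
        || { echo "basicConstraints is not CA:TRUE"; return 1; }
    printf '%s\n' "$text" | grep -q "DNS:$2" \
        || { echo "subjectAltName lacks DNS:$2"; return 1; }
    # Authoritative check: chain and host name validation with the certificate
    # as its own trust anchor, as after installing it into the system anchors.
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1 \
        || { echo "openssl verify failed for $2"; return 1; }
    echo "ok"
}

# Usage: d=$(mktemp -d); make_devcert "$d"; check_devcert "$d/dotnet-devcert.crt" localhost
```

A certificate that passes this check can still fail at connect time if the server never presents it, so a handshake that ends in EOF is a separate thing to look at on the server side.
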
uheee commented 2 years ago

It does not work for me. Is it because curl and .NET HttpClient do not recognize PKCS11 certificates?

BorisWilhelms commented 2 years ago

I cannot reproduce this issue. Since this issue is quite old, I will close it. Feel free to open a new issue if you have any problems.