RicoSuter / NSwag

The Swagger/OpenAPI toolchain for .NET, ASP.NET Core and TypeScript.
http://NSwag.org
MIT License

Bypass invalid SSL-checks for NSwag CLI / MSBuild #3064

Open RasmusWesterlundh opened 4 years ago

RasmusWesterlundh commented 4 years ago

We're using NSwag.MSBuild as part of our build process to update and generate clients from OpenAPI specs before building new versions. Some of these OAPI specs are published on servers using self-signed SSL certs (test/dev servers). This breaks our build process, as NSwag CLI currently can't bypass SSL checks and fails with:

Executing file 'generation/dto.nswag' with variables 'Configuration=Debug'... System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

This was fixed for NSwag Studio here https://github.com/RicoSuter/NJsonSchema/issues/908 - any chance of enabling an optional SSL bypass for CLI as well?

RicoSuter commented 4 years ago

I'm not very keen on disabling security... as a workaround you can download the file outside of the CLI for now (e.g. via PowerShell) and pass it in via relative path.

What do you think @jeremyVignelles?

jeremyVignelles commented 4 years ago

I'm not in favor of a "disable SSL checks" option, but open for a "select certificate" option.

Advanced scenarios might want to download the file as you suggested, but I don't know if there is any difference between a local JSON file and a file downloaded by NSwag directly.
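The two ideas discussed above (fetch the spec outside the CLI, and trust one selected certificate instead of switching validation off) can be combined in a small pre-build step. This is an added example, not part of the thread and not NSwag code; the URL, output path and thumbprint placeholder are assumptions, and it targets .NET 5 or later.

```csharp
// Added example: download an OpenAPI spec from a server with a self-signed
// certificate by pinning that one certificate, then save it for NSwag.
using System;
using System.IO;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;

static class PinnedSpecDownload
{
    // Placeholder: SHA-256 fingerprint of the dev server certificate as hex without colons,
    // e.g. taken from `openssl x509 -in dev.crt -noout -fingerprint -sha256`.
    const string PinnedSha256 = "<SHA256-FINGERPRINT-OF-DEV-CERT>";

    static async Task<int> Main(string[] args)
    {
        // Hypothetical defaults; pass the real URL and output path as arguments.
        var url = args.Length > 0 ? args[0] : "https://dev.example.test/swagger/v1/swagger.json";
        var outPath = args.Length > 1 ? args[1] : "generation/openapi.json";

        using var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (_, cert, _, errors) =>
            {
                if (errors == SslPolicyErrors.None) return true; // chain already trusted
                if (cert is null) return false;
                // Accept an otherwise untrusted certificate only if it is exactly the pinned one.
                var actual = Convert.ToHexString(SHA256.HashData(cert.RawData));
                return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
            }
        };
        using var client = new HttpClient(handler);

        var body = await client.GetStringAsync(url);
        using var doc = JsonDocument.Parse(body); // throws if the response is not JSON
        var root = doc.RootElement;
        if (root.ValueKind != JsonValueKind.Object ||
            (!root.TryGetProperty("openapi", out _) && !root.TryGetProperty("swagger", out _)))
        {
            Console.Error.WriteLine("Response is not an OpenAPI/Swagger document.");
            return 1;
        }
        Directory.CreateDirectory(Path.GetDirectoryName(Path.GetFullPath(outPath))!);
        await File.WriteAllTextAsync(outPath, body);
        return 0;
    }
}
```

Run it before the NSwag step and reference the saved file by relative path; any certificate other than the pinned one still fails validation, so a swapped or intercepted endpoint breaks the build instead of feeding it a different spec.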

FinHorsley commented 3 years ago

I'm not in favor of a "disable SSL checks" option, but open for a "select certificate" option.

If this was an optional parameter (disabled by default) would this still be a security problem? Similar to @RasmusWesterlundh, we have multiple test/dev systems that use self-signed certificates, and being able to just bypass certificate validation would be easier than having to select certificates for each.

J-Sek commented 2 years ago

I'm not in favor of...

Sure, whatever. Unfortunately it is not yet that straightforward to make everyone "trust" dotnet certificates on a local environment on Linux. I went with one of the solutions and put the necessary files in ~/.pki/nssdb. So my browser is not making problems.

How do I force NSwag CLI to use the same information and trust my self-signed certificate?

hisuwh commented 1 month ago

@RasmusWesterlundh @J-Sek did either of you find a solution/workaround to this?

We've just changed our app to use WebApplication.CreateBuilder and are now experiencing this.

J-Sek commented 1 month ago

did either of you find a solution/workaround to this?

chrome://flags » Allow invalid certificates for resources loaded from localhost.

...and you only need to ignore the red "Not secure" in the address bar.

hisuwh commented 1 month ago

Chrome flags aren't going to help in the NSwag CLI.

J-Sek commented 1 month ago

Chrome flags aren't going to help in the NSwag CLI.

Oh... yeah, sorry. It's been a while and I forgot that this problem has 2 layers. You can check the notes I follow every time I set up a new environment.