abpframework / abp

Open-source web application framework for ASP.NET Core! Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET. Provides the fundamental infrastructure, cross-cutting-concern implementations, startup templates, application modules, UI themes, tooling and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Opendict Certificate fail at X509CopyWithPrivateKey at macOS Sequoia #20920

Open thebigkhaled opened 1 day ago

thebigkhaled commented 1 day ago

Description

I’m encountering an issue with a newly generated project after updating to macOS Sequoia (15). After completing the migration successfully, the problem arises when attempting to run the project. Initially, I had trouble with .NET certificate generation, but I was able to resolve that by following the workaround for CertificateRequest.CreateSelfSigned on macOS Sequoia.

CertificateRequest.CreateSelfSigned fails on macOS Sequoia

Even after successfully generating the development certificate, I’m still encountering an error related to the OpenIddict certificate. I suspect this is due to macOS Sequoia’s updated security policies. While the workaround works fine for .NET APIs, it doesn’t seem to resolve the issue for Abp projects.

.NET is expected to release an emergency update in October to address this problem, but in the meantime, does anyone have suggestions for a fix?

Exception thrown: 'Volo.Abp.AbpInitializationException' in System.Private.CoreLib.dll: 'An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=8.3.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.'

 Inner exceptions found, see $exception in variables window for more details.
 Innermost exception     Interop.AppleCrypto.AppleCommonCryptoCryptographicException : The specified item is no longer valid. It may have been deleted from the keychain.
   at Interop.AppleCrypto.X509CopyWithPrivateKey(SafeSecCertificateHandle certHandle, SafeSecKeyRefHandle privateKeyHandle, SafeKeychainHandle targetKeychain)
   at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(SafeSecKeyRefHandle privateKey)
   at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(RSA privateKey)
   at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.CopyWithPrivateKey(X509Certificate2 certificate, RSA privateKey)
   at System.Security.Cryptography.X509Certificates.CertificateRequest.CreateSelfSigned(DateTimeOffset notBefore, DateTimeOffset notAfter)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate(X500DistinguishedName subject)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate()
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
   at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
   at Volo.Abp.AbpApplicationBase.<ConfigureServicesAsync>d__29.MoveNext()

Reproduction Steps

  1. Generate a new application using the CLI on macOS Sequoia (the connection string is quoted so the shell does not split it at the semicolons):

    abp new newApp -csf -u angular -m react-native --skip-migrations --skip-migrator -d ef -cs "Server=localhost,1433;User ID=SA;Password=Pass@1234;Database=MainDB;Encrypt=false;TrustServerCertificate=true;"
  2. Run the migration and then run the app

Expected behavior

No response

Actual behavior

No response

Regression?

No response

Known Workarounds

1. Download the tar.gz version of the nightly build of the upcoming dotnet; it can be found in [package-table.md](https://github.com/dotnet/sdk/blob/main/documentation/package-table.md)
2. Unpack it
3. Go to that unpacked folder
4. Run ./dotnet dev-certs https --trust (it's important to use ./, otherwise it uses the installed dotnet)

Version

8.3.1

User Interface

React Native

Database Provider

EF Core (Default)

Tiered or separate authentication server

Tiered

Operation System

macOS

Other information

No response

thebigkhaled commented 1 day ago

I found a workaround: use the production certificate by running dotnet dev-certs https -v -ep openiddict.pfx -p db1e01bd-e51c-4345-8255-c789e345940a --trust, then change the environment to production in

        if (true)
        {
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
            {
                options.AddDevelopmentEncryptionAndSigningCertificate = false;
            });

            PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
            {
                serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "db1e01bd-e51c-4345-8255-c789e345940a");
                serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
            });
        }
faresbouzayen commented 1 day ago

Update to the Latest .NET SDK: Ensure you are using the latest .NET SDK that might have fixes for macOS Sequoia issues. Regularly check the official .NET GitHub repository for updates.

Modify Configuration:

If using the workaround with the production certificate, make sure to set the environment correctly in your configuration:

        if (true)
        {
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
            {
                options.AddDevelopmentEncryptionAndSigningCertificate = false;
            });

            PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
            {
                serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "db1e01bd-e51c-4345-8255-c789e345940a");
                serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
            });
        }

File a Detailed Bug Report: If not already done, consider filing a bug report on the .NET repository, including all the details and your findings. This can help improve future updates and potentially address your issue more promptly.

Community Support: Engage with the ABP community or relevant forums for any potential fixes or shared experiences from other developers facing similar issues.

Review Keychain Access: Since the error indicates that the certificate may have been deleted from the keychain, ensure that the certificate exists and is accessible in your macOS Keychain. You may need to re-add it if it's missing.
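
A more defensive form of the PFX workaround shown in the two comments above, added here as an example and not code from the issue's authors or the ABP project: it keeps the template's environment check instead of `if (true)`, reads the PFX path and password from configuration rather than hardcoding the password in source, and checks that the file exists, carries a private key and is unexpired before handing it to OpenIddict. The keys AuthServer:CertificatePath and AuthServer:CertificatePassword are assumed names; the ABP GetConfiguration/GetHostingEnvironment helpers and the OpenIddict AddEncryptionCertificate/AddSigningCertificate overloads are existing APIs.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Volo.Abp.Modularity;
using Volo.Abp.OpenIddict;

// Goes into the AuthServer module class (an AbpModule) in place of the `if (true)` block above.
public override void PreConfigureServices(ServiceConfigurationContext context)
{
    var hostingEnvironment = context.Services.GetHostingEnvironment();
    var configuration = context.Services.GetConfiguration();
    // Keep the template's environment gate instead of `if (true)`; on Sequoia run the app with
    // ASPNETCORE_ENVIRONMENT=Production (or Staging) to take this branch locally.
    if (!hostingEnvironment.IsDevelopment())
    {
        // Assumed configuration keys: path from appsettings, password from user-secrets or an
        // environment variable, so the PFX password is never committed with the source.
        var pfxPath = configuration["AuthServer:CertificatePath"] ?? "openiddict.pfx";
        var pfxPassword = configuration["AuthServer:CertificatePassword"]
            ?? throw new InvalidOperationException("AuthServer:CertificatePassword is not set.");
        var certificate = LoadAndCheckCertificate(pfxPath, pfxPassword);

        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });
        PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
        {
            // OpenIddict's own overloads take an X509Certificate2; one cert serves both roles here.
            serverBuilder.AddEncryptionCertificate(certificate);
            serverBuilder.AddSigningCertificate(certificate);
            serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
        });
    }
}

// Fail fast with a readable message instead of a keychain error deep in ConfigureServicesAsync.
private static X509Certificate2 LoadAndCheckCertificate(string path, string password)
{
    if (!File.Exists(path))
        throw new FileNotFoundException($"OpenIddict certificate not found: {path}", path);
    var cert = new X509Certificate2(path, password);
    if (!cert.HasPrivateKey)
        throw new InvalidOperationException($"{path} has no private key; re-export it with dev-certs -ep/-p.");
    if (cert.NotAfter < DateTime.Now)
        throw new InvalidOperationException($"{path} expired on {cert.NotAfter:u}; regenerate it.");
    return cert;
}
```

The dev-certs certificate is still a self-signed development certificate; this only avoids the CreateSelfSigned keychain path while keeping the password out of the repository.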