dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

HTTPS requests fail with "The ASP.NET Core developer certificate is in an invalid state." #18236

Closed georgiyordanov closed 4 years ago

georgiyordanov commented 4 years ago

Describe the bug

Migrated an aspnet core app from .Net Core 2.2 to .Net Core 3.1 and now requests to the app fail with

```text
 The ASP.NET Core developer certificate is in an invalid state. To fix this issue, run the following commands 'dotnet dev-certs https --clean' and 'dotnet dev-certs https' to remove all existing ASP.NET Core development certificates and create a new untrusted developer certificate. On macOS or Windows, use 'dotnet dev-certs https --trust' to trust the new certificate.
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+AppleCrypto+SslException: Internal error
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__69_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
   at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.InnerOnConnectionAsync(ConnectionContext context)
fail: Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware[3]
```

Things I tried without success:

1) `dotnet dev-certs https --clean`, `dotnet dev-certs https` and `dotnet dev-certs https --trust` as described in the exception

2) manually deleting the certificates from the keychain and then running `dotnet dev-certs https --trust`

3) uninstalling all .NET versions with the dotnet-core-uninstall tool and installing only .NET Core 3.1, then repeating 1) and 2)

I tried to debug the framework code, and the underlying exception in `CertificateManager.CheckDeveloperCertificateKey` is

```text
The operation couldn’t be completed. (OSStatus error -2147416032 - CSSMERR_CSP_OPERATION_AUTH_DENIED)
```

It looks like this may be related to https://github.com/dotnet/aspnetcore/pull/17581

To Reproduce

```shell
dotnet new mvc
dotnet run
open "https://localhost:5001/"
```

Further technical details

```text
Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  10.13
 OS Platform: Darwin
 RID:         osx.10.13-x64
 Base Path:   /usr/local/share/dotnet/sdk/3.1.100/

Host (useful for support):
  Version: 3.1.0
  Commit:  65f04fb6db

.NET Core SDKs installed:
  3.1.100 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
```

- The IDE (VS / VS Code / VS4Mac) you're running on, and its version

Happens in terminal with `dotnet run` and in VS Code as well.

VS Code version:

```text
Version: 1.41.1
Commit: 26076a4de974ead31f97692a0d32f90d735645c0
Date: 2019-12-18T14:57:51.166Z
Electron: 6.1.5
Chrome: 76.0.3809.146
Node.js: 12.4.0
V8: 7.6.303.31-electron.0
OS: Darwin x64 17.7.0
```

analogrelay commented 4 years ago

> It looks like this may be related to #17581

It shouldn't be, that's only needed for macOS Catalina (10.15).

@javiercn do you know what might be going on here?

javiercn commented 4 years ago

@anurse it could be.

Try adding

```xml
<PropertyGroup>
  <UseAppHost>false</UseAppHost>
</PropertyGroup>
```

to see if that fixes the issue with dotnet run.
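The failing call in the original report sits inside Kestrel's developer-certificate lookup (`CertificateManager.CheckDeveloperCertificateKey`), which Kestrel only performs when no HTTPS certificate has been configured explicitly. The following `Program.cs` is an added example, not code from this thread or from the aspnetcore project: it points Kestrel at a PFX file of your own, so the developer-certificate check is never reached. The `DEV_PFX_PATH` and `DEV_PFX_PASSWORD` environment variable names are assumptions made for the example, and `Startup` is the class the `dotnet new mvc` template generates.

```csharp
// Added example (not from the issue thread): an ASP.NET Core 3.1 Program.cs that serves
// HTTPS from an explicitly configured PFX instead of the ASP.NET Core developer certificate.
// Assumptions: the PFX path is in the DEV_PFX_PATH environment variable and its password in
// DEV_PFX_PASSWORD; both variable names are made up for this example.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
                webBuilder.ConfigureKestrel(kestrel =>
                {
                    var cert = LoadDevCertificate();
                    // Bind to loopback only: a development certificate should never be
                    // reachable from the network.
                    kestrel.ListenLocalhost(5000);
                    kestrel.ListenLocalhost(5001, listen => listen.UseHttps(cert));
                });
            });

    // Loads the certificate from disk and refuses to start if it is missing, has no private
    // key, or has expired. Failing closed is deliberate: silently falling back to plain HTTP
    // would hide the misconfiguration instead of surfacing it.
    private static X509Certificate2 LoadDevCertificate()
    {
        var path = Environment.GetEnvironmentVariable("DEV_PFX_PATH")
                   ?? throw new InvalidOperationException("DEV_PFX_PATH is not set.");
        var password = Environment.GetEnvironmentVariable("DEV_PFX_PASSWORD");
        if (!File.Exists(path))
            throw new FileNotFoundException("Development certificate not found.", path);

        var cert = new X509Certificate2(path, password);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("The PFX does not contain a private key.");
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"Certificate expired on {cert.NotAfter:u}.");
        return cert;
    }
}
```

A PFX for this can be produced with `dotnet dev-certs https -ep <path> -p <password>` or with `openssl`, and the same effect is available without code by setting `Kestrel:Certificates:Default:Path` and `Kestrel:Certificates:Default:Password` in `appsettings.Development.json`. Either way the browser still has to trust the certificate; the example only removes the keychain lookup from the server's startup path.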

rmcwhae commented 4 years ago

Adding `<UseAppHost>false</UseAppHost>` fixed it for me (following the same steps as the OP to reproduce the issue, with new certificates).

Output of `dotnet --info`:

```text
.NET Core SDK (reflecting any global.json):
 Version:   3.1.100
 Commit:    cd82f021f4

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  10.15
 OS Platform: Darwin
 RID:         osx.10.15-x64
 Base Path:   /usr/local/share/dotnet/sdk/3.1.100/

Host (useful for support):
  Version: 3.1.0
  Commit:  65f04fb6db

.NET Core SDKs installed:
  3.1.100 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.14 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.8 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.0.1 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
```

javiercn commented 4 years ago

This is the notarization issue on OS X. This is a known issue and we are working on a fix.

javiercn commented 4 years ago

We can close this as it’s a dupe.

georgiyordanov commented 4 years ago

I can confirm that `<UseAppHost>false</UseAppHost>` fixed the issue for me as well. Thanks!

analogrelay commented 4 years ago

Ok, closing this then. We're very well aware of issues with certificates on macOS Catalina and are working on a fix. The workaround @javiercn indicated should help resolve this issue while we fix the underlying problem.

SkymanOne commented 4 years ago

> @anurse it could be.
>
> Try adding
>
> ```xml
> <PropertyGroup>
>   <UseAppHost>false</UseAppHost>
> </PropertyGroup>
> ```
>
> to see if that fixes the issue with dotnet run.

Works for me. It seems like the problem hasn’t been fixed in the .NET Core 3.1.101 build though.

jacknugent commented 4 years ago

FYI, the solution:

```xml
<PropertyGroup>
  <UseAppHost>false</UseAppHost>
</PropertyGroup>
```

Worked for me on Catalina only. It did not work on Mojave.

Does anyone know why this solution works?

joshpearce commented 4 years ago

Is this an issue with the dev certificate generation/installation or in the SslStream class? Because I get this same error when using an HttpClient to make an HTTPS request to a local aspnet core app or to any HTTPS URL when using the Burp proxy, which requires installing a root cert in the keychain.

I'm just wondering if I need to open a bug with PortSwigger about this, or if the fix in .NET core will take care of it.

javiercn commented 4 years ago

Hi.

It looks like you are posting on a closed issue!

We're very likely to lose track of your bug/feedback/question unless you:

  1. Open a new issue
  2. Explain very clearly what you need help with
  3. If you think you have found a bug, include detailed repro steps so that we can investigate the problem

joshpearce commented 4 years ago

@javiercn:

I have dotnet 3.1.102 installed on macOS Mojave 10.14.6.

I have self-signed SSL certificates installed in my Keychain. Chrome and Safari are fine with these certificates. But when I make an HTTP request in C#, using .NET Core, to a website that uses one of those certs, I get a very similar stack trace to the one in this issue, where `System.Net.Security.SslStream.StartSendAuthResetSignal` ultimately throws an exception stating, "the remote certificate is invalid according to the validation procedure."

I'm asking here, since the "dup" issue doesn't really explain the problem in a way that I understand.

My question is: Is #17581 about dotnet core being unable to read or utilize self-signed certs that are added to the keychain? Or do I have a novel issue?
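The client-side error quoted in the comment above ("the remote certificate is invalid according to the validation procedure") is raised by `HttpClientHandler`'s default chain validation, which can be overridden per client without disabling validation globally. The following is an added example, not code from this thread or from the aspnetcore project: it accepts exactly one self-signed development certificate, identified by its SHA-1 thumbprint, and still rejects every other validation failure (name mismatch, missing certificate, any other host). The `PinnedThumbprint` value is a placeholder, and the example does not address the server-side keychain failure in the original report.

```csharp
// Added example (not from the issue thread): an HttpClient that trusts one specific
// self-signed development certificate by thumbprint instead of turning validation off
// with DangerousAcceptAnyServerCertificateValidator.
// PLACEHOLDER: replace PinnedThumbprint with the SHA-1 fingerprint of your own cert,
// e.g. from `openssl x509 -in dev.crt -noout -fingerprint -sha1` with the colons removed.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class PinnedDevClient
{
    private const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    // Decides whether a presented certificate is acceptable. Only an untrusted-chain
    // error is tolerated, and only for the one pinned certificate; every other policy
    // error (wrong host name, no certificate at all) is still a hard failure.
    public static bool IsAcceptable(X509Certificate2 cert, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true; // normal chain validation succeeded

        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;

        return cert != null &&
               string.Equals(cert.Thumbprint, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                var ok = IsAcceptable(cert, errors);
                if (!ok)
                {
                    // Log what was rejected so a wrong thumbprint or host name is diagnosable.
                    Console.Error.WriteLine(
                        $"TLS rejected for {request.RequestUri.Host}: {errors}, thumbprint {cert?.Thumbprint}");
                }
                return ok;
            }
        };
        return new HttpClient(handler);
    }

    public static async Task Main()
    {
        using var client = Create();
        var body = await client.GetStringAsync("https://localhost:5001/");
        Console.WriteLine($"Received {body.Length} bytes.");
    }
}
```

`X509Certificate2.Thumbprint` returns the SHA-1 hash as uppercase hex without separators, which is why the comparison is case-insensitive and the `openssl` output needs its colons stripped. Because the pin is tied to one certificate, regenerating the development certificate requires updating the constant; that is the intended trade-off against accepting arbitrary certificates.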

gitleet commented 4 years ago

I want to run with just HTTP, not HTTPS. I added the property group and it still fails with an error. I'm running 10.13.6 (High Sierra)

dotnet 3.0.1

In Startup I have commented out `app.UseHttpsRedirection();`. I added the property group `<UseAppHost>false</UseAppHost>` in my project.

Any tips?