@Annny-Cap-Daniel Can you please try again with the `--verbose` flag? It won't fix the problem, but it should provide more information about what's going wrong. Please run `dotnet dev-certs https --clean --verbose` and then `dotnet dev-certs https --verbose`.
Thanks for your prompt reply!
`dotnet dev-certs https --clean --verbose` outputs:
Cleaning HTTPS development certificates from the machine. This operation might require elevated privileges. If that is the case, a prompt for credentials will be displayed.
[1] Listing certificates from CurrentUser\My
[2] Found certificates: no certificates
[6] Finished listing certificates.
[8] Filtered certificates: no certificates
[9] Excluded certificates: no certificates
HTTPS development certificates successfully removed from the machine.
and `dotnet dev-certs https --verbose` outputs:
[1] Listing certificates from CurrentUser\My
[2] Found certificates: no certificates
[3] Checking certificates validity
[4] Valid certificates: no certificates
[5] Invalid certificates: no certificates
[6] Finished listing certificates.
[1] Listing certificates from CurrentUser\My
[2] Found certificates: no certificates
[3] Checking certificates validity
[4] Valid certificates: no certificates
[5] Invalid certificates: no certificates
[6] Finished listing certificates.
[1] Listing certificates from LocalMachine\My
[2] Found certificates: no certificates
[3] Checking certificates validity
[4] Valid certificates: no certificates
[5] Invalid certificates: no certificates
[6] Finished listing certificates.
[8] Filtered certificates: no certificates
[9] Excluded certificates: no certificates
[16] No valid certificates found.
[17] Generating HTTPS development certificate.
[19] An error has occurred generating the certificate: Interop+AppleCrypto+AppleCommonCryptoCryptographicException: The specified item is no longer valid. It may have been deleted from the keychain.
at Interop.AppleCrypto.X509CopyWithPrivateKey(SafeSecCertificateHandle certHandle, SafeSecKeyRefHandle privateKeyHandle, SafeKeychainHandle targetKeychain)
at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(SafeSecKeyRefHandle privateKey)
at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(RSA privateKey)
at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.CopyWithPrivateKey(X509Certificate2 certificate, RSA privateKey)
at System.Security.Cryptography.X509Certificates.CertificateRequest.CreateSelfSigned(DateTimeOffset notBefore, DateTimeOffset notAfter)
at Microsoft.AspNetCore.Certificates.Generation.CertificateManager.CreateSelfSignedCertificate(X500DistinguishedName subject, IEnumerable`1 extensions, DateTimeOffset notBefore, DateTimeOffset notAfter)
at Microsoft.AspNetCore.Certificates.Generation.CertificateManager.CreateAspNetCoreHttpsDevelopmentCertificate(DateTimeOffset notBefore, DateTimeOffset notAfter)
at Microsoft.AspNetCore.Certificates.Generation.CertificateManager.EnsureAspNetCoreHttpsDevelopmentCertificate(DateTimeOffset notBefore, DateTimeOffset notAfter, String path, Boolean trust, Boolean includePrivateKey, String password, CertificateKeyExportFormat keyExportFormat, Boolean isInteractive).
There was an error creating the HTTPS developer certificate.
I'm getting the same thing. Same exact output.
@sh0knah Are you also on Sequoia? I think we had some other cert problems when 14.4.4 came out, so it could be a system API change that we need to react to.
@vcsjones Could this be another change on Apple's end?
Possibly relevant: https://github.com/dotnet/aspnetcore/issues/19590#issuecomment-881652003
I am on Sequoia. Beta 7.
What happens if you run this console app?
```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Same shape as the ASP.NET Core dev cert: CN=localhost with a DNS SAN for localhost.
var subject = new X500DistinguishedName("CN=localhost");
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("localhost");

// Key usage and EKU of a TLS server certificate, all marked critical.
var keyUsage = new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, critical: true);
var enhancedKeyUsage = new X509EnhancedKeyUsageExtension(
    [ new Oid("1.3.6.1.5.5.7.3.1", "Server Authentication") ],
    critical: true);
// End-entity certificate, not a CA.
var basicConstraints = new X509BasicConstraintsExtension(
    certificateAuthority: false,
    hasPathLengthConstraint: false,
    pathLengthConstraint: 0,
    critical: true);

// Ephemeral RSA key; on macOS this is backed by SecurityTransforms.
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(basicConstraints);
request.CertificateExtensions.Add(keyUsage);
request.CertificateExtensions.Add(enhancedKeyUsage);
request.CertificateExtensions.Add(sanBuilder.Build());

var notBefore = DateTimeOffset.UtcNow.AddDays(1);
var notAfter = notBefore.AddDays(1);
// CreateSelfSigned calls CopyWithPrivateKey internally, which is where the exception surfaces.
using var cert = request.CreateSelfSigned(notBefore, notAfter);
Console.WriteLine(cert is not null);
```
It creates a cert that's similar to the dev cert without all the extra baggage of being a dotnet tool.
I'm on MacOS Sequoia (15.0 Beta 24A5327a).
Just ran the sample console app and get the same exception as in the dotnet tool:
Interop+AppleCrypto+AppleCommonCryptoCryptographicException: The specified item is no longer valid. It may have been deleted from the keychain.
at Interop.AppleCrypto.X509CopyWithPrivateKey(SafeSecCertificateHandle certHandle, SafeSecKeyRefHandle privateKeyHandle, SafeKeychainHandle targetKeychain)
at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(SafeSecKeyRefHandle privateKey)
at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(RSA privateKey)
at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.CopyWithPrivateKey(X509Certificate2 certificate, RSA privateKey)
at System.Security.Cryptography.X509Certificates.CertificateRequest.CreateSelfSigned(DateTimeOffset notBefore, DateTimeOffset notAfter)
at Program.<Main>$(String[] args) in /Users/user/Projects/ConsoleApp1/ConsoleApp1/Program.cs:line 28
And what if you change this?
-certificateAuthority: false,
+certificateAuthority: true,
same exception unfortunately.
That's actually good news because it means they haven't decided they don't like the slightly unusual shape of our certificate.
Moving this to dotnet/runtime now that there's a repro not involving aspnetcore.
I don't know when we're going to have a chance to look at this (not "indefinitely far", but probably "at least several days away"). We have a few small fires to deal with for the .NET 9 release on already in-market OSes, and are super-saturated on those tasks.
If anyone from the community at large wants to jump in and help debug what's going on, that'd be appreciated.
First, try enabling verbose logging to get more detailed error messages:
```
export DOTNET_CLI_TELEMETRY_OPTOUT=1
export DOTNET_MULTILEVEL_LOOKUP=0
dotnet dev-certs https --trust --verbose
```
Several common troubleshooting steps would include clearing existing certificates manually, or using the `security` command to list and delete any certificates related to localhost or dotnet:
```
security find-certificate -a
security delete-certificate -c "ASP.NET Core HTTPS development certificate"
```
Also, did you ensure that your user account has the necessary permissions to access the keychain? Have you tried creating a certificate manually using openssl?
same problem: Mac OS Sequoia Version 15.0 Beta (24A5327a)
dotnet dev-certs https --trust --verbose
[1] Listing certificates from CurrentUser\My
[2] Found certificates: no certificates
[3] Checking certificates validity
[4] Valid certificates: no certificates
[5] Invalid certificates: no certificates
[6] Finished listing certificates.
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'security add-trusted-cert -p basic -p ssl -k <
[1] Listing certificates from CurrentUser\My
[2] Found certificates: no certificates
[3] Checking certificates validity
[4] Valid certificates: no certificates
[5] Invalid certificates: no certificates
[6] Finished listing certificates.
[1] Listing certificates from LocalMachine\My
[2] Found certificates: no certificates
[3] Checking certificates validity
[4] Valid certificates: no certificates
[5] Invalid certificates: no certificates
[6] Finished listing certificates.
[8] Filtered certificates: no certificates
[9] Excluded certificates: no certificates
[16] No valid certificates found.
[17] Generating HTTPS development certificate.
[19] An error has occurred generating the certificate: Interop+AppleCrypto+AppleCommonCryptoCryptographicException: The specified item is no longer valid. It may have been deleted from the keychain.
at Interop.AppleCrypto.X509CopyWithPrivateKey(SafeSecCertificateHandle certHandle, SafeSecKeyRefHandle privateKeyHandle, SafeKeychainHandle targetKeychain)
at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(SafeSecKeyRefHandle privateKey)
at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(RSA privateKey)
at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.CopyWithPrivateKey(X509Certificate2 certificate, RSA privateKey)
at System.Security.Cryptography.X509Certificates.CertificateRequest.CreateSelfSigned(DateTimeOffset notBefore, DateTimeOffset notAfter)
at Microsoft.AspNetCore.Certificates.Generation.CertificateManager.CreateSelfSignedCertificate(X500DistinguishedName subject, IEnumerable`1 extensions, DateTimeOffset notBefore, DateTimeOffset notAfter)
at Microsoft.AspNetCore.Certificates.Generation.CertificateManager.CreateAspNetCoreHttpsDevelopmentCertificate(DateTimeOffset notBefore, DateTimeOffset notAfter)
at Microsoft.AspNetCore.Certificates.Generation.CertificateManager.EnsureAspNetCoreHttpsDevelopmentCertificate(DateTimeOffset notBefore, DateTimeOffset notAfter, String path, Boolean trust, Boolean includePrivateKey, String password, CertificateKeyExportFormat keyExportFormat, Boolean isInteractive).
There was an error creating the HTTPS developer certificate.
This almost certainly looks like another lifetime issue. I should be able to take a look by the end of the week.
Before I get to it, any chance someone can try on .NET 9 preview 7 (or later)?
Okay, curiosity took over so I had a peek.
The "good news" is that our unit tests fail and reproduce the issue:
Interop+AppleCrypto+AppleCommonCryptoCryptographicException : The specified item is no longer valid. It may have been deleted from the keychain.
Stack Trace:
at Interop.AppleCrypto.X509CopyWithPrivateKey(SafeSecCertificateHandle certHandle, SafeSecKeyRefHandle privateKeyHandle, SafeKeychainHandle targetKeychain) in /Users/vcsjones/Projects/runtime/src/libraries/Common/src/Interop/OSX/System.Security.Cryptography.Native.Apple/Interop.X509.macOS.cs:line 279
at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(SafeSecKeyRefHandle privateKey) in /Users/vcsjones/Projects/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/AppleCertificatePal.Keys.macOS.cs:line 199
at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(RSA privateKey) in /Users/vcsjones/Projects/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/AppleCertificatePal.Keys.macOS.cs:line 131
at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.CopyWithPrivateKey(X509Certificate2 certificate, RSA privateKey) in /Users/vcsjones/Projects/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/RSACertificateExtensions.cs:line 53
at System.Security.Cryptography.X509Certificates.CertificateRequest.CreateSelfSigned(DateTimeOffset notBefore, DateTimeOffset notAfter) in /Users/vcsjones/Projects/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/CertificateRequest.cs:line 519
at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CertificateRequestChainTests.CreateAndTestChain(AsymmetricAlgorithm rootPrivKey, AsymmetricAlgorithm intermed1PrivKey, AsymmetricAlgorithm intermed2PrivKey, AsymmetricAlgorithm leafPubKey) in /Users/vcsjones/Projects/runtime/src/libraries/System.Security.Cryptography/tests/X509Certificates/CertificateCreation/CertificateRequestChainTests.cs:line 388
at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CertificateRequestChainTests.CreateChain_RSA() in /Users/vcsjones/Projects/runtime/src/libraries/System.Security.Cryptography/tests/X509Certificates/CertificateCreation/CertificateRequestChainTests.cs:line 43
The other "good news" is that this is the only thing that fails on macOS 15.
This is a behavioral change for macOS 15. I have a fix put up for it, but unfortunately there is no reasonable workaround at the moment.
The core of the issue is that `X509Certificate2.CopyWithPrivateKey` does not work for RSA/ECDSA when the private key is an ephemeral key that was created or imported into the internal `Algorithm.Create()`. On macOS, that is `SecurityTransforms`. `CertificateRequest` uses this API itself, which is why it fails.
Sent from my iPhone
On 27 August 2024 at 19:01, Larry Ewing wrote:
Closed #106775 (https://github.com/dotnet/runtime/issues/106775) as completed via #106973 (https://github.com/dotnet/runtime/pull/106973).
@lewing @vcsjones Just confirming, this is not getting fixed in RC1?
@adityamandaleeka the fix is not present in the `release/9.0-rc1` branch, so no.
Hey, same error on the macOS Sequoia final version!
Yep. This will be fixed in the October patch cycle for .NET. See the corresponding announcement for additional information.
Any update or workaround here? Our team is blocked because of this. Should we just reinstall the old version of macOS just to have this command work: `dotnet dev-certs https --trust`?
I am not aware of any workarounds. If downgrading is an option, that seems reasonable. The only other option would be to wait until the October release of .NET.
This shouldn't be closed until there is a release out the door. And someone internal should be making the call to release an emergency patch release .402 that fixes this.
Agreed. Otherwise, pointing to some documented steps on how to manually generate the certificate and import it using the dotnet CLI would be better than a "wait until the October update train" hand-wave.
We don't all have the luxury of not upgrading to Apple's latest OS because we're not all just dotnet developers.
So all the users of the modern macOS are blocked from using .NET and you just tell them to wait for the October release? Guys, it looks like a critical issue and the fix should be deployed in hours, not even days...
Don't think it's the best, but it works for the time being. Generating a self-signed crt + key, converting it to a pfx and then configuring the app to use that.
appsettings.Development.json:
```json
"Kestrel": {
  "Endpoints": {
    "Https": {
      "Url": "https://localhost:7209",
      "Certificate": {
        "Path": "../Certs/localhost.pfx"
      }
    }
  }
}
```
At least I can now continue development.
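The openssl route described in the comment above, written out as an added example (this is not code from the thread or from the dotnet repositories). It generates the key pair and self-signed certificate entirely in files, so nothing goes through `CertificateRequest.CreateSelfSigned` or the macOS keychain key lifetime rules that the failing stack traces pass through, then bundles the result into a PFX Kestrel can load. It assumes `openssl` (1.1.1 or 3.x) is on PATH; the output directory, the `example-password` passphrase and the function names are assumptions for illustration. The `trust_cert` helper mirrors the `security add-trusted-cert -p basic -p ssl -k ...` invocation shown in the `--trust --verbose` output earlier in the thread and is macOS-only; the rest runs anywhere openssl does.

```shell
#!/bin/sh
# Added example, not from the thread: build a localhost dev cert with openssl
# and export it as a PKCS#12 file for Kestrel. Paths and password are hypothetical.
set -eu

# make_localhost_pfx DIR PASSWORD
# Writes DIR/localhost.key, DIR/localhost.crt and DIR/localhost.pfx.
# The certificate carries the same extensions as the ASP.NET Core dev cert:
# CN=localhost, SAN DNS:localhost, KU digitalSignature+keyEncipherment,
# EKU serverAuth, CA:FALSE.
make_localhost_pfx() {
    dir=$1
    password=$2
    mkdir -p "$dir"
    cat > "$dir/localhost.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_localhost
prompt = no
[dn]
CN = localhost
[v3_localhost]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectAltName = DNS:localhost
EOF
    # Key and self-signed cert in one step. The key lives in a PEM file, not in
    # a keychain, so no SecItem handle can go stale underneath us.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$dir/localhost.key" -out "$dir/localhost.crt" \
        -config "$dir/localhost.cnf" >/dev/null 2>&1
    # Bundle key + cert into a password-protected PFX for Kestrel.
    openssl pkcs12 -export -inkey "$dir/localhost.key" -in "$dir/localhost.crt" \
        -out "$dir/localhost.pfx" -passout "pass:$password"
}

# cert_has_localhost_san CERTFILE: 0 if the SAN extension lists DNS:localhost.
# Browsers and HttpClient match on the SAN, not the CN, so this is the check that matters.
cert_has_localhost_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:localhost'
}

# pfx_is_loadable PFXFILE PASSWORD: 0 if the PFX parses and its MAC verifies
# with the given password (what Kestrel will do at startup).
pfx_is_loadable() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# trust_cert CERTFILE: macOS only. Adds the cert to the login keychain as trusted
# for SSL, the same thing `dotnet dev-certs https --trust` runs; prompts for the
# keychain password.
trust_cert() {
    security add-trusted-cert -p basic -p ssl \
        -k "$HOME/Library/Keychains/login.keychain-db" "$1"
}
```

After `make_localhost_pfx ./Certs example-password`, point Kestrel at the file either through the `Kestrel:Endpoints:Https:Certificate` block in appsettings.Development.json (add a `"Password"` next to `"Path"`, since this PFX is passphrase-protected) or through the environment variables `ASPNETCORE_Kestrel__Certificates__Default__Path` and `ASPNETCORE_Kestrel__Certificates__Default__Password`. Keep the `.key` and `.pfx` out of source control; the cert is only as private as that key.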
It helps me run the webapp (but I had to add config in Program.cs), but I still can't make requests from the Android emulator. I am shocked that this issue was closed and that's it, wait until November.
Workaround that worked for me:
`./dotnet dev-certs https --trust`
(it's important to use `./`, otherwise it uses the installed dotnet). After that it asks for a password, installs the certificate, and debugging of my 8.0 app works again.
@pvasek Thank you mate, that worked for me too. The only thing is I had to quarantine the folder; I have SIP enabled and all macOS wanted to do was complain about it being untrusted 🙄
```
xattr -d com.apple.quarantine -r dotnet-sdk-9.0.100-rc.2.24473.20-osx-arm64
cd dotnet-sdk-9.0.100-rc.2.24473.20-osx-arm64
./dotnet dev-certs https --trust
```
@kalebzettl @pvasek Thanks, that worked for me. Here's a consolidated instruction set:
1. Just in case, delete any certs that currently exist. Open a terminal and run: `dotnet dev-certs https --clean`
2. Download the `tar.gz` file of the "main" release from the .NET SDK package table. You can also access the links directly below.
3. Unpack the downloaded file.
4. Remove the quarantine attribute from the unpacked folder. From your terminal run: `xattr -d com.apple.quarantine -r <folderName>`. Replace `<folderName>` with the name of your unpacked folder. For example: `xattr -d com.apple.quarantine -r dotnet-sdk-9.0.100-rc.2.24473.22-osx-arm64`
5. Navigate to the unpacked folder: `cd dotnet-sdk-9.0.100-rc.2.24473.22-osx-arm64`
6. From within this folder, run the following to generate and trust the certificate: `./dotnet dev-certs https --trust`
Update: repro app here
Is there an existing issue for this?
Describe the bug
The command `dotnet dev-certs https` fails with the error: There was an error creating the HTTPS developer certificate.
Exception:
What I already tried: `dotnet dev-certs https --clean`
Nothing changed the behaviour and I still get the same error.
Expected Behavior
the certificate should be created.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
8.0.401
Anything else?