
Cert not trusted, SSL Handshake Failing

Open · athoma13 opened this issue 1 year ago • 5 comments

Thank you for providing a solution to this very annoying problem of setting up local dev certs - Microsoft has really dropped the ball by not considering Linux in their dev-certs CLI. Microsoft support referred me to your script, in fact...

I am trying to run this on Ubuntu 22.04 and .NET 7 SDK. The script executes fine and installs the certificate.

However, if I open a .NET hosted site, I get an untrusted certificate warning in Chromium (snap) and Brave (also snap). I know it is the localhost cert that is being used because of the dates.

Also, the service-to-service SSL handshake fails with the following error...

[13:33:45 DBG] Failed to authenticate HTTPS connection.
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:0A000416:SSL routines::sslv3 alert certificate unknown
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions, SelectClientCertificate clientCertificateSelectionCallback)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)

I think it is because when I try to verify the certificate using OpenSSL, I get an error:

openssl verify /etc/ssl/certs/dotnet-devcert.pem

CN = localhost
error 18 at 0 depth lookup: self-signed certificate
error /etc/ssl/certs/dotnet-devcert.pem: verification failed

Any ideas or advice?

athoma13 avatar Apr 02 '23 03:04 athoma13

Thank you for your message.

Microsoft support referred me to your script in-fact... Hahaha, I don't know if I like this or not...

Overall, I am currently not running Ubuntu, but Arch Linux, so I need to set up a VM to test this. I currently have limited time to spend, but will see if I can do something in the next few days.

Regarding Chromium and Brave, please check the paths in common.sh if they match your system.

BorisWilhelms avatar Apr 03 '23 15:04 BorisWilhelms

I actually tested it right now, and I am not able to reproduce this issue.

Could you please try the script from the branch 12-cert-not-trusted.

If the issue still persists, please paste the OpenSSL Version (openssl version) and the output of the script.

BorisWilhelms avatar Apr 03 '23 16:04 BorisWilhelms

Hi Boris,

Thank you for your time.... I tried it and I'm getting the same behaviour.... Am I right to assume that after running your script, running an openssl verify on the cert (as above) should work?

Anyhow, here's the output of openssl version

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

athoma13 avatar Apr 03 '23 21:04 athoma13

Yes, openssl verify should work, and it does that for me in my Ubuntu VM. Your openssl version also matches mine, so I am not sure what the issue is.

Please pull the latest version of the script in this branch, run it with the -d argument (e.g. ./ubuntu-create-dotnet-devcert.sh -d) and copy & paste the output here.

BorisWilhelms avatar Apr 04 '23 13:04 BorisWilhelms
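To see what "openssl verify should work" actually requires, here is an added diagnostic example (not code from the create-dotnet-devcert repository or from either commenter): it builds a throwaway localhost cert plus a throwaway CApath directory standing in for /etc/ssl/certs, and shows that verify reports error 18 until the subject-hash link that update-ca-certificates normally creates is present. It assumes only that the openssl CLI (1.1.0 or newer) is installed; every path and the request config are constructed here.

```shell
#!/bin/sh
# Added diagnostic example (not code from create-dotnet-devcert or the commenters):
# reproduces in a throwaway directory what "openssl verify" needs to accept a
# self-signed dev cert. The cert must be reachable from the CApath being searched
# through a <subject-hash>.0 link, which is what update-ca-certificates maintains
# in /etc/ssl/certs. Assumes only the openssl CLI (1.1.0 or newer) is installed.
set -u

WORK=$(mktemp -d)
CERT="$WORK/dotnet-devcert.crt"
KEY="$WORK/dotnet-devcert.key"
CAPATH="$WORK/capath"           # stand-in for /etc/ssl/certs
mkdir "$CAPATH"

# Constructed minimal request config with the SAN a localhost dev cert needs.
cat > "$WORK/localhost.conf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = localhost
[v3_req]
subjectAltName = DNS:localhost
basicConstraints = critical,CA:true
keyUsage = critical,digitalSignature,keyCertSign
EOF
openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout "$KEY" -out "$CERT" \
  -config "$WORK/localhost.conf" >/dev/null 2>&1

# Verify the cert against one directory; the default CAfile/CApath are switched
# off so the verdict depends on that directory. Exit status 0 means trusted.
verify_in_capath() {            # $1 = directory used as the trust store
  openssl verify -no-CAfile -no-CApath -CApath "$1" "$CERT" 2>&1
}

# Create the <subject-hash>.0 link the CApath lookup uses to find the cert,
# the same thing "openssl rehash" / update-ca-certificates do for /etc/ssl/certs.
add_hash_link() {               # $1 = directory that should trust the cert
  ln -sf "$CERT" "$1/$(openssl x509 -noout -hash -in "$CERT").0"
}

echo "before hash link:"; verify_in_capath "$CAPATH"   # error 18 at 0 depth lookup
add_hash_link "$CAPATH"
echo "after hash link:";  verify_in_capath "$CAPATH"   # ...dotnet-devcert.crt: OK
```

On the real machine the equivalent checks are ls -l /etc/ssl/certs/$(openssl x509 -noout -hash -in /etc/ssl/certs/dotnet-devcert.pem).0 and openssl verify -CApath /etc/ssl/certs /etc/ssl/certs/dotnet-devcert.pem; a missing hash link produces error 18 even though the .pem file sits in the directory.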

I am having the same problem as @athoma13 when I run openssl verify. Below is the result when I run the script with -d:

+ DEPENDENCIES=dotnet certutil openssl
+ check_command dotnet
+ echo Checking if dotnet exists
Checking if dotnet exists
+ command -v dotnet
+ check_command certutil
+ echo Checking if certutil exists
Checking if certutil exists
+ command -v certutil
+ check_command openssl
+ echo Checking if openssl exists
Checking if openssl exists
+ command -v openssl
+ TMP_PATH=/var/tmp/localhost-dev-cert
+ [ ! -d /var/tmp/localhost-dev-cert ]
+ mkdir /var/tmp/localhost-dev-cert
+ KEYFILE=/var/tmp/localhost-dev-cert/dotnet-devcert.key
+ CRTFILE=/var/tmp/localhost-dev-cert/dotnet-devcert.crt
+ PFXFILE=/var/tmp/localhost-dev-cert/dotnet-devcert.pfx
+ NSSDB_PATHS=/home/tester/.pki/nssdb     /home/tester/snap/chromium/current/.pki/nssdb     /home/tester/snap/postman/current/.pki/nssdb     /home/tester/snap/brave/current/.pki/nssdb
+ CONF_PATH=/var/tmp/localhost-dev-cert/localhost.conf
+ cat
+ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /var/tmp/localhost-dev-cert/dotnet-devcert.key -out /var/tmp/localhost-dev-cert/dotnet-devcert.crt -config /var/tmp/localhost-dev-cert/localhost.conf --passout pass:
+ openssl pkcs12 -export -out /var/tmp/localhost-dev-cert/dotnet-devcert.pfx -inkey /var/tmp/localhost-dev-cert/dotnet-devcert.key -in /var/tmp/localhost-dev-cert/dotnet-devcert.crt --passout pass:
+ [ -d /home/tester/.pki/nssdb ]
+ configure_nssdb /home/tester/.pki/nssdb
+ echo Configuring nssdb for /home/tester/.pki/nssdb
Configuring nssdb for /home/tester/.pki/nssdb
+ certutil -d sql:/home/tester/.pki/nssdb -D -n dotnet-devcert
+ certutil -d sql:/home/tester/.pki/nssdb -A -t CP,, -n dotnet-devcert -i /var/tmp/localhost-dev-cert/dotnet-devcert.crt
+ [ -d /home/tester/snap/chromium/current/.pki/nssdb ]
+ [ -d /home/tester/snap/postman/current/.pki/nssdb ]
+ [ -d /home/tester/snap/brave/current/.pki/nssdb ]
+ id -u
+ [ 1000 -ne 0 ]
+ SUDO=sudo
+ dotnet dev-certs https --clean --import /var/tmp/localhost-dev-cert/dotnet-devcert.pfx -p 
HTTPS development certificates successfully removed from the machine.
The certificate was successfully imported.
+ [ 0 = 1 ]
+ sudo rm /etc/ssl/certs/dotnet-devcert.pem
+ sudo cp /var/tmp/localhost-dev-cert/dotnet-devcert.crt /usr/local/share/ca-certificates
+ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
+ cleanup
+ rm -R /var/tmp/localhost-dev-cert

amthejohnson avatar Sep 27 '23 20:09 amthejohnson