New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Https] dotnet dev-certs --trust
support on Linux
#32842
Comments
Thanks for contacting us. We're moving this issue to the |
I got bit by this, just today. I'm trying to get OAuth 2.0 and OpenID to work between two local aspnetcore services, using IdentityServer4, and I'm getting certificate chain errors. https://stackoverflow.com/questions/67910658/how-do-i-trust-dotnets-dev-cert-in-linux I can't speak to how many others are trying to do what I am, but I at least am having this issue, and it would be nice if the problem was fixed. |
I can confirm that I am also having this issue. |
This worked nicely for me: I'm on Ubuntu 20.04. I was having trouble getting Identity authentication to work on our project, that said the docs really need an update. I spent a ridiculous amount of time not understanding what I was doing wrong, in fact I still can't get Firefox on Ubuntu 20.04 to fully trust the certs (the top-left lock still shows an exclamation mark but the authentication now works, Chrome seems to be fine). Here are the links to the docs: There should at least be a note on there that says there is known issue with |
Hello, and do you have any solution for the manjaro? |
I got it working for Manjaro with the following script. I didn't do it for FireFox because I mainly use Chromium, so you may have to figure that part out. # Create cert
dotnet dev-certs https
# Export cert to current directory
dotnet dev-certs https -ep localhost.crt --format PEM
# Trust Chromium based browsers
sudo -E dotnet dev-certs https -ep /usr/share/ca-certificates/aspnet/https.crt --format PEM
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost -i /usr/share/ca-certificates/trust-source/anchors/aspnethttps.crt
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n localhost -i /usr/share/ca-certificates/trust-source/anchors/aspnethttps.crt
# Trust wget
sudo cp localhost.crt /usr/share/ca-certificates/trust-source/anchors/aspnetcore-https-localhost.pem
sudo update-ca-trust extract
# Trust dotnet-to-dotnet
sudo cp localhost.crt /etc/ssl/certs/aspnetcore-https-localhost.pem
# Remove cert from current directory
rm localhost.crt |
Any updates for this? |
Hi |
@meirkr we already have this working on a branch. Unfortunately, we do not think we will have time to ensure it has the quality to make it into .NET 7.0 https://github.com/dotnet/aspnetcore/tree/javiercn/dev-certs-linux-trust |
Tried running the script above on Redhat 9 with no success for firefox, I can confirm it works with chromium. |
add |
This comment was marked as off-topic.
This comment was marked as off-topic.
@trendzetter please refrain from posting profanity here. |
ok, let me rephrase this. this is why you should avoid microsoft products or services at all cost because it always results in monopolistic behavior. First the claim is "cross platform" and then they make you sneakily fail on other platforms by including some hidden nasties. They will never improve. |
What are you going on about? This issue exists specifically to address the problem and develop a solution. Microsoft should somehow be avoided because this didn't make it into .NET 7 but will be in .NET 8? That is absurd. Did you provide any possible solutions to them instead of conspiracy theories? |
@trendzetter while I appreciate you have your opinions of our products and work, posting comments such as you are on this issue is off topic and not advancing the resolution of this issue in any way. |
Could we get some distros available for .NET 7 and/or having it with a « preview » flag so we know that we can face some limitations and wait for .NET 8 to stabilize the whole implementation ? We will be able to use it for testing purpose and give you some feedbacks during .NET 8 dev timeframe. |
@YohanSciubukgian unfortunately it was/is too late in the development cycle to get this into 7.0.0, but it's something on the list for .NET 8 which you could try previews of once available. |
(Using Windows with Linux Containers via Docker Deskop + WSL2. Testing with 2 simple aspnet core APIs in docker-compose, 1 making an https call to the other via HttpClient.) I've gone down this rabbit hole for a couple days now. Even if you skip the dotnet dev-certs tools and use openSSL to create a compatible dotnet localhost dev-cert with the special markers, get that .pfx trusted in Windows, and then get the accompanying .crt loaded into and trusted by the container at runtime, API --> API communication is still fundamentally broken. In short, is it true to state that we can get host-to-container SSL trust to work (i.e. chrome website and direct api call), but not for container-to-container trust (i.e. API calling another API)? |
The general problem is that each distro's way of updating system trust is different, particularly with regard to getting it to apply to all tools. That's the reason that we don't enable writing to the LocalMachine\Root store on Linux. If the |
Honestly given the fragmentation and no standard way to do it I wouldn't do it at all. |
Yeah, I thought that at first and had to retract that statement after thinking better. However, students will hop over to Linux as I once did and want to develop there. The certificate is just to help prevent a scare and bypass the browser security prompt. Little things like that lead up to phycological blocks in creativity. Even I still get spooked when Visual Studio or Rider prompts to add to the firewall, lol. It's a tick. It doesn't need to go in the root stores, just the users' profiles. Although I don't know about Dotnet-to-Dotnet situations. |
https://matrix.to/#/#nss:mozilla.org |
For Debian, had to add the following to update-ca-certificates, otherwise dotnet to dotnet did not work with
Full script:
|
Just a heads up, if anyone faces the same issue I had (Linux Mint) Everything was working fine for quite a while after following the above instructions. One day, however, Edge and Chrome just stopped trusting the cert. Firefox still worked. After reading this guide: https://learn.microsoft.com/en-gb/aspnet/core/security/enforcing-ssl?view=aspnetcore-7.0&tabs=visual-studio%2Clinux-ubuntu#linux-certificate-not-trusted I was given the clue that somehow the file permissions on -- |
@blowdart it's not like you'd have to cover every meme distro out there. Handling Fedora, Debian and Ubuntu would be enough for 99% of us. |
After running into this issue while trying out Aspire on Linux, I put some work into a .NET tool that sets up a development cert on Linux. You can find it here: https://github.com/tmds/linux-dev-certs/. It should work on Fedora, Debian and Ubuntu. To use it:
|
Thanks, @tmds! We're actually planning to revisit this in 9.0. Solving the problem in general remains infeasible, but we should be able to add built-in support for at least Chromium/Firefox/curl on Fedora/Ubuntu/Debian. |
#55335 or something like it is likely to be part of this work. |
@amcasey here is my earlier attempt to make this command work on Linux: #33279. It probably has code you can use. I did get some feedback against using a CA certificate: https://twitter.com/tomdeseyn/status/1390590053953462272. You probably also want .NET itself to trust the development certificate so it can talk to .NET services in an ASP.NET Aspire orchestration. |
Doesnt work for me on Ubuntu 24.04 |
You can create an issue in the repo. Please add some details as to what is not trusted. I verified it with Ubuntu 22.02. For browsers, only the snap-based Firefox browser is expected to work. |
OK, I was trying it in Edge |
Feel free to create an issue for it, and I'll look into it when I find some time. |
That's exactly the situation that I'm currently facing. The new preview of Aspire (Preview 6) requires a cert all the way. I can't get the dev cert to be trusted on my Fedora 40 machine. Any help regarding this would be greatly appreciated. |
@tmds Doh! I did try it, but didn't restart my machine. After the restart it works flawlessly, sorry for the fuss. |
Related Epic #41990
The different flavors of Linux are the only place where
--trust
is not supported for dotnet dev-certs. We had an issue on openssl blocking this in the past that prevented dotnet-to-dotnet trust. Now that the issue has been solved and that distros are updating their openssl versions to newer versions without the original issue that was blocking us, we can consider adding support for trust across supported distros.Our support Matrix looks as follows (taken from here):
Open SSL status across versions
For the distros that don't meet the openssl version requirement, a new openssl version can be installed in most cases (at the users risk/judgement), either from an existing package available for the distro or downloading openssl and compiling it from source. I validated this across a few distros as follows:
yum
source and getting it from there.experimental
package available for 1.1.1k in Open SUSE 15.2Hard Freeze
and will be released likely this year. I only had to setup the apt sources for it to work. It already contains a new enough version.Each distro that we want to support should be considered to have the cost of supporting and maintaining entire new OS, since we have to support specific environment variations and test functionality on each of them.
For each distro we need to support:
--clean
to remove the trusted certificates.--check
to determine if the certificate is trusted in all the places we care about--trust
to apply the necessary changes in the environment to make the certificate trusted.In addition to that, we need to make sure that all the tools and libraries we need are present on the OS, have the right version and are available on the path:
For each distro we need come up with a list of instructions to setup the machine and create a VM image we can leverage for regression testing. We need to capture the instructions for doing the following:
Prepare the VM to be shared with the team (we should be able to do so as described here
Once all the software is installed on the given distro,
--trust
,--check
,--clean
must work on 3 areas:Firefox: Can be configured via an enterprise policy or via
certutil
, we need to determine the best way to do this. The user profile is in `~/,mozilla and we can find the default there.Edge/Chrome: Can be configured via
certutil
at~/.pki/certificates
dotnet runtime: Can be configured by dropping the certificate in the openssl folder.
--check
aspnetcore-localhost-https-{sha256-certificate-hash}.pem
in the openssl certificates folder--trust
aspnetcore-localhost-https-{sha256-certificate-hash}.pem
--clean
aspnetcore-localhost-https-
or use certutil to remove all certificates that matchaspnetcore-localhost-https-
from the profile databaseaspnetcore-localhost-https-
from the databaseaspnetcore-localhost-https-
from the openssl certificates directory.There are slight variations that we need to account for across distros. Ideally we don't want those things to show up in our code, since it will create a hard to maintain mess. To that matter, we will create a manifest for each distro/version with all the important details about the distro to drive all the operations and embed them in the dev-certs assembly.
When a command is run on Linux, we will try and recover the manifest by convention
(<<distro>>.<<version>>.manifest.json)
and will use the details there to drive the action.The contents of the manifest are yet TBD, in its most simple form they can contain scripts that we can put on a temp file,
chmod +x
the file, run from the process and get a result back to determine the result of the operation. An alternative is to include details on per distro path locations and so on and have dotnet use that to drive the operation.For example
dotnet dev-certs https --trust --check
can read the openssl directory location, get the current trusted certificate and check that there is a file with the right name at the openssl certs directory, read the cert and ensure it matches the one in the store.Onboarding a new distro/version involves the following steps:
For reference, here are some scripts that cover many distros and that can be used as a starting point. The only one completely missing is Alpine, where the install experience just gives you a prompt and you have to run scripts to install everything else. In that case, we likely only need to figure out the work for trusting the cert by openssl since its very likely only used in container environments
CentOS (This likely works for RHEL too)
Fedora
OpenSUSE (This likely works for SLES too)
Ubuntu (This likely works for Debian too)
The text was updated successfully, but these errors were encountered: