When I try to call an API method using identityserver4, I tried before on Windows and it is working fine only in Mac OS I faced this issue and I don´t know what is happened and
Dotnet dev-certs don't work on Linux or Mac.
That is because the dev-tools issue an incorrect root certificate.
Windows apparently accepts incorrect root certificates...
What you need to do is this:
if (hostingEnvironment.IsDevelopment())
{
System.Net.ServicePointManager.ServerCertificateValidationCallback +=
(sender, certificate, chain, sslPolicyErrors) => true;
}
Or you can write a more complex Validation-Callback, that just ignores untrusted root certificates:
///
/// This is to take care of SSL certification validation which are not issued by Trusted Root CA.
///
/// The sender.
/// The certificate.
/// The chain.
/// The errors.
///
///
public static bool RemoteCertValidate(object sender
, System.Security.Cryptography.X509Certificates.X509Certificate certificate
, System.Security.Cryptography.X509Certificates.X509Chain chain
, System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
// If the certificate is a valid, signed certificate, return true.
if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
{
return true;
}
// Logger.Current.Error("X509Certificate [{0}] Policy Error: '{1}'", certificate.Subject, sslPolicyErrors);
// If there are errors in the certificate chain, look at each error to determine the cause.
if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
if (chain != null && chain.ChainStatus != null)
{
foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
{
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
{
// Self-signed certificates with an untrusted root are valid.
continue;
}
else if (status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NotTimeValid)
{
// Ignore Expired certificates
continue;
}
else
{
if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
{
// If there are any other errors in the certificate chain, the certificate is invalid,
// so the method returns false.
return false;
}
}
} // Next status
} // End if (chain != null && chain.ChainStatus != null)
// When processing reaches this line, the only errors in the certificate chain are
// untrusted root errors for self-signed certificates (, or expired certificates).
// These certificates are valid for default Exchange server installations, so return true.
return true;
} // End if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
return false;
}
And add that to ServerCertificateValidationCallback:
System.Net.ServicePointManager.ServerCertificateValidationCallback +=
new System.Net.Security.RemoteCertificateValidationCallback(RemoteCertValidate);