How to run 'dotnet dev-certs https --trust'?

臣服心动
臣服心动 2020-11-29 08:19

I'm new in ASP.NET.

Environment:

  • Ubuntu 18.04

  • Visual Studio Code

  • .NET SDK 2.2.105

I'm in troubl

3 answers
  • 2020-11-29 08:36

    For Chrome:

    1. Click "Not Secure" in address bar.
    2. Click Certificate.
    3. Click Details.
    4. Click Export.

    Run: certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n {FILE_NAME} -i {FILE_NAME}

    Restart Chrome.

  • 2020-11-29 08:53

    On Ubuntu the standard mechanism would be:

    • dotnet dev-certs https -v to generate a self-signed cert
    • convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
    • copy localhost.crt to /usr/local/share/ca-certificates
    • trust the certificate using sudo update-ca-certificates
    • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
    • verify if it's trusted using openssl verify localhost.crt

    Unfortunately this does not work:

    • dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:

      $ openssl verify localhost.crt
      CN = localhost
      error 20 at 0 depth lookup: unable to get local issuer certificate
      error localhost.crt: verification failed

    • due to that it's impossible to have a dotnet client trust the certificate

    Workaround: (tested on Openssl 1.1.1c)

    1. manually generate self-signed cert
    2. trust this cert
    3. force your application to use this cert

    In detail:

    1. manually generate self-signed cert:

      • create localhost.conf file with the following content:

        [req]
        default_bits       = 2048
        default_keyfile    = localhost.key
        distinguished_name = req_distinguished_name
        req_extensions     = req_ext
        x509_extensions    = v3_ca

        [req_distinguished_name]
        commonName                  = Common Name (e.g. server FQDN or YOUR name)
        commonName_default          = localhost
        commonName_max              = 64

        [req_ext]
        subjectAltName = @alt_names

        [v3_ca]
        subjectAltName = @alt_names
        basicConstraints = critical, CA:false
        keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment

        [alt_names]
        DNS.1   = localhost
        DNS.2   = 127.0.0.1

      • generate cert using openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
      • convert cert to pfx using openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
      • (optionally) verify cert using openssl verify -CAfile localhost.crt localhost.crt which should yield localhost.crt: OK
      • as it's not trusted yet using openssl verify localhost.crt should fail with

        CN = localhost
        error 18 at 0 depth lookup: self signed certificate
        error localhost.crt: verification failed

    2. trust this cert:

      • copy localhost.crt to /usr/local/share/ca-certificates
      • trust the certificate using sudo update-ca-certificates
      • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
      • verifying the cert without the CAfile option should work now

        $ openssl verify localhost.crt
        localhost.crt: OK

    3. force your application to use this cert

      • update your appsettings.json with the following settings:

        "Kestrel": {
          "Certificates": {
            "Default": {
              "Path": "localhost.pfx",
              "Password": ""
            }
          }
        }

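The generate-and-verify part of the workaround above, as an added shell example that is not the answer's own commands: it writes the config with `prompt = no` and an `IP.1` entry for 127.0.0.1 (the answer uses `DNS.2`), builds a second certificate carrying only the key usages dotnet dev-certs emits, and checks both with openssl. It never touches the system trust store, so no sudo is needed; whether the second certificate fails `openssl verify` depends on the OpenSSL release (the answer tested 1.1.1c), so the script reports that result instead of assuming it.

```shell
#!/bin/sh
# Added example, not the answer's own commands: build two self-signed localhost
# certs in a temp dir (one with the keyCertSign usage the answer adds, one with
# only the usages dotnet dev-certs emits) and check how openssl treats each.
# Assumes the openssl CLI is on PATH.
set -eu

# make_cert DIR NAME "KEY_USAGE_LIST": writes DIR/NAME.key and DIR/NAME.crt.
# prompt=no and IP.1 (instead of the answer's DNS.2) are deliberate changes.
make_cert() {
    dir=$1; name=$2; usage=$3
    cat > "$dir/$name.conf" <<EOF
[req]
default_bits       = 2048
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
commonName = localhost
[v3_ca]
subjectAltName   = @alt_names
basicConstraints = critical, CA:false
keyUsage         = $usage
[alt_names]
DNS.1 = localhost
IP.1  = 127.0.0.1
EOF
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" \
        -config "$dir/$name.conf" >/dev/null 2>&1
}

# self_verifies FILE: exit 0 when the cert validates with itself as the only CA
self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# has_keycertsign FILE: exit 0 when Key Usage lists Certificate Sign
has_keycertsign() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'
}

WORK=$(mktemp -d)
make_cert "$WORK" fixed   "keyCertSign, cRLSign, digitalSignature, keyEncipherment"
make_cert "$WORK" devcert "digitalSignature, keyEncipherment"
for n in fixed devcert; do
    if self_verifies "$WORK/$n.crt"; then echo "$n.crt: OK"; else echo "$n.crt: verification failed"; fi
done
```

The fixed.crt file is the one to copy to /usr/local/share/ca-certificates and convert to pfx as the answer describes.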
  • 2020-11-29 08:59

    Looks like this is a known issue with dotnet global tools and that specific command is only available for MacOS and Windows. See this issue on github: Issue 6066.

    It seems like there may be a work around for Linux users based on this SO post: ASP.Net Core application service only listening to Port 5000 on Ubuntu.
