CLI cert instructions: dotnet dev-certs https --trust #6066

Closed
Rick-Anderson opened this issue Apr 23, 2018 · 32 comments

@Rick-Anderson
Contributor

Per @guardrex #5393

Improve 'how to download' for running with HTTPS

https://docs.microsoft.com/aspnet/core/tutorials/index#how-to-download-a-sample

Possibly update section heading: How to download and run a sample

Per @scottaddie:

You should just need to run:

dotnet dev-certs https --trust

See the instructions here:

https://blogs.msdn.microsoft.com/webdev/2018/02/27/asp-net-core-2-1-https-improvements/

May also need the tool installed ...

dotnet install tool dotnet-dev-certs -g --version 2.1.0

Change "how to download" link text to "how to download and run" across the repo.

Also note that FF has required a manual step to approve the use of untrusted certs in the past.

@Rick-Anderson
Contributor Author

@scottaddie

@scottaddie
Member

@Rick-Anderson I agree that's the best location to put this. We should use monikers to control what displays within that include. I did have to run that CLI command, even after installing the SDK.

@Rick-Anderson
Contributor Author

@scottaddie

> I did have to run that CLI command, even after installing the SDK.

You need to run dotnet dev-certs https --trust but not dotnet install tool dotnet-dev-certs -g --version 2.1.0 - right?

@scottaddie
Member

@Rick-Anderson I'm only seeing a Preview 1 version of this package on NuGet: https://www.nuget.org/packages/dotnet-dev-certs. Maybe I did only have to install this global tool for Preview 1.

@blowdart Does the Preview 2 SDK installation automatically install the global dev-certs tool?

@blowdart
Contributor

@javiercn ?

@Rick-Anderson
Contributor Author

Rick-Anderson commented Apr 25, 2018

Create any ASP.NET Core project and it's installed.
Here's the output from the RC1 SDK:

ASP.NET Core

Successfully installed the ASP.NET Core HTTPS Development Certificate.
To trust the certificate run 'dotnet dev-certs https --trust' (Windows and macOS only). For establishing trust on other platforms please refer to the platform specific documentation.
For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.
Getting ready...
The template "Razor Class Library" was created successfully.

@javiercn
Member

It's an SDK tool in preview2 (comes preinstalled).
The SDK will generate the certificate on the first run experience (the first time you run a command from the terminal) but you need to trust the certificate manually.

@bhaidar

bhaidar commented Jul 27, 2018

Hi,
I tried running dotnet dev-certs https --trust with no luck. When I issue the command dotnet run and go to: http://localhost:5000 I get the following at the console level:

:5001/dist/polyfills.bundle.js:1 Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID
:5001/dist/vendor.bundle.js:1 Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID
:5001/dist/app.bundle.js:1 Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID

I am using the latest .NET SDK 2.1.302.

Thanks

@javiercn
Member

@bhaidar What platform are you using?

@bhaidar

bhaidar commented Jul 28, 2018

@javiercn
Windows 10.

I trusted the certificate several times with no luck. I had to restart my PC and now it works!

Thanks

@javiercn
Member

@bhaidar Ah, that’s likely because you had the browser open and it caches the cert, so in order for the new trust settings to kick in, you need to close all browser windows.

Closing this issue as there’s no further action to be taken here.

@Rick-Anderson
Contributor Author

@scottaddie this is probably worth adding to the doc

> Ah, that’s likely because you had the browser open and it caches the cert, so in order for the new trust settings to kick in, you need to close all browser windows.

@bhaidar

bhaidar commented Jul 30, 2018

@Rick-Anderson @scottaddie @javiercn
But still, on Ubuntu 18.04, I can't use the --trust argument.

When I create a new development self-signed certificate, I couldn't find any resource online on how to trust the certificate on Ubuntu. So, with a dev certificate, I have to Add Exception for the website to open.

@Rick-Anderson
Contributor Author

> on Ubuntu 18.04, I can't use the --trust argument.

Why can't you?

@javiercn
Member

@Rick-Anderson @bhaidar There is no general trust store on Linux. The best we can do is allow you to export the certificate into a CRT file. With that, you should follow the specific instructions/steps in your distribution to trust the certificate. All that matters is whatever trust roots your browser uses for validating the cert. On Windows, browsers normally use the Windows trust roots; on Mac they use Keychain.

@Rick-Anderson
Contributor Author

@javiercn what's the priority for the following issue
Create a page describing how to setup HTTPS #3310 ?
cc @scottaddie

@javiercn
Member

@Rick-Anderson @danroth27 is the person to answer that question.

@danroth27
Member

#3310 It's pretty important given that enabling HTTPS was a major theme for the 2.1 release.

@guardrex
Collaborator

There's also this one, which I don't think was cross-referenced into #3310 ...

Expand scope of the Enforce HTTPS article #6538

I'll guess that there's overlap. If so, I recommend one of us work the whole subject.

@bhaidar

bhaidar commented Jul 30, 2018

@danroth27 @Rick-Anderson @javiercn
Thanks everyone! I am actually preparing a module for Microsoft where I need to demonstrate running an app on Ubuntu. For now, I can run the app, but I have to click on Add Exception on Firefox to allow me to run the app with SSL.

Allowing the developer to export a CRT file would be great!

But say, that the CRT is exported and registered on Ubuntu, does that require any additional code in the Program.cs file to locate that certificate?

Thanks

@javiercn
Member

@bhaidar the trust is for the browser (client), not for the server.

Btw, Firefox is going to give you a hard time independently of the OS. They have their own rules for self-signed certificates and we haven’t found a way to work around adding an exception.

@bhaidar

bhaidar commented Jul 30, 2018 via email

@Rick-Anderson
Contributor Author

@bhaidar no - FF specifically. Try using FF on Windows, it doesn't recognize our cert while all the other major browsers do.

@nickwalkmsft
Contributor

nickwalkmsft commented Jul 30, 2018

I was just walking through the VS Code/Razor Pages getting started doc. After updating from SDK 2.1.200 to 2.1.302 so that dotnet new webapp would work, I created a new app and did dotnet run and was hit with a cert error page due to the new addition of app.UseHttpsRedirection() in the default templates.

I'm usually a read-all-the-warnings-and-messages kind of person, but I had that mental switch turned off since I was simply updating to a new point release of the SDK and jumping back into the same workflow I had just been messing around with. If there was a message anywhere about running the needed incantation to trust the dev certs I missed it. I ended up finding it here, in this thread.

It seems like this needs a common include across all the starter tutorials near the top, similar to the one that helped me get dotnet new webapp working (here).

@bhaidar

bhaidar commented Jul 30, 2018 via email

@javiercn
Member

@nickwalkmsft The CLI will install the certificate and display a message on the first run experience (the first time you run a command from the command line).
Additionally, Visual Studio will proactively prompt you if you want to trust the certificate when it detects you are running a project that is configured to use HTTPS in development.

@natalie-o-perret

@bhaidar out of curiosity, how did you manage to add (and even before that, find where the development certificate is on Ubuntu) created with dotnet dev-certs https?

@seangwright
Contributor

It seems it might be possible to get a self-signed cert working with Firefox but there are additional steps to take beyond just creating the certificate.

https://bugzilla.mozilla.org/show_bug.cgi?id=1452411#c1

the correct approach is:

  • create your own self-signed CA
  • create an EE (end entity) cert request with "CN=localhost" or whatever domain name you want
  • let that EE cert request sign with your CA created in the first step -> you get your server EE cert
  • add that CA as trusted for web site identification to Firefox
  • use the EE cert on your localhost server

Then there is no need to add exceptions at all. You can use OpenSSL or NSS tools.
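
The steps quoted above from the Firefox bug, carried through with OpenSSL as an added example; it is not part of the thread or of the project's documentation. The file names, the "Local Dev CA" subject, the 30-day lifetime and the name constraints on the CA are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: local CA plus a CN=localhost end-entity (EE) certificate.
# File names and the "Local Dev CA" subject are assumptions, not from the thread.
make_dev_chain() {
  local d="$1"; mkdir -p "$d" || return 1
  # Own config, so the result does not depend on the system openssl.cnf.
  # nameConstraints limits what a leaked ca.key could be used to sign.
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,permitted;DNS:localhost,permitted;IP:127.0.0.1/255.255.255.255
EOF
  # EE extensions: not a CA, server authentication only, SAN for localhost.
  cat > "$d/ee.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF
  # Step 1: self-signed CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$d/ca.cnf" -subj "/CN=Local Dev CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Step 2: EE key and certificate request with CN=localhost.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=localhost" \
    -keyout "$d/localhost.key" -out "$d/localhost.csr" 2>/dev/null || return 1
  # Step 3: sign the request with the CA from step 1.
  openssl x509 -req -in "$d/localhost.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 30 -extfile "$d/ee.ext" \
    -out "$d/localhost.crt" 2>/dev/null || return 1
  chmod 600 "$d/ca.key" "$d/localhost.key"
  # Check the chain before importing anything into a trust store.
  openssl verify -CAfile "$d/ca.crt" "$d/localhost.crt" >/dev/null 2>&1
}
# Step 4: import ca.crt (never ca.key) into Firefox as a CA trusted for web sites,
#   e.g. with NSS: certutil -A -n "Local Dev CA" -t "C,," -i ca.crt -d sql:<profile-dir>
# Step 5: configure the localhost server with localhost.crt and localhost.key.
```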

@tiesmaster

@seangwright Thanks for the link to the Firefox bug! Though, I'm not able to get it working (not well enough versed with this). Do you have some more detailed steps (or perhaps an external blog post that you've followed)?

I'd like to get this working locally, but also put in a PR for the docs to make it easier for other people ;)

@seangwright
Contributor

@tiesmaster I started down the path of configuring this and defining the steps for our devs... but there were too many moving pieces to justify it over just using Chrome.

I don't like this solution but it's the one I'm living with for the time being.

@tiesmaster

@seangwright Ah, no worries. I already went along with adding an exception for the specific API (localhost + port), until I got this sorted, and I was pleasantly surprised that it worked for the entire hostname (localhost:*), as opposed to the authority (localhost:N).

So all my APIs I'm working on, work straight away, which is really nice. I still like to get the other approach working, but it's less of a prio for me atm.

@seangwright
Contributor

@tiesmaster Interesting - I hadn't tried localhost:* - I'll check that out.

Thanks!
