
More HTTPS #27344

Closed
javiercn opened this issue Oct 29, 2020 · 19 comments
Labels: affected-few This issue impacts only small number of customers area-commandlinetools Includes: Command line tools, dotnet-dev-certs, dotnet-user-jwts, and OpenAPI Done This issue has been fixed enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-devcerts severity-major This label is used by an internal tool Theme: .NET appeals to new developers

Comments

@javiercn
Member

  • Make sure .NET Core can trust our cert on Linux.
  • Make sure Edge can trust our cert on Linux.
  • Runtime support for ACME
@ghost

ghost commented Nov 4, 2020

Thanks for contacting us.
We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

@mkArtakMSFT mkArtakMSFT added the enhancement This issue represents an ask for new feature or an enhancement to an existing one label Nov 4, 2020
@Pilchie
Member

Pilchie commented Jan 29, 2021

Going to mark this as a duplicate of #4712

@mkArtakMSFT mkArtakMSFT added area-commandlinetools Includes: Command line tools, dotnet-dev-certs, dotnet-user-jwts, and OpenAPI feature-devcerts labels Jan 30, 2021
@javiercn javiercn added affected-few This issue impacts only small number of customers severity-major This label is used by an internal tool labels Feb 19, 2021 — with ASP.NET Core Issue Ranking
@javiercn
Member Author

I think that issue only covers point 3

@DamianEdwards
Member

Relevant comment pointing to a script that creates a cert, trusts it for Chrome, .NET Server->Server, SDK, etc. on Ubuntu #7246 (comment)

@javiercn
Member Author

javiercn commented Apr 7, 2021

@DamianEdwards I got this to work on Ubuntu 20.04 in all browsers (FF, Chrome, Edge) and between dotnet instances with a recent openssl version.

Install the latest letter version of OpenSSL 1.1.1 (k, for example).
This is the guide that I followed to do this: https://medium.com/@brunoosiek/updating-openssl-latest-and-greatest-version-in-ubuntu-18-04-8f10ba4e2377

When you are done, openssl version should produce 1.1.1k or higher.

Export the certificate and update the certificate store

sudo dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/aspnetcore.crt --format PEM
sudo update-ca-certificates

Trust the certificate in edge/chromium like browsers

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost -i aspnetcore-https.crt
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n localhost -i aspnetcore-https.crt

Trust the certificate in firefox
Create a file:
/usr/lib/firefox/distribution/policies.json
And add the following contents

{
    "policies": {
        "Certificates": {
            "Install": [
                "/usr/share/ca-certificates/aspnet/aspnetcore-https.crt"
            ]
        }
    }
}

[image: https-on-all-browsers-ubuntu]

The image above shows the browsers visiting an API endpoint that queries another API with HttpClient for the data and the results are displayed in the three browsers

@jkotalik
Contributor

jkotalik commented Apr 8, 2021

@javiercn I went through the instructions you posted, here is what I hit. Using Ubuntu 18.04 LTS VM without a browser (using wget to verify for now).

I updated openssl to 1.1.1k. This took around 20 minutes total. Automating this could be useful for users, but updating openssl in general can be a security concern.

I needed sudo for mkdir /usr/share/ca-certificates/aspnet and cp aspnetcore-https.crt /usr/share/ca-certificates/aspnet

Running sudo dpkg-reconfigure ca-certificates brought up a window with a bunch of certs on it. What do I need to do on that window? I just selected all certs there.

Finally, running certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost -i aspnetcore-https.crt failed for me saying certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

I ran wget against the running server and I still get an error:

Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:5001... connected.
ERROR: cannot verify localhost's certificate, issued by ‘CN=localhost’:
  Self-signed certificate encountered.
To connect to localhost insecurely, use `--no-check-certificate'.

Not sure if the instructions are supposed to handle wget rather than just browsers.

@javiercn
Member Author

javiercn commented Apr 8, 2021

@jkotalik thanks for taking this for a spin!

> Automating this could be useful for users, but updating openssl in general can be a security concern.

The next ubuntu LTS due in a couple of weeks already has a recent enough version.

> I needed sudo for mkdir /usr/share/ca-certificates/aspnet and cp aspnetcore-https.crt /usr/share/ca-certificates/aspnet

> Running sudo dpkg-reconfigure ca-certificates brought up a window with a bunch of certs on it. What do I need to do on that window? I just selected all certs there.

Good point here, these need to run with sudo.

When the screen is presented you need to make sure to select the aspnet/aspnetcore-https certificate (all of them should already be marked).

> Finally, running certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost -i aspnetcore-https.crt failed for me saying certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

Do you have Chrome installed on the machine? If not, that's likely the issue. Is there a folder in $HOME/.pki/nssdb? I was running on Ubuntu 20.04, so that might be the issue.

Thanks for trying it out!

@javiercn
Member Author

javiercn commented Apr 8, 2021

@jkotalik I ended up verifying from a clean ubuntu installation.

The steps work. I think wget doesn't pick the right openssl CA authorities; curl, however, works without issue.

@javiercn
Member Author

javiercn commented Apr 8, 2021

If you create two APIs, and change the weatherforecast controller in one to return data from the other one via

        [HttpGet]
        public Task<string> Get()
        {
            // Call the second API over HTTPS; this only succeeds when .NET on
            // this machine trusts the dev certificate the backend serves.
            return new System.Net.Http.HttpClient().GetStringAsync("https://localhost:5003/weatherforecast");
        }

and then run them with
(frontend) dotnet run -- --urls=https://localhost:5001
(backend) dotnet run -- --urls=https://localhost:5003

and run curl https://localhost:5001/weatherforecast it works.

@daniellwdb

@javiercn Do you have any idea what to do at the last step you mentioned: "Trust the certificate in firefox" when all the steps were done on WSL2 Ubuntu 20.04 but Firefox is installed on Windows?

@javiercn
Member Author

javiercn commented Apr 9, 2021

@daniellwdb follow the guidance here

@daniellwdb

daniellwdb commented Apr 9, 2021

@javiercn Thank you, I successfully created the policies.json file in the specified location; however, I'm not sure how to reference the certificate from WSL2

{
    "policies": {
        "Certificates": {
            "Install": [
                "\\wsl$\\Ubuntu-20.04\\usr\\share\\ca-certificates\\aspnet\\aspnetcore-https.crt"
            ]
        }
    }
}

Seems like Firefox can't pick it up like this (same with / to separate paths)

@javiercn
Member Author

javiercn commented Apr 9, 2021

@daniellwdb for wsl I would follow the following steps

  1. Ensure a recent openssl version in your wsl distro (1.1.1h and onwards)
  2. Export the certificate from the windows machine with dotnet dev-certs https -ep https.pfx --password <<some-password>>.
  3. Copy the file to the wsl partition and import it via dotnet dev-certs https --import ... (check the args to the tool)
  4. Run the same steps described above to make .NET Core on wsl trust the cert for dotnet-to-dotnet communication
dotnet dev-certs https -ep aspnetcore-https.crt --format PEM
mkdir /usr/share/ca-certificates/aspnet
cp aspnetcore-https.crt /usr/share/ca-certificates/aspnet
  5. On Windows create a policy at C:\Program Files\Mozilla Firefox\distribution\policies.json or wherever you have installed Firefox
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true
    }
  }
}

If you do the last step, Firefox should trust your dev certificate, provided you trusted it on Windows. With steps 2 and 3 you make sure WSL uses the same cert as your Windows machine.
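As an added check (not part of this issue or of the dotnet tooling), a small Python script for both the native Linux steps earlier in the thread and the WSL variant above: it verifies that the exported dev cert really ended up in the CA bundle that update-ca-certificates writes, and generates the Firefox policies.json body. The PEM payloads are constructed placeholders rather than real certificates, and all function names are my own.

```python
import base64
import hashlib
import json
import re

# One PEM certificate block, as found in the exported aspnetcore.crt and in the
# bundle update-ca-certificates writes (/etc/ssl/certs/ca-certificates.crt).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_blocks(pem_text):
    """Decode every PEM certificate in pem_text to its DER bytes."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]

def sha256_fingerprint(der):
    """SHA-256 fingerprint in the colon form that openssl x509 -fingerprint prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def cert_in_bundle(cert_pem, bundle_pem):
    """True if the first cert in cert_pem is present byte-for-byte in bundle_pem.

    False after running update-ca-certificates means the PEM was written to a
    directory the tool does not scan, so bundle-based clients (.NET, curl) keep
    failing with UntrustedRoot even though the export itself succeeded."""
    wanted = sha256_fingerprint(der_blocks(cert_pem)[0])
    return any(sha256_fingerprint(d) == wanted for d in der_blocks(bundle_pem))

def firefox_policy(cert_paths):
    """policies.json body that makes Firefox install the given certificate files."""
    policy = {"policies": {"Certificates": {"Install": list(cert_paths)}}}
    return json.dumps(policy, indent=4)

def fake_pem(payload):
    """Wrap arbitrary bytes as a PEM block (constructed stand-in for a real DER cert)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample input: placeholder payloads, not real certificates.
DEV_CERT_PEM = fake_pem(b"constructed-aspnetcore-dev-cert")
DISTRO_BUNDLE = fake_pem(b"constructed-distro-root-1") + fake_pem(b"constructed-distro-root-2")
BUNDLE_WITH_DEV = DISTRO_BUNDLE + DEV_CERT_PEM
```

On a real machine, pass the contents of the exported aspnetcore.crt and of /etc/ssl/certs/ca-certificates.crt to cert_in_bundle to confirm the trust store actually picked the cert up.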

@daniellwdb

daniellwdb commented Apr 9, 2021

@javiercn Thank you, this is a nice issue for reference. Following all the steps plus the WSL2 steps above, I still end up with

❯ dotnet add package Microsoft.VisualStudio.Web.CodeGeneration.Design
  Determining projects to restore...
  Writing /tmp/tmpqsnDnO.tmp
info : Adding PackageReference for package 'Microsoft.VisualStudio.Web.CodeGeneration.Design' into project '/home/daniell/TodoApi/TodoApi.csproj'.
error: Unable to load the service index for source https://api.nuget.org/v3/index.json.
error:   The SSL connection could not be established, see inner exception.
error:   The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot

Just trying to work my way through the web API tutorial on WSL. Please let me know if this is out of the scope of this issue, HTTPS on Firefox is working fine at https://localhost:5001

@javiercn
Member Author

javiercn commented Apr 9, 2021

@daniellwdb What dotnet version are you using?

@daniellwdb

> @daniellwdb What dotnet version are you using?

5.0.202

@javiercn
Member Author

javiercn commented Apr 9, 2021

@daniellwdb It might be that you are running into NuGet/Announcements#49

@javiercn
Member Author

javiercn commented Apr 9, 2021

There's a better way to do this

sudo dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/aspnetcore.crt --format PEM
sudo update-ca-certificates

@javiercn
Member Author

javiercn commented Apr 9, 2021

I'm closing this issue as done now, since we have docs issues filed and waiting to be worked on, and the bit about Let's Encrypt is covered by #4712

dotnet/AspNetCore.Docs#22019
dotnet/AspNetCore.Docs#22020
dotnet/AspNetCore.Docs#22021

@javiercn javiercn closed this as completed Apr 9, 2021
@javiercn javiercn added the Done This issue has been fixed label Apr 9, 2021
@ghost ghost locked as resolved and limited conversation to collaborators May 9, 2021