Question
I'm new to ASP.NET.
Environment:
Ubuntu 18.04
Visual Studio Code
.NET SDK 2.2.105
I'm having trouble running a command.
I was reading the tutorial at
https://docs.microsoft.com/ja-jp/aspnet/core/tutorials/razor-pages/razor-pages-start?view=aspnetcore-2.2&tabs=visual-studio-code
and ran this command:
dotnet dev-certs https --trust
I expected https://localhost to be trusted, but I got this error message:
$ Specify --help for a list of available options and commands.
It seems that the command "dotnet dev-certs https" has no --trust option. How can I resolve this problem?
Answer 1:
On Ubuntu the standard mechanism would be:
- dotnet dev-certs https -v to generate a self-signed cert
- convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using
openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
- copy localhost.crt to /usr/local/share/ca-certificates
- trust the certificate using sudo update-ca-certificates
- verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
- verify if it's trusted using openssl verify localhost.crt
Unfortunately this does not work:
- dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:
$ openssl verify localhost.crt
CN = localhost
error 20 at 0 depth lookup: unable to get local issuer certificate
error localhost.crt: verification failed
- due to that it's impossible to have a dotnet client trust the certificate
Workaround: (tested on Openssl 1.1.1c)
- manually generate self-signed cert
- trust this cert
- force your application to use this cert
In detail:
manually generate self-signed cert:
- create localhost.conf file with the following content:
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment
[alt_names]
DNS.1 = localhost
# 127.0.0.1 is an IP address, so it needs an IP SAN entry rather than a DNS one;
# clients only match an IP in the URL against iPAddress entries
IP.1 = 127.0.0.1
- generate cert using
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
- convert cert to pfx using
openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
- (optionally) verify cert using
openssl verify -CAfile localhost.crt localhost.crt
which should yield localhost.crt: OK
- as it's not trusted yet, using
openssl verify localhost.crt
should fail with
CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed
trust this cert:
- copy localhost.crt to /usr/local/share/ca-certificates
- trust the certificate using sudo update-ca-certificates
- verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
- verifying the cert without the CAfile option should work now:
$ openssl verify localhost.crt
localhost.crt: OK
force your application to use this cert:
- update your appsettings.json with the following settings:
"Kestrel": {
"Certificates": {
"Default": {
"Path": "localhost.pfx",
"Password": ""
}
}
}
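An added end-to-end script for the manual-certificate workaround in the answer above (example code written for this page, not part of the answer): it writes the OpenSSL config, generates the key, certificate and PFX, and checks in one place what the answer verifies by hand. It assumes openssl 1.1.1 or later on PATH; the function names, the scratch directory argument and the extendedKeyUsage line are my additions. Two deliberate differences from the answer's localhost.conf: 127.0.0.1 is listed as IP.1 rather than DNS.2, because a TLS client only matches an IP address in the URL against an iPAddress SAN, and prompt = no replaces the interactive commonName prompt so the script runs unattended. keyUsage keeps keyCertSign: OpenSSL 1.1.x's issuer check rejects an issuer certificate without that bit, so a self-signed certificate lacking it never finds its own issuer, which is the "error 20 at 0 depth" the dev-certs certificate produces.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). Assumes openssl >= 1.1.1.
set -eu

# Equivalent of the answer's localhost.conf, with an IP SAN for 127.0.0.1.
write_localhost_conf() {
    cat > "$1" <<'EOF'
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
commonName = localhost
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
# keyCertSign lets OpenSSL 1.1.x accept this cert as its own issuer.
keyUsage = keyCertSign, cRLSign, digitalSignature, keyEncipherment
# serverAuth EKU is an addition; it is what browsers expect on a TLS server cert.
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
}

# Generate key, self-signed cert and PFX under $1 (a scratch directory).
make_localhost_cert() {
    dir=$1
    write_localhost_conf "$dir/localhost.conf"
    # umask 077 keeps the private key readable by the owner only.
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/localhost.key" -out "$dir/localhost.crt" \
        -config "$dir/localhost.conf" 2>/dev/null )
    # Empty export password, matching "Password": "" in appsettings.json.
    openssl pkcs12 -export -out "$dir/localhost.pfx" \
        -inkey "$dir/localhost.key" -in "$dir/localhost.crt" \
        -passout pass: 2>/dev/null
}

# Re-run the answer's checks: the cert verifies against itself with -CAfile,
# carries both SANs, and the PFX opens with the empty password. Returns 0 if all pass.
check_localhost_cert() {
    dir=$1
    openssl verify -CAfile "$dir/localhost.crt" "$dir/localhost.crt" >/dev/null 2>&1 || return 1
    san=$(openssl x509 -in "$dir/localhost.crt" -noout -text | grep -A1 'Subject Alternative Name')
    echo "$san" | grep -q 'DNS:localhost' || return 1
    echo "$san" | grep -q 'IP Address:127.0.0.1' || return 1
    openssl pkcs12 -in "$dir/localhost.pfx" -passin pass: -nokeys -out /dev/null 2>/dev/null || return 1
    return 0
}

# The system-wide trust step needs root, so it is printed rather than executed.
print_trust_steps() {
    dir=$1
    cat <<EOF
sudo cp $dir/localhost.crt /usr/local/share/ca-certificates/localhost.crt
sudo update-ca-certificates
openssl verify $dir/localhost.crt
EOF
}
```

Run make_localhost_cert "$PWD" from the project directory, then point Kestrel's "Path" at the resulting localhost.pfx as in the appsettings.json fragment above; check_localhost_cert "$PWD" should succeed before you touch the trust store, and print_trust_steps "$PWD" lists the three commands that still need sudo. The last of those, openssl verify without -CAfile, is the only check that proves the system store trusts the certificate.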
Answer 2:
Looks like this is a known issue with dotnet global tools and that specific command is only available for MacOS and Windows. See this issue on github: Issue 6066.
It seems like there may be a work around for Linux users based on this SO post: ASP.Net Core application service only listening to Port 5000 on Ubuntu.
Answer 3:
For Chrome:
- Click "Not Secure" in address bar.
- Click Certificate.
- Click Details.
- Click Export.
Run: certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n {FILE_NAME} -i {FILE_NAME}
Restart Chrome.
Source: https://stackoverflow.com/questions/55485511/how-to-run-dotnet-dev-certs-https-trust