cannot trust development https certificate in ubuntu 18.04.2 LTS #10174

Closed
opensas opened this issue May 11, 2019 · 1 comment
Labels
area-commandlinetools Includes: Command line tools, dotnet-dev-certs, dotnet-user-jwts, and OpenAPI feature-devcerts


opensas commented May 11, 2019

Describe the bug

Cannot trust development https certificate in ubuntu 18.04.2 LTS
A clear and concise description of what the bug is.

To Reproduce

  1. Create a rest api project and try to access the https endpoint using curl
$ dotnet new angular

$ curl -I -X GET 'https://localhost:5001/api/SampleData/WeatherForecasts'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

This is what I tried to do to add the certificate

# export netcore development certificate
$ dotnet dev-certs https -ep ~/tmp/localhost.pfx -p somepassword

# convert it to crt
$ openssl pkcs12 -in ~/tmp/localhost.pfx -clcerts -nokeys -out ~/tmp/localhost.crt

# copy to a folder in /usr/local/share/ca-certificates/ 
$ cd /usr/local/share/ca-certificates/
$ sudo mkdir dotnet_devel
$ sudo chmod -R 755 dotnet_devel
$ mkdir dotnet_devel
$ cd dotnet_devel
$ sudo cp ~/tmp/localhost.crt .
$ sudo chmod -R 644 localhost.crt

# update CA trusted certificates repository
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:localhost.pem
done.
done.

Also tried setting the CURL_CA_BUNDLE env var like this:

$ export CURL_CA_BUNDLE=/usr/local/share/ca-certificates/dotnet_devel/localhost.crt

I keep getting the same curl error; moreover, Firefox and Chrome tell me the connection is not secure.

I think it is very necessary to provide an official guide telling how to configure it, at least for Debian-, Arch- and Fedora-based distros; with those distros you have covered most cases.

Expected behaviour

curl should be able to access the https endpoint, browsers should not complain

Additional context

$ dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   2.2.203
 Commit:    e5bab63eca

Runtime Environment:
 OS Name:     ubuntu
 OS Version:  18.04
 OS Platform: Linux
 RID:         ubuntu.18.04-x64
 Base Path:   /home/sas/devel/opt/dotnet-2_2_203/sdk/2.2.203/

Host (useful for support):
  Version: 2.2.4
  Commit:  f95848e524

.NET Core SDKs installed:
  2.2.203 [/home/sas/devel/opt/dotnet-2_2_203/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.2.4 [/home/sas/devel/opt/dotnet-2_2_203/shared/Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.2.4 [/home/sas/devel/opt/dotnet-2_2_203/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.2.4 [/home/sas/devel/opt/dotnet-2_2_203/shared/Microsoft.NETCore.App]

$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

References

https://askubuntu.com/questions/645818/how-to-install-certificates-for-command-line/649463#649463

#7246 (comment)

https://curl.haxx.se/docs/sslcerts.html

Eilon added the area-commandlinetools Includes: Command line tools, dotnet-dev-certs, dotnet-user-jwts, and OpenAPI label May 13, 2019

mkArtakMSFT (Member) commented

Thanks for contacting us. There is no native trust support in Linux and that's why the trust command is not supported there.

ghost locked as resolved and limited conversation to collaborators Mar 24, 2020
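
Added example, not part of the original issue or of the dotnet project: a shell diagnostic for a PEM certificate such as the ~/tmp/localhost.crt exported in the report above. It reports whether the certificate is self-issued, prints the extensions OpenSSL consults when building a chain, and asks OpenSSL whether it accepts the certificate as its own trust anchor. The function name check_dev_cert and the script name are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic, not part of the issue: report how OpenSSL (the TLS library
# behind the curl build shown above) sees a PEM certificate.
# Function and variable names are made up for this example.

# check_dev_cert CERT
# Returns 0 if OpenSSL verifies CERT with CERT itself as the trust anchor,
# 1 if that verification fails, 2 if CERT cannot be read or parsed.
check_dev_cert() {
    cdc_cert=$1
    [ -r "$cdc_cert" ] || { echo "cannot read: $cdc_cert" >&2; return 2; }

    # Equal name hashes mean subject == issuer (a self-issued certificate).
    cdc_subj=$(openssl x509 -in "$cdc_cert" -noout -subject_hash 2>/dev/null) || return 2
    cdc_iss=$(openssl x509 -in "$cdc_cert" -noout -issuer_hash 2>/dev/null) || return 2
    if [ "$cdc_subj" = "$cdc_iss" ]; then
        echo "self-issued: yes"
    else
        echo "self-issued: no (the issuer's certificate must be trusted instead)"
    fi

    # Extensions OpenSSL consults when deciding whether a certificate may act
    # as an issuer, plus the host names the certificate is valid for.
    openssl x509 -in "$cdc_cert" -noout -text |
        grep -A1 -E 'X509v3 (Basic Constraints|Key Usage|Subject Alternative Name)' |
        sed 's/^ */  /'

    # Chain building with this certificate as the only CA file supplied.
    cdc_out=$(openssl verify -CAfile "$cdc_cert" "$cdc_cert" 2>&1)
    echo "$cdc_out"
    case $cdc_out in
        *": OK"*) echo "verdict: accepted as its own trust anchor"; return 0 ;;
        *)        echo "verdict: rejected by OpenSSL chain building"; return 1 ;;
    esac
}

# Run as: sh check_dev_cert.sh ~/tmp/localhost.crt
if [ "$#" -gt 0 ]; then
    check_dev_cert "$1"
fi
```

A rejection here means that copying the file into /usr/local/share/ca-certificates/ or pointing CURL_CA_BUNDLE at it cannot help, because OpenSSL refuses the certificate even when it is the only trust anchor offered.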