2

I am developing a web api and a web app locally. I am having trouble calling the web api from the web app.

When I call it I keep getting the error: "The remote certificate is invalid according to the validation procedure."

Both apps are built with ASP.Net Core and are running on kestrel. The webapp is callable as https://mylibrary.com:5003 and the Web API is callable as https://api.mylibrary.com:5001.

How can I get them working together with valid certificates?

Edit: Come to realise that the issue is that the apps are using localhost certs by default. I want to be able to use my own self signed cert.

If someone can point me to somewhere that explains how to set up two apps to use a self-signed certificate in .net core web projects please do :)

radulfr
  • 114
  • 3
  • 13
  • have you tried enable cors? – gadasadox Jan 27 '20 at 07:55
  • didn't help, thanks anyway. – radulfr Jan 27 '20 at 08:11
  • have you installed the dev-certificates locally? (`dotnet dev-certs https --trust`) – Riscie Jan 27 '20 at 08:40
  • Yep. I deleted them and reinstalled them just in case. – radulfr Jan 27 '20 at 08:41
  • in your browser, open an api-endpoint and have a look at the certificate. it should give you some insights to why the certificate is invalid and what certifiacate is being used. Also: What OS are you developing on? – Riscie Jan 27 '20 at 08:42
  • @radulfr what are you trying to achive here? is the caller app build with asp .net core too or is it a frontend client (e.g angular, reacts)? – gadasadox Jan 27 '20 at 09:10
  • @Riscie Chrome says the cert is invalid due to being to common name. I am now trying to created and set up the apps to use my own self signed certificates. – radulfr Jan 31 '20 at 10:13
  • @Riscie if you can point me to somewhere that explains how to set up two apps to use a self-signed certificate in .net core web projects please do :) – radulfr Jan 31 '20 at 11:22
  • well actually your dev certificates should be used automatically. Did you go trough these troubleshooting steps: https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-3.1&tabs=visual-studio#troubleshoot-certificate-problems ? – Riscie Jan 31 '20 at 12:55
  • @Riscie Still getting the SSL issue. – radulfr Feb 01 '20 at 01:48
  • removing the url alias and calling the api as localhost prevents the ssl issue. Is there a way I can get https://api.mylibrary.com:5001/ to work? – radulfr Feb 01 '20 at 02:12
  • The certs are only valid for localhost. Should have read better. Did you add these addresses to your hosts file? – Riscie Feb 01 '20 at 09:27
  • Yes I did. as an alias for 127.0.0.1 – radulfr Feb 01 '20 at 09:57

2 Answers2

2

If you need to work around the cert validation using HttpClient, you could do it by creating a HttpClientHandler and passing it to HttpClient as per Rohit Jangid's answer to The SSL connection could not be established

HttpClientHandler clientHandler = new HttpClientHandler();
clientHandler.ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; };

// Pass the handler to httpclient(from you are calling api)
HttpClient client = new HttpClient(clientHandler)

Avoid accidentally circumventing certificate validation in production by checking if it is in development environment:

HttpClient httpClient = new HttpClient();
if (env.IsDevelopment())
{
    HttpClientHandler clientHandler = new HttpClientHandler();
    clientHandler.ServerCertificateCustomValidationCallback = (sender, cert, chain, ssl) => { return true; };

    httpClient = new HttpClient(clientHandler);
}

Inject information about webhostenvironment by injecting it in the handler/action:

public async Task OnGet([FromServices] IWebHostEnvironment env)
hashten
  • 149
  • 1
  • 9
0

Please try to use RestSharp library to make the webapi request and set the cert validation to true. see here

or you can install the dotnet dev certs by executing dotnet dev-certs https --trust in a command promt or powershell

gadasadox
  • 109
  • 1
  • 9
  • He is making the requests from his frontend. Why are you suggesting using RestSharp? – Riscie Jan 27 '20 at 09:06
  • he says "Both apps are built with ASP.Net Core". am i missing something here? – gadasadox Jan 27 '20 at 09:08
  • That's true. But why would your solution help him with the certificate issues? The library used for the rest calls should have nothing to do with the problem that the certificates are not being trusted. – Riscie Jan 27 '20 at 09:09
  • he needs to override the certificate validation callback, thats why i suggest him to use restsharp (it's easier). take a look at my gist. he can achieve this with regular httpclient too, i just haven't test that way yet. – gadasadox Jan 27 '20 at 09:15
  • I would argue it would be a better approach to solve the root cause of the certificate trust issues, instead of overwriting validation logic. Before doing so, he would be better advices to turn `https` off and use the api without ssl. Or am I maybe misunderstanding what you suggest here? – Riscie Jan 27 '20 at 09:18
  • he is in a dev environment, and asp .net core api uses https by default it's a certificate (self sign) that were used by kestrel. – gadasadox Jan 27 '20 at 09:29
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/206697/discussion-between-gadasadox-and-riscie). – gadasadox Jan 27 '20 at 09:31