1

I have created a trusted certificate as follows (cleaning up potential pre-junk). During that, I got the popups telling my that a gang of crazy donkeys can do evil things if this is a root cert. The last comamnd confirms that I have a working certificate. I even ran the commands twice to verify that cleaning would produce a warning too, which it did, just as expected.

dotnet dev-certs https --clean
dotnet dev-certs https --trust
dotnet dev-certs https --verbose

I haven't imported any PFX-files as my understanding is that working in development towards a localhost instance doesn't require that. That seems to be confirmed by the information in the console letting my know that the certificate is generated properly. Running dotnet dev-certs http --check produces no warnings (no confirmation neither, it's no content in the result).

The HTTPS developer certificate was generated successfully.
A valid HTTPS certificate is already present.

Then I executed a call to my token dispencer endpoint getting a reply as expected too. It comes back from a secure HTTPS on localhost:5001/connect/token and containes all the vital parts.

{
  "access_token": "eyJhbGciO...Ow7EEkA",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "myapi.read"
}

What bothers me is the warning with red icon and the text Unable to verify the first certificate.

enter image description here

I've made sure to disable SSL checking and turned off CA Certificated (althoug I haven't added any Client Certificates in that menu. Googling gives me a bunch of hits on problems related to Ubuntu and/or MacOs but I'm based on a good old Win10 so those turned out irrelevant.

Have I misunderstood the approach all together or, possibly, confused some of the concepts? If not, what can I do to trouble-shoot it further?

Konrad Viltersten
  • 36,151
  • 76
  • 250
  • 438
  • So postman can't validate the TLS cert used by your website? Does the TLS cert validate in a browser that uses the OS cert store? For example, Chrome? – Scott Brady Jul 15 '21 at 20:32
  • I'm not using any specific cert. Just the one that I add using [`dotnet dev-certs`](https://learn.microsoft.com/en-us/dotnet/core/additional-tools/self-signed-certificates-guide). Is that something that I can confirm in a browser? At any rate, the bounty needs to be awarded in less than 22 hours now... Feel free to take a wild whack. We can figure it out after the awardation. – Konrad Viltersten Jul 16 '21 at 11:33

1 Answers1

1

I dig in to this a little.

dotnet dev-certs https --trust command just creates/makes sure a new localhost certificate (with friend name ASP.NET Core HTTPS development certificate) and puts it into the trust root store.

IIS Express server however won't use it automatically. It still uses the certificate (friend name is localhost) that is created when you run the APS.NET Core web app for the first time. If this certificate is removed from trust root store you will get the cert error.

You have a few options to address this issue.

  1. Reset the IIS Express cert.

  2. Switch the cert IISExpress use to the one you just created, you can retrieve it using the PowerShell command below and following this link.

Get-ChildItem -path cert:\currentUser\My | Select-Object FriendlyName, subject, Thumbprint

Konrad Viltersten
  • 36,151
  • 76
  • 250
  • 438
LarryX
  • 591
  • 2
  • 7
  • Very clearly explained. It wasn't a big problem in practical terms. But currently, I'm on a war path with the IDS4 and security generally so I'm eliminating all those nice-to-have's to get a firm grip. It's going to cost me a butt load of bounties but the result is worth it. If you're good with IDS4 and chase some rep, go nuts. :) – Konrad Viltersten Jul 17 '21 at 06:15