Migrated an aspnet core app from .Net Core 2.2 to .Net Core 3.1 and now requests to the app fail with:
```
The ASP.NET Core developer certificate is in an invalid state. To fix this issue, run the following commands 'dotnet dev-certs https --clean' and 'dotnet dev-certs https' to remove all existing ASP.NET Core development certificates and create a new untrusted developer certificate. On macOS or Windows, use 'dotnet dev-certs https --trust' to trust the new certificate.
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+AppleCrypto+SslException: Internal error
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__69_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
   at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.InnerOnConnectionAsync(ConnectionContext context)
fail: Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware[3]
```
Things I tried without success:
1) `dotnet dev-certs https --clean`, `dotnet dev-certs https` and `dotnet dev-certs https --trust` as described in the exception
2) manually deleting the certificates from the keychain and then running `dotnet dev-certs https --trust`
3) uninstalling all .net versions with the `dotnet-core-uninstall` tool and installing only .Net Core 3.1, then repeating 1) and 2)
I tried to debug the framework code and the underlying exception in `CertificateManager.CheckDeveloperCertificateKey` is
```
The operation couldn’t be completed. (OSStatus error -2147416032 - CSSMERR_CSP_OPERATION_AUTH_DENIED)
```
It looks like this may be related to https://github.com/dotnet/aspnetcore/pull/17581
```
dotnet new mvc
dotnet run
open "https://localhost:5001/"
```
3.10
dotnet --info
```
⇒ dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   3.1.100
 Commit:    cd82f021f4

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  10.13
 OS Platform: Darwin
 RID:         osx.10.13-x64
 Base Path:   /usr/local/share/dotnet/sdk/3.1.100/

Host (useful for support):
  Version: 3.1.0
  Commit:  65f04fb6db

.NET Core SDKs installed:
  3.1.100 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
```
Happens in terminal with `dotnet run` and in VS Code as well.
VS Code version:
Version: 1.41.1
Commit: 26076a4de974ead31f97692a0d32f90d735645c0
Date: 2019-12-18T14:57:51.166Z
Electron: 6.1.5
Chrome: 76.0.3809.146
Node.js: 12.4.0
V8: 7.6.303.31-electron.0
OS: Darwin x64 17.7.0
> It looks like this may be related to #17581

It shouldn't be, that's only needed for macOS Catalina (10.15).
@javiercn do you know what might be going on here?
@anurse it could be.
Try adding
```xml
<PropertyGroup>
  <UseAppHost>false</UseAppHost>
</PropertyGroup>
```
to see if that fixes the issue with dotnet run.
Adding `<UseAppHost>false</UseAppHost>` fixed it for me (following the same steps as the OP to reproduce the issue, with new certificates).
Output of `dotnet --info`:
```
➜ dotnet --info
.NET Core SDK (reflecting any global.json):
Version: 3.1.100
Commit: cd82f021f4
Runtime Environment:
OS Name: Mac OS X
OS Version: 10.15
OS Platform: Darwin
RID: osx.10.15-x64
Base Path: /usr/local/share/dotnet/sdk/3.1.100/
Host (useful for support):
Version: 3.1.0
Commit: 65f04fb6db
.NET Core SDKs installed:
3.1.100 [/usr/local/share/dotnet/sdk]
.NET Core runtimes installed:
Microsoft.AspNetCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.14 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.2.8 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.0.1 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download
```
This is the notarization issue on OS X. This is a known issue and we are working on a fix.
We can close this as it’s a dupe.
I can confirm that `<UseAppHost>false</UseAppHost>` fixed the issue for me as well. Thanks!
Ok, closing this then. We're very well aware of issues with certificates on macOS Catalina and are working on a fix. The workaround @javiercn indicated should help resolve this issue while we fix the underlying problem.
> @anurse it could be.
> Try adding
> `<PropertyGroup> <UseAppHost>false</UseAppHost> </PropertyGroup>`
> to see if that fixes the issue with dotnet run.

Works for me. It seems like the problem hasn’t been fixed in .net core 3.1.101 build though
FYI, the solution:
```xml
<PropertyGroup>
  <UseAppHost>false</UseAppHost>
</PropertyGroup>
```
Worked for me on Catalina only. It did not work on Mojave.
Does anyone know why this solution works?
Is this an issue with the dev certificate generation/installation or in the SslStream class? Because I get this same error when using an HttpClient to make an HTTPS request to a local aspnet core app or to any HTTPS URL when using the Burp proxy, which requires installing a root cert in the keychain.
I'm just wondering if I need to open a bug with PortSwigger about this, or if the fix in .NET core will take care of it.
@javiercn:
I have dotnet 3.1.102 installed on macOS Mojave 10.14.6.
I have self-signed SSL certificates installed in my Keychain. Chrome and Safari are fine with these certificates. But, when I make an HTTP request in C#, using dotnet core, to a website that uses one of those certs, I get a very similar stack trace to the one in this issue, where System.Net.Security.SslStream.StartSendAuthResetSignal ultimately throws an exception stating, "the remote certificate is invalid according to the validation procedure."
I'm asking here, since the "dup" issue doesn't really explain the problem in a way that I understand.
My question is: Is #17581 about dotnet core being unable to read or utilize self-signed certs that are added to the keychain? Or do I have a novel issue?
I want to run with just HTTP not HTTPS.
I added the property group and it still fails with an error.
I'm running 10.13.6 (High Sierra)
dotnet 3.0.1
In startup I have commented out `app.UseHttpsRedirection();`.
I added the property group in my project `<UseAppHost>false</UseAppHost>`.
Any tips?