dotnet dev-certs - UntrustedRoot #41503

@Dunklas

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I'm having trouble making HTTPS requests from one dotnet application to another. The request fails with the exception System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot.

I've generated a dev-cert using dotnet dev-certs https --trust. I'm running Ubuntu and have followed the instructions here. I am able to successfully make HTTPS requests to the application using curl (without the --insecure flag), and the certificate is trusted by my browsers. However, for some reason I'm not able to make requests from a dotnet application.

OpenSSL version I've installed is 1.1.1l 24 Aug 2021.

I noted there's a similar issue here. In there it was mentioned that key usage certificate signing was required. Thus I've tried to generate a certificate using this script too, but experience the same issue.

Complete stack trace:

Unhandled exception. System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at test.Program.Main(String[] args) in /home/rickard/test/Program.cs:line 14
   at test.Program.<Main>(String[] args)

Output from dotnet --info:

➜  ~ dotnet --info
.NET SDK (reflecting any global.json):
 Version:   6.0.202
 Commit:    f8a55617d2

Runtime Environment:
 OS Name:     ubuntu
 OS Version:  21.10
 OS Platform: Linux
 RID:         ubuntu.21.10-x64
 Base Path:   /usr/share/dotnet/sdk/6.0.202/

Host (useful for support):
  Version: 6.0.4
  Commit:  be98e88c76

.NET SDKs installed:
  6.0.202 [/usr/share/dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 5.0.16 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 6.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 5.0.16 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 6.0.4 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET runtimes or SDKs:
  https://aka.ms/dotnet-download

Expected Behavior

Certificate should be trusted.

Steps To Reproduce

  1. Generate a new dev-cert using dotnet dev-certs https --trust.
  2. Make sure it's trusted:
    • sudo -E dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM
    • sudo update-ca-certificates
  3. Create one project using dotnet new webapi.
  4. Observe that it's possible to make HTTPS requests to the webapi using curl:
    • curl https://localhost:7004/weatherForecast
  5. Create another project using dotnet new console.
  6. Make a request from the console app to the webapi:
using System;
using System.Net.Http;
using System.Threading.Tasks;

namespace test
{
    class Program
    {
        private static readonly HttpClient client = new HttpClient();

        static async Task Main(string[] args)
        {
            await client.GetAsync("https://localhost:7004/weatherForecast");
        }
    }
}
  7. Observe that HTTPS request fails with System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot.

Exceptions (if any)

System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot

.NET Version

6.0.202

Anything else?

No response
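
To see which chain element .NET rejects, and whether the certificate carries the certificate-signing key usage mentioned in the report, the console app from the reproduction steps can log the chain it built. This is an added example, not code from the issue; the callback name LogChain is hypothetical, and it returns the platform's own verdict unchanged, so validation is not weakened.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

namespace test
{
    class Program
    {
        // Hypothetical helper: prints what the .NET chain builder saw, then
        // returns the platform's own decision so a bad chain is still refused.
        static bool LogChain(HttpRequestMessage request, X509Certificate2? cert,
                             X509Chain? chain, SslPolicyErrors errors)
        {
            Console.WriteLine($"SslPolicyErrors: {errors}");
            if (cert != null)
                Console.WriteLine($"Leaf: {cert.Subject}, issuer: {cert.Issuer}");
            if (chain == null) return errors == SslPolicyErrors.None;
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.WriteLine($"Element: {element.Certificate.Subject}");
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.WriteLine($"  {status.Status}: {status.StatusInformation}");
                foreach (X509Extension ext in element.Certificate.Extensions)
                {
                    if (ext is X509KeyUsageExtension ku)
                        Console.WriteLine($"  KeyUsage: {ku.KeyUsages}");
                    else if (ext is X509BasicConstraintsExtension bc)
                        Console.WriteLine($"  CA: {bc.CertificateAuthority}");
                }
            }
            return errors == SslPolicyErrors.None;
        }

        static async Task Main(string[] args)
        {
            using var handler = new HttpClientHandler
            {
                ServerCertificateCustomValidationCallback = LogChain
            };
            using var client = new HttpClient(handler);
            // URL taken from the reproduction steps above.
            using var response = await client.GetAsync("https://localhost:7004/weatherForecast");
            Console.WriteLine($"HTTP {(int)response.StatusCode}");
        }
    }
}
```

When the chain is rejected, the request still throws the same AuthenticationException; the per-element status lines are printed before it.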
