dotnet dev-certs - UntrustedRoot

[Dunklas]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

I'm having trouble making HTTPS requests from one dotnet application to another. The request fails with the exception System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot.

I've generated a dev-cert using dotnet dev-certs https --trust. I'm running Ubuntu and have followed the instructions here. I am able to successfully make HTTPS requests to the application using curl (without --insecure flag) , and the certificate is trusted by my browsers. However, for some reason I'm not able to make requests from a dotnet application.

OpenSSL version I've installed is 1.1.1l 24 Aug 2021.

I noted there's a similar issue here. In there it was mentioned that key usage certificate signing was required. Thus I've tried to generate a certificate using this script too, but experience the same issue.

Complete stack trace:

Unhandled exception. System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at test.Program.Main(String[] args) in /home/rickard/test/Program.cs:line 14
   at test.Program.<Main>(String[] args)

Output from dotnet --info:

➜  ~ dotnet --info
.NET SDK (reflecting any global.json):
 Version:   6.0.202
 Commit:    f8a55617d2

Runtime Environment:
 OS Name:     ubuntu
 OS Version:  21.10
 OS Platform: Linux
 RID:         ubuntu.21.10-x64
 Base Path:   /usr/share/dotnet/sdk/6.0.202/

Host (useful for support):
  Version: 6.0.4
  Commit:  be98e88c76

.NET SDKs installed:
  6.0.202 [/usr/share/dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 5.0.16 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 6.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 5.0.16 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 6.0.4 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET runtimes or SDKs:
  https://aka.ms/dotnet-download

Expected Behavior

Certificate should be trusted.

Steps To Reproduce

1. Generate a new dev-cert using dotnet dev-certs https --trust.
2. Make sure it's trusted:
   • sudo -E dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM
   • sudo update-ca-certificates
3. Create one project using dotnet new webapi.
4. Observe that it's possible to make HTTPS requests to the webapi using curl:
   • curl https://localhost:7004/weatherForecast
5. Create another project using dotnet new console.
6. Make a request from the console app to the webapi:

using System;
using System.Net.Http;
using System.Threading.Tasks;

namespace test
{
    class Program
    {
        private static readonly HttpClient client = new HttpClient();

        static async Task Main(string[] args)
        {
            await client.GetAsync("https://localhost:7004/weatherForecast");
        }
    }
}

7. Observe that HTTPS request fails with System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot.

Exceptions (if any)

System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot

.NET Version

6.0.202

Anything else?

No response

[Dunklas]

After running the ubuntu-script at https://github.com/BorisWilhelms/create-dotnet-devcert and rebooting my computer a few times, it seems to suddenly work fine.