This repository has been archived by the owner on Nov 20, 2023. It is now read-only.

The remote certificate is invalid according to the validation procedure #367

Open
kfrancis opened this issue Apr 14, 2020 · 12 comments
Labels
bug Something isn't working

Comments

@kfrancis

Describe the bug

I'm just trying to follow the getting started procedure, but can't view the site once I get through the tutorial because of an SSL localhost issue.

To Reproduce

  1. Follow this tutorial: https://github.com/dotnet/tye/blob/master/docs/tutorials/hello-tye/00_run_locally.md
  2. On step 8, try and browse frontend

Got Exceptions? Include both the message and the stack trace

System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslStream.ThrowIfExceptional()
   at System.Net.Security.SslStream.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__65_1(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

Further technical details

Tye Version: 0.1.0-alpha.20209.5+e3fc0045bd1e5913da935241874761929f1e8465
Platform: Microsoft Windows [Version 10.0.18363.720]

@kfrancis kfrancis added the bug Something isn't working label Apr 14, 2020
@davidfowl
Member

If you hit the backend manually in your browser on the HTTPS port, does it work or do you get a warning?

@kfrancis
Author

@davidfowl Just a 404, but I think that's expected.

@brendandburns
Contributor

@davidfowl I'm seeing this also on Ubuntu 18.04.

@brendandburns
Contributor

fwiw, hitting the backend directly also shows an invalid certificate.

Chrome/Edgeium doesn't show a big obvious invalid cert warning on a 404 for whatever reason.

@jkotalik
Contributor

The only thing I can think of is regenerating the dotnet dev certs. Can you try running

dotnet dev-certs https --clean
dotnet dev-certs https
dotnet dev-certs https --trust

Besides that, I'm not sure; I'd need to investigate this via repro'ing it. Putting this on the 0.2 milestone.

@jkotalik jkotalik added this to the 0.2 milestone Apr 22, 2020
@brendandburns
Contributor

dotnet dev-certs https --trust doesn't appear to be a valid command.

@davidfowl
Member

> fwiw, hitting the backend directly also shows an invalid certificate.

OK good this is what I expected. This is a gap with linux and .NET in general unfortunately...

> dotnet dev-certs https --trust doesn't appear to be a valid command.

Yes @spboyer ran into this as well. Let me dig up the docs for this...
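
Added example (not part of the thread, and not Tye or .NET code): the exception reported above is what a TLS client raises when a self-signed certificate is missing from the trust store it consults. The script reproduces that with `openssl`, using a throwaway self-signed `CN=localhost` certificate as a stand-in for the development certificate; every file and function name here is constructed for the illustration.

```shell
#!/usr/bin/env bash
# Added example: a self-signed localhost certificate fails validation until
# it is present in the trust bundle the client checks against.
# The certificates are generated on the fly (constructed sample data); they
# are NOT the certificate that `dotnet dev-certs` creates.

# make_self_signed <dir> <name> <cn>: writes <dir>/<name>.pem and <name>.key
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# is_trusted <cert> <trust-bundle>: succeeds only if openssl reports "OK"
is_trusted() {
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# demo: echoes the verdict before and after the cert is added to the bundle
demo() {
  local dir before after
  dir=$(mktemp -d) || return 1
  make_self_signed "$dir" devcert localhost || return 1
  make_self_signed "$dir" otherca "Unrelated Test CA" || return 1

  # Bundle without the dev cert: the certificate exists and the server
  # presents it, but nothing on the client side vouches for it.
  cp "$dir/otherca.pem" "$dir/bundle.pem"
  if is_trusted "$dir/devcert.pem" "$dir/bundle.pem"; then
    before=trusted
  else
    before=untrusted
  fi

  # Adding the certificate to the bundle is the effect a trust step has.
  cat "$dir/devcert.pem" >> "$dir/bundle.pem"
  if is_trusted "$dir/devcert.pem" "$dir/bundle.pem"; then
    after=trusted
  else
    after=untrusted
  fi

  rm -rf "$dir"
  echo "$before $after"
}

demo
```

The first verdict corresponds to the state described in this thread: regenerating the certificate alone does not help if no trust step follows it.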

@jkotalik
Contributor

TIL dotnet dev-certs https --trust isn't a command on linux.

@brendandburns
Contributor

@davidfowl the docs here:

https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-3.1&tabs=visual-studio#troubleshoot-certificate-problems

Are busted as they indicate that dotnet dev-certs https --trust is available on all platforms.

@davidfowl
Member

OK I looked into this a bit and the story is very complicated for linux. Even worse is that our docs don't give any hint that it is (that's being fixed). I found the same crazy stackoverflow link you did...

I'm going to make sure some of this gets documented for ubuntu on the ASP.NET Core docs...

@brendandburns
Contributor

fwiw, credit to @jkotalik for sending me the stack overflow doc.

@brendandburns
Contributor

Might want to hold off merging this, as adding the pfx file breaks the Kubernetes deployment since it doesn't package the cert as a secret for the backend pod.

@jkotalik jkotalik modified the milestones: 0.2, 0.3 May 11, 2020
@jkotalik jkotalik modified the milestones: 0.3, backlog Jun 8, 2020
@philliphoff philliphoff removed this from the backlog milestone Sep 29, 2021