HTTPS requests fail with "The ASP.NET Core developer certificate is in an invalid state." #18236

Closed
georgiyordanov opened this issue Jan 9, 2020 · 13 comments
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions ✔️ Resolution: Duplicate Resolved as a duplicate of another issue Status: Resolved


@georgiyordanov

georgiyordanov commented Jan 9, 2020

Describe the bug

Migrated an aspnet core app from .Net Core 2.2 to .Net Core 3.1 and now requests to the app fail with

 The ASP.NET Core developer certificate is in an invalid state. To fix this issue, run the following commands 'dotnet dev-certs https --clean' and 'dotnet dev-certs https' to remove all existing ASP.NET Core development certificates and create a new untrusted developer certificate. On macOS or Windows, use 'dotnet dev-certs https --trust' to trust the new certificate.
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+AppleCrypto+SslException: Internal error
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__69_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
   at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.InnerOnConnectionAsync(ConnectionContext context)
fail: Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware[3]

Things I tried without success:

  1. dotnet dev-certs https --clean, dotnet dev-certs https and dotnet dev-certs https --trust as described in the exception

  2. manually deleting the certificates from the keychain and then running dotnet dev-certs https --trust

  3. uninstalling all .net versions with dotnet-core-uninstall tool and installing only .Net Core 3.1 then repeating 1) and 2)

I tried to debug the framework code and the underlying exception in CertificateManager.CheckDeveloperCertificateKey is

The operation couldn’t be completed. (OSStatus error -2147416032 - CSSMERR_CSP_OPERATION_AUTH_DENIED)

It looks like this may be related to #17581

To Reproduce

dotnet new mvc
dotnet run
open "https://localhost:5001/"

Further technical details

  • ASP.NET Core version
3.10
  • Include the output of dotnet --info
⇒  dotnet --info 
.NET Core SDK (reflecting any global.json):
 Version:   3.1.100
 Commit:    cd82f021f4

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  10.13
 OS Platform: Darwin
 RID:         osx.10.13-x64
 Base Path:   /usr/local/share/dotnet/sdk/3.1.100/

Host (useful for support):
  Version: 3.1.0
  Commit:  65f04fb6db

.NET Core SDKs installed:
  3.1.100 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
  • The IDE (VS / VS Code / VS4Mac) you're running on, and its version

Happens in terminal with dotnet run and in VS Code as well.

VS Code version:

Version: 1.41.1
Commit: 26076a4de974ead31f97692a0d32f90d735645c0
Date: 2019-12-18T14:57:51.166Z
Electron: 6.1.5
Chrome: 76.0.3809.146
Node.js: 12.4.0
V8: 7.6.303.31-electron.0
OS: Darwin x64 17.7.0
@mkArtakMSFT mkArtakMSFT added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Jan 9, 2020
@analogrelay analogrelay added area-servers and removed area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer labels Jan 9, 2020
@analogrelay
Contributor

> It looks like this may be related to #17581

It shouldn't be, that's only needed for macOS Catalina (10.15).

@javiercn do you know what might be going on here?

@javiercn
Member

@anurse it could be.

Try adding

<PropertyGroup>
  <UseAppHost>false</UseAppHost>
</PropertyGroup>

to see if that fixes the issue with dotnet run.

@rmcwhae

rmcwhae commented Jan 10, 2020

Adding <UseAppHost>false</UseAppHost> fixed it for me (following the same steps as the OP to reproduce the issue, with new certificates).

Output of dotnet --info:

.NET Core SDK (reflecting any global.json):
 Version:   3.1.100
 Commit:    cd82f021f4

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  10.15
 OS Platform: Darwin
 RID:         osx.10.15-x64
 Base Path:   /usr/local/share/dotnet/sdk/3.1.100/

Host (useful for support):
  Version: 3.1.0
  Commit:  65f04fb6db

.NET Core SDKs installed:
  3.1.100 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.14 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.8 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.0.1 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

@javiercn
Member

This is the notarization issue on OS X. This is a known issue and we are working on a fix.

@javiercn
Member

We can close this as it’s a dupe.

@georgiyordanov
Author

I can confirm that <UseAppHost>false</UseAppHost> fixed the issue for me as well. Thanks!

@analogrelay
Contributor

Ok, closing this then. We're very well aware of issues with certificates on macOS Catalina and are working on a fix. The workaround @javiercn indicated should help resolve this issue while we fix the underlying problem.

@analogrelay analogrelay added the ✔️ Resolution: Duplicate Resolved as a duplicate of another issue label Jan 13, 2020
@ghost ghost added the Status: Resolved label Jan 13, 2020
@SkymanOne

> @anurse it could be.
>
> Try adding
>
> <PropertyGroup>
>   <UseAppHost>false</UseAppHost>
> </PropertyGroup>
>
> to see if that fixes the issue with dotnet run.

Works for me. It seems like the problem hasn’t been fixed in .net core 3.1.101 build though

@jacknugent

jacknugent commented Feb 26, 2020

FYI, the solution:

<PropertyGroup>
  <UseAppHost>false</UseAppHost>
</PropertyGroup>

Worked for me on Catalina only. It did not work on Mojave.

Does anyone know why this solution works?

@joshpearce

Is this an issue with the dev certificate generation/installation or in the SslStream class? Because I get this same error when using an HttpClient to make an HTTPS request to a local aspnet core app or to any HTTPS URL when using the Burp proxy, which requires installing a root cert in the keychain.

I'm just wondering if I need to open a bug with PortSwigger about this, or if the fix in .NET core will take care of it.

@javiercn
Member

javiercn commented Mar 3, 2020

Hi.

It looks like you are posting on a closed issue!

We're very likely to lose track of your bug/feedback/question unless you:

  1. Open a new issue
  2. Explain very clearly what you need help with
  3. If you think you have found a bug, include detailed repro steps so that we can investigate the problem

@joshpearce

@javiercn:

I have dotnet 3.1.102 installed on macOS Mojave 10.14.6.

I have self-signed SSL certificates installed in my Keychain. Chrome and Safari are fine with these certificates. But, when I make an HTTP request in C#, using dotnet core, to a website that uses one of those certs, I get a very similar stack trace to the one in this issue, where System.Net.Security.SslStream.StartSendAuthResetSignal ultimately throws an exception stating, "the remote certificate is invalid according to the validation procedure."

I'm asking here, since the "dup" issue doesn't really explain the problem in a way that I understand.

My question is: Is #17581 about dotnet core being unable to read or utilize self-signed certs that are added to the keychain? Or do I have a novel issue?

@gitleet

gitleet commented Mar 18, 2020

I want to run with just HTTP not HTTPS.
I added the property group and it still fails with an error.
I'm running 10.13.6 (High Sierra)

dotnet 3.0.1

In startup I have commented out app.UseHttpsRedirection();.
I added the property group in my project <UseAppHost>false</UseAppHost>.

Any tips?

@ghost ghost locked as resolved and limited conversation to collaborators Apr 17, 2020
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Aug 24, 2023