Develop Reference

How to run 'dotnet dev-certs https --trust'?

I'm new in ASP.NET.
Environment:
Ubuntu 18.04
Visual Studio Code
.NET SDK 2.2.105
I'm in trouble with some command running.
I was reading tutorial at
https://learn.microsoft.com/ja-jp/aspnet/core/tutorials/razor-pages/razor-pages-start?view=aspnetcore-2.2&tabs=visual-studio-code
and ran this command:
dotnet dev-certs https --trust
I expect https://localhost should be trusted.
but I found the error message;
$ Specify --help for a list of available options and commands.
It seems that the command "dotnet dev-certs https" has no --trust options.
How to resolve this problem?

On Ubuntu the standard mechanism would be:
dotnet dev-certs https -v to generate a self-signed cert
convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
copy localhost.crt to /usr/local/share/ca-certificates
trust the certificate using sudo update-ca-certificates
verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
verify if it's trusted using openssl verify localhost.crt
Unfortunately this does not work:
dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:
$ openssl verify localhost.crt
CN = localhost
error 20 at 0 depth lookup: unable to get local issuer certificate
error localhost.crt: verification failed
due to that it's impossible to have a dotnet client trust the certificate
Workaround: (tested on Openssl 1.1.1c)
manually generate self-signed cert
trust this cert
force your application to use this cert
In detail:
manually generate self-signed cert:
create localhost.conf file with the following content:
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64
[req_ext]
subjectAltName = #alt_names
[v3_ca]
subjectAltName = #alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
generate cert using openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
convert cert to pfx using openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
(optionally) verify cert using openssl verify -CAfile localhost.crt localhost.crt which should yield localhost.crt: OK
as it's not trusted yet using openssl verify localhost.crt should fail with
CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed
trust this cert:
copy localhost.crt to /usr/local/share/ca-certificates
trust the certificate using sudo update-ca-certificates
verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
verifying the cert without the CAfile option should work now
$ openssl verify localhost.crt
localhost.crt: OK
force your application to use this cert
update your appsettings.json with the following settings:
"Kestrel": {
"Certificates": {
"Default": {
"Path": "localhost.pfx",
"Password": ""
}
}
}

While the answer provided by #chrsvdb is helpful it does not solve all problems. I still had issue with service-to-service communication (HttpClient - PartialChain error) and also you must reconfigure Kestrel to use your own certificate. It is possible to create a self-signed certificate and import it to the .NET SDK. All you need is to specify the 1.3.6.1.4.1.311.84.1.1 extension in the certificate.
After that the cert can be imported into .NET Core SDK and trusted. Trusting in Linux is a bit hard as each application can have it's own certificate store. E.g. Chromium and Edge use nssdb which can be configured with certutil as described John Duffy. Unfortunately the location to the nssdb maybe different when you install application as snap. Then each application has its own database. E.g. for Chromium Snap the path will be $HOME/snap/chromium/current/.pki/nssdb, for Postman Snap the will be $HOME/snap/postman/current/.pki/nssdb and so on.
Therefor I have created a script which generates the cert, trusts it for Postman Snap, Chmromium Snap, current user nssdb and on system level. It also imports the script into the .NET SDK so it will be used by ASP.NET Core without changing the configuration. You can find more informations about the script in my blog post https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu

In adition to crisvdb answer, I've several information to add and is the continuation of the walktrough. I don't comment because is pretty complex comment this, but before this answer take a look to crisvdb answer first and then return to continue.
Take the "in detail" crisdb answer.
You can make your cert in any folder, can be or can't be in the same folder of the app.
Take openssl verify -CAfile localhost.crt localhost.crt as not optional step, mandatory. It will help.
Do not recompile or touch the code meanwhile you are doing this, in order to get first scenario clean.
If you run sudo update-ca-certificates that will answer you in wich folder the certified should be copied.
In some distributions, as Raspbian for Raspberry Pi, CA certificates are located in /etc/ssl/certs as well as /usr/share/ca-certificates/ and in some cases /usr/local/share/certificates.
Do not copy the cert manually to trusted certs, run sudo update-ca-certificates after you copy the cert in the right folder. If it doesn't work (doesn't update or add any certificate) copy it to every folder possible.
If you use a password while making the certificate, you should use it in the appsettings.json
If you get this error:
Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO
routines:BIO_new_file:system lib
Take in consideration that error means "access denied". It can be because you don't have permissions or related.
7b) Could be also that the file is not found, I use the entire path in the config:
"Path": "/home/user/www/myfolder1/myapp/localhost.pfx",
After that, and if everything works, you could see a 500 error if you are using Apache or Apache2.
If you get the following error in the apache logs of the site:
[ssl:error] [remote ::1:yourport] AH01961: SSL Proxy requested for
yoursite.com:443 but not enabled [Hint: SSLProxyEngine] [proxy:error]
AH00961: HTTPS: failed to enable ssl support for [::1]:yourport
(localhost)
you must set in the VirtualHost the following configuration after SSLEngine On and before your ProxyPass
SSLProxyEngine on
After that, and if everything works, you could see a 500 error if you are using Apache or Apache2.
If you get the following error in the apache logs of the site:
[proxy:error] [client x.x.x.x:port] AH00898: Error during SSL
Handshake with remote server returned by /
[proxy_http:error] [client x.x.x.x:port] AH01097: pass request body failed to [::1]:port
(localhost) from x.x.x.x()
you must set in the VirtualHost the following configuration after SSLProxyEngine on and before your ProxyPass
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
UPDATE
If you are renovating this, and using the same names, take in consideration that you should remove your pem file from etc/ssl/certs
UPDATE 2
If it returns:
Unhandled exception. Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO routines:BIO_new_file:system lib
Check that your pfx file is on 755 permissions.
If appsettings.json seems to be don't load (on port 5000 by default or SQL or any configuration doesn't load or can't be read), take in consideration that the dotnet must be executed on the same directory where is appsettings.json

Looks like this is a known issue with dotnet global tools and that specific command is only available for MacOS and Windows. See this issue on github: Issue 6066.
It seems like there may be a work around for Linux users based on this SO post: ASP.Net Core application service only listening to Port 5000 on Ubuntu.

For Chrome:
Click "Not Secure" in address bar.
Click Certificate.
Click Details.
Click Export.
Run: certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n {FILE_NAME} -i {FILE_NAME}
Restart Chrome.

It looks like the following could help to trust the dotnet dev certs:
https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu/
Then you will see also in the browser that certificate is OK and valid for the next yeat.
Give it a try...
Good luck!

Install certificate on AndroidTV

I was needing to view the backend https requests made by my androidTV's application, but, as the calls are "https" calls I am needing to install a charles certificate (on my androidTV) to allow charles to decrypt them.
If anyone knows how to install a certificate on androidTV please tell me.
Thanks a lot!

I wrote an article on this: https://zahidrasheed.medium.com/charles-proxy-with-androidtv-fedc863e7039
TLDR;
1- Export root certificate from charles app and put it under res/raw by:
Help > SSL Proxying > Save Charles Root Certificate… and save it as charles_ssl_cert.pem file.
2- Embed the certificate in the app through network-security-config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<debug-overrides>
<trust-anchors>
<certificates src="system" />
<certificates src="#raw/charles_ssl_cert" />
<certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>
3- Export the root certificate again by:
Help > SSL Proxying > Export Charles Certificate and Private Key
Now share the .p12 file with users who would like to test the app. The need to:
Proxy > SSL Proxying Settings > Root Certificate > Import P12 (Enter the password you used above).

You can install SSL certs in the Android Emulator through ADB, given that you use an emulator image without Google Play Services. This will allow you to root your emulator and push the certificate to the cacerts directory in /system. This means you can install SSL certificates on AndroidTV even though there is no UI for this available in settings.
To install your certificate in the emulator, follow these steps:
Get an Android (TV) emulator without Play Services and give it a convenient name
Go to $ANDROID_HOME/emulator and run ./emulator #<emulatorname> -writable-system. If you run the emulator through Android Studio, you won't be able to mount the system partition as writable.
adb root
adb remount
openssl x509 -inform PEM -subject_hash_old -in <your certificate>.pem | head -n 1 , this will give you a hash you'll need in the following steps
Rename <your certificate>.pem to <hash>.0 (e.g. 711d79cc.0)
adb push <hash>.0 /system/etc/security/cacerts/<hash>.0
adb shell chmod 644 /system/etc/security/cacerts/<hash>.0

You can do it programmatically. See here for more details. I haven't found an option to do it from the Android TV UI unfortunately.
EDIT: Even that fails with
android.content.ActivityNotFoundException: Unable to find explicit activity class {com.android.settings/com.android.settings.CredentialStorage}; have you declared this activity in your AndroidManifest.xml?
So I don't know how to do this...

Service Fabric with nginx and .NET core services

I'm setting up a Service Fabric application which contains:
an Nginx instance as frontend (single instance, port 80)
some applications written with Asp.net core (1 website, some API services) (multiple instances, dynamic port)
a Gateway service for address resolution (single instance, port 8081)
For nginx, I'm using a solution available as Nuget package.
The gateway and, in general, the example to run .NET core app have been taken here
It is suggested by the .NET core team itself to host applications behind a real web server liken nginx.
Therefore I'd like to deploy my Service Fabric application with an instance of nginx as entry point, which redirects to the Gateway service, which will do the service resolution for the replicated stateless services.
My question is about the address that I need to use in the nginx.conf to point to the Gateway address. While trying locally, I can use the local address 127.0.0.1 and it works as expected, but what happens if on a real cluster my Nginx and Gateway instances are deployed to different machines?
This is my application manifest:
<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="SFApplicationType" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
<Parameters>
<Parameter Name="NginxPoC_InstanceCount" DefaultValue="1" />
<Parameter Name="Gateway_InstanceCount" DefaultValue="1" />
</Parameters>
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="NginxPoCPkg" ServiceManifestVersion="1.0.0" />
<Policies>
<RunAsPolicy CodePackageRef="Code" UserRef="Admin" EntryPointType="All" />
</Policies>
</ServiceManifestImport>
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="Gateway" ServiceManifestVersion="1.0.0" />
</ServiceManifestImport>
<DefaultServices>
<Service Name="NginxPoC">
<StatelessService ServiceTypeName="NginxPoCType" InstanceCount="[NginxPoC_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
<Service Name="Gateway">
<StatelessService ServiceTypeName="GatewayType" InstanceCount="[Gateway_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
</DefaultServices>
<Principals>
<Users>
<User Name="Admin">
<MemberOf>
<SystemGroup Name="Administrators" />
</MemberOf>
</User>
</Users>
</Principals>
</ApplicationManifest>
and this is my current nginx.conf file:
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://127.0.0.1:8081;
}
}
Update 2016-10-09
As requested in the discussion, I've created a test project here. Every contribute to the project is welcome.

f you deploy the nginx and gateway service to all nodes (InstanceCount = -1) you should be good. If the gateway service is down on one node, you would of course not be able to forward the request from nginx to a gateway service on another node. For this, you need the nginx service to look-up the gateway service.
You can get the service endpoint address for the gateway using a REST call: https://msdn.microsoft.com/en-us/library/azure/dn707638.aspx

Cut Servlet url in JBoss

I've got an app which is running on JBoss 7. Its URL is http://localhost:8080/archive/app. How can I make it look http://localhost:8080/app or http://localhost/app?
PS. /archive means archive.war

1) Remove the welcome root. In the standalone.xml set:
<virtual-server name="default-host" enable-welcome-root="false">
2) Set the context root. In your archive.war add a jboss-web.xml file in the WEB-INF folder:
<?xml version="1.0"?>
<jboss-web>
<context-root>/</context-root>
</jboss-web>
3) Set the http port to 80. In the standalone.xml change:
<socket-binding name="http" port="8080"/> to <socket-binding name="http" port="80"/>
Remember that if your server runs on a Linux machine it must be launched by root in order to use ports under 1024. In that case you can redirect from 80 to 8080 by means of iptables without the need to change the standalone.xml socket-binding

RhodeCode proxied by IIS 7

I installed RhodeCode 1.2.2 at a Windows 2008R2 (64Bit) box.
I had setup a IIS 7 as a Proxy Server (Application Request Routing + URL Rewrite) for RhodeCode running at 127.0.0.1:5000.
The Repository is reachable via "https://subdomain.domain.de".
At the repository summary, the Clone url points to:
https://[username]#127.0.0.1:5000/SomeProject
At the client side, I can clone the repository when replacing the
"127.0.0.1:5000" with "subdomain.domain.de".
For sure I would like that RhodeCode displays the Proxy url
("subdomain.domain.de") instead of the 127.XXX...
I search the web up and down and the only thing I found, was that
Apache has a "ProxyPreserveHost On" setting, which does the trick. However
I didn't found anything like that for IIS.
Is there somewhere a setting within the "production.ini" where I can
define the proxy url?
Or does someone found the well hidden setting within the IIS?
Any help is much appreciated :-)
thanks for your answer! I already use the ARR and setup the reverse proxy, I can access RhodeCode via the proxy. However, it looks like that the HTTP_HOST value is not forwarded to paster.
Within the IIS, I setup the following server variables and set them within the reverse proxy rule:
<set name="HTTP_HOST" value="[subdomain.domain.de]" />
<set name="HTTP_X_FORWARDED_SERVER" value="[subdomain.domain.de]" />
<set name="HTTP_X_ORIGINAL_HOST" value="[subdomain.domain.de]" />
<set name="HTTP_X_HTTP_HOST" value="[subdomain.domain.de]" />
<set name="HTTP_X_URL_SCHEME" value="https" />
but that have no affect at all.
At the linked previously answer, he suggested to copy these variable values back to the HTTP_HOST (within tomcat, should be paster in my case). That looks a bit overkilled to me, in comparsion to a simple "ProxyPreserveHost On" within apache. I have the feeling that I missed something here.
Cheers,
Sörnt

Itvan is correct, that will work.
Uncommenting the clone_uri will leave the default clone_uri. You can force the clone_uri to use your domain by having that line:
clone_uri = {scheme}://{user}{pass}[subdomain.domain.de]{path}
PS: Works on version 1.3.6

I'm working on out reverse proxying over https for rhodecode with apache on centos6 right now.
For Apache, the configuration noted by marcin of rhodecode fame is:
<VirtualHost *:80>
ServerName hg.myserver.com
ServerAlias hg.myserver.com
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
#important !
#Directive to properly generate url (clone url) for pylons
ProxyPreserveHost On
#rhodecode instance
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
#to enable https use line below
#SetEnvIf X-Url-Scheme https HTTPS=1
</VirtualHost>
For the IIS equivilent of ProxyPreserveHost, see Application Request Routing, which was provided in a previously answer by a MSFT MVP.
The http server is actually python paste's httpserver, so referring to the python paste documentation for httpserver (egg#Paste:http is familiar right), there is no proxy configuration. You will have to reverse proxy in IIS (source)
I am unsure why marcin has opted to advise setting up the reverse proxy versus utilizing paste's httpserver support for https; but having IIS field the requests, and binding paste's httpserver to 127.0.0.1 is likely best choice.

I've just installed RhodeCode 1.3.3 and got into this issue. You can edit this line in configuration file to make it work:
## overwrite schema of clone url
## available vars:
## scheme - http/https
## user - current user
## pass - password
## netloc - network location
## path - usually repo_name
#clone_uri = {scheme}://{user}{pass}{netloc}{path}
clone_uri = {scheme}://{user}{pass}yourdomain.com{path}