I use Manjaro for dotnet development and recently have been having serious problems with SSL.
When I run my web apps I get a warning saying The ASP.NET Core developer certificate is not trusted. For information about trusting the ASP.NET Core developer certificate, see https://aka.ms/aspnet/https-trust-dev-cert.
I’ve been through the link with a fine tooth comb - It’s not very helpful to us Linux users and even less helpful to Manjaro / Arch.
This has led me round the houses somewhat trying to wrap my head around exactly what I need to do to actually trust this certificate - what do I run? where is it actually stored?
I’ve found a lot of information and most of it seems to be quite dated. I’ve got myself in a bit of a mess now - It’s still not working and I’ve tried many things.
I extrapolated the commands below from an article on Github, but I’m not sure the storage locations are quite right.
# Start at home
cd ~
# Create cert
dotnet dev-certs https
# Export cert to current directory
dotnet dev-certs https -ep localhost.crt --format PEM
# Create the paths if necessary
cd /usr/share/ca-certificates
sudo mkdir trust-source
sudo chmod 755 trust-source
cd trust-source
sudo mkdir anchors
sudo chmod 755 anchors
cd ~
# Trust Chromium based browsers
sudo -E dotnet dev-certs https -ep /usr/share/ca-certificates/aspnet/https.crt --format PEM
sudo certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost -i ./localhost.crt
sudo certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n localhost -i ./localhost.crt
# Trust wget
sudo cp localhost.crt /usr/share/ca-certificates/trust-source/anchors/aspnetcore-https-localhost.pem
sudo update-ca-trust extract
# Trust dotnet-to-dotnet
sudo cp localhost.crt /etc/ssl/certs/aspnetcore-https-localhost.pem
# Remove cert from current directory
rm localhost.crt
I’m almost at the point of giving up and going back to WIndows for work, which I really don’t want to have to do as I find Linux far better for front-end development and I find Manjaro far better than Ubuntu generally, which would be my alternative switch over time.
It used to work fine for me until about 6 weeks or so ago then I started getting warnings. I disabled SSL requirement in the test browser and ignored it for now but now I have 2 APIs that need to talk to one another, so I’m at an impasse and windows is looking friendly right now (shudder).
I’m trying disabling SSL locally as well but dotnet just seems to ignore me on that one.
I haven’t been doing any backend api with dotnet core - so I am in uncharted territory with that.
The project I am working with uses a windows server running .NET and MSSQL so all my backend is done in a Windows VM.
When the client is finished the plan is to migrate the api to mysql and dotnet 8.
You should be able to adjust launchettings.json but you may get issues if you do not define CORS accept all and even then may cause issues as chrome based browsers usually refuse to talk to a non ssl api.
I seem to have moved on a bit with this - I’ve run the following commands and the APIs will now talk to one another but I’m still getting warnings in Rider about certificates not being trusted and my browsers (Vivaldi, Edge and Chrome) still say they are invalid (sigh)…
cd $HOME || exit
# Create cert (If not already created)
# I think this is the one that lives in /usr/share/ca-certificates/aspnet
dotnet dev-certs https
# Export cert to /usr/share/ca-certificates/aspnet
sudo -E dotnet dev-certs https -ep localhost.crt --format PEM
# Setup Firefox
echo "{
\"policies\": {
\"Certificates\": {
\"Install\": [
\"aspnetcore-localhost-https.crt\"
]
}
}
}" > policies.json
# Trust Firefox
sudo mv policies.json /usr/lib/firefox/distribution/
mkdir -p ~/.mozilla/certificates
cp localhost.crt ~/.mozilla/certificates/aspnetcore-localhost-https.crt
# Trust Chromium based browsers
sudo certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost -i ./localhost.crt
sudo certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n localhost -i ./localhost.crt
# Trust wget
sudo cp localhost.crt /usr/share/ca-certificates/aspnet/https.crt
sudo cp localhost.crt /usr/share/ca-certificates/trust-source/anchors/aspnetcore-https-localhost.pem
sudo cp localhost.crt /usr/share/ca-certificates/aspnet/aspnetcore-https-localhost.pem
sudo chmod 666 /usr/share/ca-certificates/trust-source/anchors/aspnetcore-https-localhost.pem
sudo chmod 666 /usr/share/ca-certificates/aspnet/aspnetcore-https-localhost.pem
# Trust dotnet-to-dotnet
sudo cp localhost.crt /etc/ssl/certs/aspnetcore-https-localhost.pem
# Clean up
sudo update-ca-trust
sudo update-ca-trust extract
rm localhost.crt
Firefox is happy with the changes above.
Some of this is probably redundant and the “Trust Chromium Browsers” section clearly doesn’t seem to work.
Here you configure personal certificates so you shouldn’t use sudo. For global installation you need only one command (assuming that localhost.crt is CA):