Skip to content

[Platform] Provide a better error message when the developer certificate can't be used #16659

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Oct 31, 2019
Merged

[Platform] Provide a better error message when the developer certificate can't be used #16659

merged 8 commits into from
Oct 31, 2019

Conversation

javiercn
Copy link
Member

Partially addresses #15118

Long story short, Mac OS will introduce notarization for apps, which changes the identity of dotnet.exe with regards to the OS.

That makes the keys for certs in the cert store (backed by keychain) not accessible to the app if the certificate was created with a dotnet.exe that was not notarized.

Users upgrading to 3.1 in the future will encounter this on Mac OS and they won't get any feedback about what's going on other than a failed connection screen in the browser).

To help users in this scenario we are introducing an additional error message with instructions on what to do when we detect the developer certificate is being used for HTTPS, so that at least there is a proper error message.

We are still investigating all the ramifications of this issue, hence the "partially addresses it"

@mkArtakMSFT mkArtakMSFT added the feature-platform Deprecated: Cross-cutting issues related to ASP.NET Core as a platform label Oct 30, 2019
@mkArtakMSFT mkArtakMSFT added this to the 3.1.0-preview3 milestone Oct 30, 2019
javiercn
javiercn commented Oct 30, 2019
View reviewed changes
@javiercn javiercn force-pushed the javiercn/kestrel-https-invalid-cert-improvement branch 2 times, most recently from cbf6f7c to 8e9cc2d Compare October 30, 2019 17:04
@javiercn javiercn force-pushed the javiercn/kestrel-https-invalid-cert-improvement branch from 8e9cc2d to 43d59cf Compare October 30, 2019 17:28
@javiercn
Copy link
Member Author

@Pilchie FYI

Tratcher
Tratcher reviewed Oct 30, 2019
View reviewed changes
javiercn
javiercn commented Oct 30, 2019
View reviewed changes
@javiercn
Copy link
Member Author

🆙 📅

analogrelay
analogrelay reviewed Oct 30, 2019
View reviewed changes
@javiercn
Copy link
Member Author

@Pilchie this is just waiting for your approval.

Pilchie
Pilchie approved these changes Oct 31, 2019
View reviewed changes
Copy link
Member

@Pilchie Pilchie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't have to be part of this change, but it seems like we should make the constructor of CertificateManager private or protected if it's meant to be a singleton.

src/Tools/dotnet-dev-certs/src/Program.cs
@@ -150,7 +150,7 @@ private static int CheckHttpsCertificate(CommandOption trust, IReporter reporter
{
var now = DateTimeOffset.Now;
var certificateManager = new CertificateManager();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could be removed.

@Pilchie
Copy link
Member

Pilchie commented Oct 31, 2019

Approved for 3.1.0-Preview3. Thanks @javiercn

@javiercn javiercn merged commit 3ceca46 into release/3.1 Oct 31, 2019
@javiercn javiercn deleted the javiercn/kestrel-https-invalid-cert-improvement branch October 31, 2019 20:50
@halter73 halter73 mentioned this pull request Oct 31, 2019
Merged
javiercn added a commit that referenced this pull request Dec 4, 2019
@javiercn
[Platform] Provide a better error message when the developer certific…
e5ee028 
…ate can't be used (#16659)

Improves the error message Kestrel gives when the developer certificate key is not available for some reason.
mkArtakMSFT pushed a commit that referenced this pull request Jan 16, 2020
@javiercn @mkArtakMSFT
[Platform] Detect and fix certificates with potentially inaccessible …
bba3430 
…keys on Mac OS (3.0) (#17580)

* [Platform] Provide a better error message when the developer certificate can't be used (#16659)

Improves the error message Kestrel gives when the developer certificate key is not available for some reason.

* [Platform] Add logic to dotnet-dev-certs to detect and fix certificates with inaccessible keys on Mac OS

* Update the docs link
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@analogrelay analogrelay analogrelay left review comments

@GrabYourPitchforks GrabYourPitchforks GrabYourPitchforks left review comments

@Pilchie Pilchie Pilchie approved these changes

@Tratcher Tratcher Tratcher approved these changes

@halter73 halter73 Awaiting requested review from halter73 halter73 is a code owner

@jkotalik jkotalik Awaiting requested review from jkotalik

@SteveSandersonMS SteveSandersonMS Awaiting requested review from SteveSandersonMS

Assignees
No one assigned
Labels
feature-platform Deprecated: Cross-cutting issues related to ASP.NET Core as a platform
Projects
None yet
Milestone
3.1.0-preview3
Development

Successfully merging this pull request may close these issues.
6 participants
@javiercn @Pilchie @analogrelay @GrabYourPitchforks @Tratcher @mkArtakMSFT