HTTPS Error using IIS Express

[saha1506]

Same issue: #16892

@blowdart

I run a vanilla asp.net core web app by checking the checkbox for configuring HTTPS. The application doesn't run correctly.

I opened VS, then I chose ASP.NET Core Web Application. The HTTPS configuration was enabled by default. After creating the app, I run it with F5 using IIS Express and the web app is not loading.

I found that in 2019 a developer pointed out this problem, but it still hasn't solved.

Problem

I think IIS Express isn't serving up HTTPS
When HTTPS is enabled, the project is not working in all browsers. When it is disabled, everything works fine.

ERROR in Chrome v80+ "ERR_CONNECTION_RESET"
FireFox ERROR: PR_CONNECT_RESET_ERROR

I have tried reinstalled Visual Studio, rewriting local host certificates, restoring and reinstalling IIS Express 10. Same issue over and over again

When starting HTTPS, the browser gives the error mentioned above.
HTTPS port is specified: https: // localhost: 44341

Yes, after rewriting SSL certificate, VS ask for confirm new certificate. But after that browser show the same issue. Antivirus is turned off...

Further technical details

- ASP.NET Core version
 Version:   3.1.402
 Commit:    9b5de826fd

Среда выполнения:
 OS Name:     Windows
 OS Version:  10.0.18362
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\3.1.402\

Host (useful for support):
  Version: 3.1.8
  Commit:  9c1330dedd

.NET Core SDKs installed:
  2.1.700 [C:\Program Files\dotnet\sdk]
  3.1.202 [C:\Program Files\dotnet\sdk]
  3.1.302 [C:\Program Files\dotnet\sdk]
  3.1.402 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.22 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.22 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.22 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.1.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.6 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.8 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

Visual Studio 2019 version 16.0

[javiercn]

@saha1506 thanks for contacting us.

Can you follow the same steps indicated in #16892 to gather the info that would help us troubleshoot this issue? (Check the certificate, check the binding, export the certificate so that we can see if its valid and so on).

@shirhatti @blowdart this is IIS Express related.

[saha1506]

@javiercn
Thanks for the answer, that's what I've got:

1. Project properties:

2. Certconfig.txt

When I open netsh http show sslcert > certconfig.txt I have this:

certconfig.txt

3. certificate export

localhost certificate export (I will change certificate after issue will be close)
password: blazor
localhost.zip

[javiercn]

@saha1506 thanks for the additional details

@shirhatti @blowdart can you take it from here? (likely @shirhatti)

[saha1506]

HTTPS enabled:

HTTPS disabled:

[javiercn]

I listed the cert info with openssl

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:db:bd:a7:63:72:61:bf:4e:e2:60:7c:ec:f3:22:9d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = localhost
        Validity
            Not Before: Sep 29 18:43:53 2020 GMT
            Not After : Sep 29 00:00:00 2025 GMT
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b5:57:bc:f1:0f:70:d7:b9:b0:ed:dd:22:ed:e1:
                    37:c8:a9:de:3c:f0:9f:1f:8e:b4:dd:75:f7:99:46:
                    a2:0d:0c:3b:f5:db:b6:6e:99:d7:f4:17:07:7c:e5:
                    56:ef:cb:ae:b3:25:4e:73:aa:51:77:96:5c:7c:68:
                    80:35:3c:48:87:72:84:80:74:22:71:a2:df:95:16:
                    ce:a3:10:32:f2:a8:3b:78:4c:70:a1:80:1f:cb:63:
                    c0:b0:18:9f:b4:56:97:c9:27:59:f4:b6:16:6b:f4:
                    fa:bf:18:d0:00:ea:f6:c0:de:a9:59:5d:c2:3d:27:
                    44:0c:35:52:8a:4a:2f:4f:b4:4c:39:55:44:59:c8:
                    52:a4:4f:36:82:3e:8f:90:28:bb:1c:69:90:c0:d1:
                    d5:84:ae:c4:de:16:09:cf:a0:02:8c:d0:7c:e8:a0:
                    ae:d8:d4:6a:68:50:70:e6:c5:df:6d:d8:77:87:e1:
                    52:eb:b8:0a:1d:7b:f8:0e:31:7b:e3:a4:e2:d7:53:
                    07:91:d3:13:8c:9c:07:cc:03:55:29:86:be:5f:3f:
                    38:ed:d2:f3:92:68:02:57:28:da:7f:c2:b0:35:55:
                    41:c6:2b:08:df:de:1b:53:eb:2f:ab:95:3f:a0:d2:
                    89:0e:8f:63:a3:b7:d5:60:0d:c0:9c:e5:a6:f6:c4:
                    8c:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost

Nothing strikes me as wrong here, so I'll leave this for you folks if it helps.

[saha1506]

Thanks!

About Certificate

Message from #16892

I use guide to remove all localhost certificates (if there are duplicates), and create new one. But after Security warning "Do you want to install certificate" I had no result. Like in #16892

Guide to remove all local host certificates from MMC:
https://www.pluralsight.com/guides/visual-studio-2017-resolving-ssl-tls-connections-problems-with-iis-express

[shirhatti]

@saha1506 It's unclear from your previous comment if your issue has been resolved?

[saha1506]

@shirhatti

@saha1506 It's unclear from your previous comment if your issue has been resolved?

No, it's not. Still ERR_CONNECTION_RESET

[ghost]

Thanks for contacting us.
We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[saha1506]

I will try reinstalling Windows. Previously, ASP projects worked fine for me, but after updating Visual Studio something happened, so I think

[lousybyte]

Can confirm this as well, on top of that running dotnet dev-certs https --trust gives a strange error that I think it was meant for macOS and not for Windows.

$ dotnet dev-certs https --clean

Cleaning HTTPS development certificates from the machine. A prompt might get displayed to confirm the removal of some of the certificates.


$ dotnet dev-certs https --trust

A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/2.1/troubleshootcertissues
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/3.1/troubleshootcertissues
Trusting the HTTPS development certificate was requested. A confirmation prompt will be displayed if the certificate was not previously trusted. Click yes on the prompt to trust the certificate.
The HTTPS developer certificate was generated successfully.```

[javiercn]

dotnet dev-certs is unrelated to any issue when running inside IIS

[shirhatti]

@saha1506 Assuming you're using IIS Express and seeing this error you can try re-generating your IIS Express development certificate

Start-Transcript -Path "$($MyInvocation.MyCommand.Path).log"
try {
    Write-Host "Creating cert resources"
    $ekuOidCollection = [System.Security.Cryptography.OidCollection]::new();
    $ekuOidCollection.Add([System.Security.Cryptography.Oid]::new("1.3.6.1.5.5.7.3.1","Server Authentication")) | Out-Null
    $sanBuilder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new();
    $sanBuilder.AddDnsName("localhost") | Out-Null
    
    Write-Host "Creating cert extensions"
    $certificateExtensions = @(
        # Subject Alternative Name
        $sanBuilder.Build($true),        
        # ASP.NET Core OID
        [System.Security.Cryptography.X509Certificates.X509Extension]::new(
            "1.3.6.1.4.1.311.84.1.1",
            [System.Text.Encoding]::ASCII.GetBytes("IIS Express Development Certificate"),
            $false),
            # KeyUsage
            [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new(
                [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment,
                $true),
                # Enhanced key usage
        [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new(
            $ekuOidCollection,
            $true),
            # Basic constraints
            [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($false,$false,0,$true)
        )
    Write-Host "Creating cert parameters"
    $parameters = @{
        Subject = "localhost";
        KeyAlgorithm = "RSA";
        KeyLength = 2048;
        CertStoreLocation = "Cert:\LocalMachine\My";
        KeyExportPolicy = "Exportable";
        NotBefore = Get-Date;
        NotAfter = (Get-Date).AddYears(1);
        HashAlgorithm = "SHA256";
        Extension = $certificateExtensions;
        SuppressOid = @("2.5.29.14");
        FriendlyName = "IIS Express Development Certificate"
    }
    Write-Host "Creating cert"
    $cert = New-SelfSignedCertificate @parameters

    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList Root, LocalMachine
    $rootStore.Open("MaxAllowed")
    $rootStore.Add($cert)
    $rootStore.Close()
    
    Write-Host "Creating port bindings"
    # Add an Http.Sys binding for port 44300-44399
    $command = 'netsh'
    for ($i=44300; $i -le 44399; $i++) {
        $optionsDelete = @('http', 'delete', 'sslcert', "ipport=0.0.0.0:$i")
        $optionsAdd = @('http', 'add', 'sslcert', "ipport=0.0.0.0:$i", "certhash=$($cert.Thumbprint)", 'appid={214124cd-d05b-4309-9af9-9caa44b2b74a}')
        Write-Host "Running $command $optionsDelete"
        & $command $optionsDelete
        Write-Host "Running $command $optionsAdd"
        & $command $optionsAdd
    } 
}
catch {
    Write-Error $_.Exception.Message
}
finally {
    Stop-Transcript
}

[xperiandri]

@shirhatti thanks! Your solution works!

[asm2025]

@shirhatti Thank you very much.