Unable to trust development certificate

[LouisT123]

Working with @sayedihashimi as an intern at Microsoft, and I'm running into this blocking issue. He was unable to figure out what was going on.

Steps to reproduce

1. Create project using dotnet new web
2. dotnet build
3. dotnet run

Expected behavior

Web app runs

Actual behavior

Getting error about development certificate

Anands-MBP:dasdasdakjfh louistaing$ dotnet run
: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[0]
      User profile is available. Using '/Users/louistaing/.aspnet/DataProtection-Keys' as key repository; keys will not be encrypted at rest.
crit: Microsoft.AspNetCore.Server.Kestrel[0]
      Unable to start Kestrel.
System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.
To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.
   at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)
   at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)

Unhandled Exception: System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.
To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.
   at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)
   at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.StartAsync(CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token, String shutdownMessage)
   at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token)
   at Microsoft.AspNetCore.Hosting.WebHostExtensions.Run(IWebHost host)
   at dasdasdakjfh.Program.Main(String[] args) in /Users/louistaing/Projects/dasdasdakjfh/dasdasdakjfh/Program.cs:line 17
Anands-MBP:dasdasdakjfh louistaing$ dotnet dev-certs https --trust
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'
This command might prompt you for your password to install the certificate on the system keychain.
A valid HTTPS certificate is already present.
Anands-MBP:dasdasdakjfh louistaing$ dotnet dev-certs https --clean
Cleaning HTTPS development certificates from the machine. This operation might require elevated privileges. If that is the case, a prompt for credentials will be displayed.
Anands-MBP:dasdasdakjfh louistaing$ sudo dotnet dev-certs https --trust
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'
This command might prompt you for your password to install the certificate on the system keychain.
A valid HTTPS certificate is already present.
Anands-MBP:dasdasdakjfh louistaing$ sudo dotnet dev-certs https --clean --verbose
Cleaning HTTPS development certificates from the machine. This operation might require elevated privileges. If that is the case, a prompt for credentials will be displayed.
HTTPS development certificates successfully removed from the machine.
Anands-MBP:dasdasdakjfh louistaing$ sudo dotnet dev-certs https --check --verbose
No valid certificate found.
Anands-MBP:dasdasdakjfh louistaing$ sudo dotnet dev-certs https --trust --verbose
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'
This command might prompt you for your password to install the certificate on the system keychain.
A valid HTTPS certificate is already present.
Anands-MBP:dasdasdakjfh louistaing$ sudo dotnet dev-certs https --check --verbose
No valid certificate found.
Anands-MBP:dasdasdakjfh louistaing$ 

Environment data

dotnet --info output:

Anands-MBP:dasdasdakjfh louistaing$ dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   2.2.401
 Commit:    729b316c13

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  10.13
 OS Platform: Darwin
 RID:         osx.10.13-x64
 Base Path:   /usr/local/share/dotnet/sdk/2.2.401/

Host (useful for support):
  Version: 2.2.6
  Commit:  7dac9b1b51

.NET Core SDKs installed:
  2.1.700 [/usr/local/share/dotnet/sdk]
  2.2.300 [/usr/local/share/dotnet/sdk]
  2.2.401 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.11 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.6 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.11 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.6 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.11 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.6 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
Anands-MBP:dasdasdakjfh louistaing$ 

[livarcocc]

@anurse is this something that you can take a look at?

[livarcocc]

It seems from the list of commands that you removed the certificate but haven't added it back.

Anands-MBP:dasdasdakjfh louistaing$ sudo dotnet dev-certs https --clean --verbose
Cleaning HTTPS development certificates from the machine. This operation might require elevated privileges. If that is the case, a prompt for credentials will be displayed.
HTTPS development certificates successfully removed from the machine.
Anands-MBP:dasdasdakjfh louistaing$ sudo dotnet dev-certs https --check --verbose
No valid certificate found.
Anands-MBP:dasdasdakjfh louistaing$ sudo dotnet dev-certs https --trust --verbose
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'
This command might prompt you for your password to install the certificate on the system keychain.
A valid HTTPS certificate is already present.
Anands-MBP:dasdasdakjfh louistaing$ sudo dotnet dev-certs https --check --verbose
No valid certificate found.
Anands-MBP:dasdasdakjfh louistaing$ 

[sayedihashimi]

He tried adding it, several times actually.

@LouisT123 please execute the following and paste results here: clean, check, trust and check again.

[sayedihashimi]

@livarcocc you can see in the output he did try trust.

Anands-MBP:dasdasdakjfh louistaing$ dotnet dev-certs https --trust
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <>'

[LouisT123]

@sayedihashimi Executed:

Last login: Mon Aug 12 10:39:15 on ttys000
Anands-MBP:~ louistaing$ cd /Users/louistaing/Projects/dasdasdakjfh/dasdasdakjfh/Program.cs
-bash: cd: /Users/louistaing/Projects/dasdasdakjfh/dasdasdakjfh/Program.cs: Not a directory
Anands-MBP:~ louistaing$ cd /Users/louistaing/Projects/dasdasdakjfh/dasdasdakjfh/
Anands-MBP:dasdasdakjfh louistaing$ dotnet dev-certs https --clean
Cleaning HTTPS development certificates from the machine. This operation might require elevated privileges. If that is the case, a prompt for credentials will be displayed.
Anands-MBP:dasdasdakjfh louistaing$ dotnet dev-certs https --check
Anands-MBP:dasdasdakjfh louistaing$ dotnet dev-certs https --trust
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'
This command might prompt you for your password to install the certificate on the system keychain.
A valid HTTPS certificate is already present.
Anands-MBP:dasdasdakjfh louistaing$ dotnet dev-certs https --check
Anands-MBP:dasdasdakjfh louistaing$ 

[analogrelay]

• @javiercn

[javiercn]

There can be something in the environment that is causing the tool to not work correctly. I'll double check tomorrow on my Mac to see if I repro the behavior on a clean machine and I'll see what info we can gather to figure out what's going on.

[BrennanConroy]

We found a bug with the dev-certs tool that caused issues with --clean and --check. We'll be fixing it in preview9.

It's hard to see if your scenario is hitting this issue but it's a good guess that it is

[sayedihashimi]

@BrennanConroy thanks for the follow up. Perhaps when you have a build with the fix then @LouisT123 can try it out to confirm that it's working for him. When do you think you may have a new build with the fix?

[analogrelay]

I'm going to move this to aspnet/AspNetCore since we found actionable work (probably could've merged it earlier anyway :)). An issue link will be posted next, please move discussion to that thread.

Thanks for the report @LouisT123 !

[analogrelay]

This issue was moved to dotnet/aspnetcore#13175

[rv-17]

Encountered the same issue on macOS. As a solution, in the keychain, remove the old localhost certificate under 'System' and recreate it via the dotnet commands described in the docs. It will be placed under 'login'.

[granadacoder]

Encountered the same issue on macOS. As a solution, in the keychain, remove the old localhost certificate under 'System' and recreate it via the dotnet commands described in the docs. It will be placed under 'login'.

Thank you ncbb. I've formalized this in a SOF answer as well : https://stackoverflow.com/questions/64017267/dotnet-dev-certs-certificate-not-trusted/66888581#66888581