Skip to content

Fix dashboard resource service scheme and generate HTTPS dev cert for non-.NET AppHosts#17454

Merged
JamesNK merged 6 commits into
mainfrom
fix/dashboard-resource-service-scheme
May 25, 2026
Merged

Fix dashboard resource service scheme and generate HTTPS dev cert for non-.NET AppHosts#17454
JamesNK merged 6 commits into
mainfrom
fix/dashboard-resource-service-scheme

Conversation

@JamesNK

@JamesNK JamesNK commented May 24, 2026

Copy link
Copy Markdown
Member

Summary

Fixes a CI test failure where the TypeScript starter template fails because the dashboard resource service defaults to HTTPS but no dev certificate exists when the AppHost isn't a .NET project (so dotnet run never triggers first-run cert generation).

Changes

DashboardServiceHost scheme resolution (src/Aspire.Hosting/Dashboard/DashboardServiceHost.cs)

  • Extracted ResolveScheme(Uri? configuredUri, bool allowUnsecuredTransport) as an internal static method for testability
  • When no dashboard URL is configured, the scheme now correctly defaults to HTTPS unless AllowUnsecuredTransport is set

Non-interactive HTTPS certificate generation (src/Aspire.Cli/Certificates/)

  • In non-interactive mode, CertificateService now automatically generates an HTTPS dev certificate when none exists
  • Added EnsureHttpCertificateExists() to ICertificateToolRunner / NativeCertificateToolRunner that calls CertificateManager.EnsureAspNetCoreHttpsDevelopmentCertificate
  • After generation, refreshes the certificate check state
  • Displays a warning if generation fails

Opt-out via environment variable

  • Added ASPIRE_CLI_GENERATE_HTTPS_CERTIFICATE to KnownConfigNames
  • Setting this to "false" skips automatic certificate generation

Tests

  • DashboardServiceHostTests.ResolveScheme_ReturnsExpectedScheme — theory covering all scheme resolution cases
  • CertificateServiceTests — new tests for cert generation when none exist, skipping when certs exist, env var opt-out, and warning on failure

Fixes

Fixes the TypeScript starter CI test failure caused by missing HTTPS dev cert when the dashboard resource service defaults to HTTPS.

@github-actions

github-actions Bot commented May 24, 2026

Copy link
Copy Markdown
Contributor

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17454

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17454"

JamesNK added 4 commits May 25, 2026 09:10
The .NET SDK first-run experience generates the HTTPS dev certificate
when any dotnet command runs. Non-.NET AppHost languages (TypeScript,
Python, etc.) launch a prebuilt native binary and never invoke dotnet,
so the first-run cert generation never triggers.

Add EnsureHttpCertificateExists() to ICertificateToolRunner which calls
EnsureAspNetCoreHttpsDevelopmentCertificate(trust: false) to generate
the cert without requiring user interaction. Call it from
CertificateService when running non-interactively and no cert exists.
…text

- Add CliGenerateHttpsCertificate to KnownConfigNames (grouped with CLI consts)
- Inject CliExecutionContext into CertificateService for testability
- Add ShouldGenerateHttpsCertificate() with ASPIRE_CLI_GENERATE_HTTPS_CERTIFICATE=false opt-out
- Update test helpers to pass CliExecutionContext
- Test cert is generated when no certs exist (non-interactive)
- Test cert generation is skipped when certs already exist
- Test ASPIRE_CLI_GENERATE_HTTPS_CERTIFICATE=false opt-out suppresses generation
- Refresh preCheck after successful generation so trust-level checks reflect actual state
- Log warning via DisplayMessage when certificate generation fails
- Pass isInteractive: false to EnsureAspNetCoreHttpsDevelopmentCertificate (matches SDK first-run behavior of accepting older cert versions)
- Add CreateNoCertsResult() test helper for readability
- Update GeneratesCert test to simulate realistic two-call check pattern
@JamesNK JamesNK changed the title Fix resource service scheme selection based on AllowUnsecuredTransport config Fix dashboard resource service scheme and generate HTTPS dev cert for non-.NET AppHosts May 25, 2026
@JamesNK JamesNK marked this pull request as ready for review May 25, 2026 01:59
@JamesNK JamesNK requested a review from mitchdenny as a code owner May 25, 2026 01:59
Copilot AI review requested due to automatic review settings May 25, 2026 01:59

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a failure scenario for non-.NET AppHosts (e.g., TypeScript starter) where the dashboard resource service defaults to HTTPS but a dev HTTPS certificate may not exist because no dotnet first-run experience runs to generate it.

Changes:

  • Updated dashboard resource service scheme selection so the default is HTTPS unless unsecured transport is explicitly allowed.
  • Added non-interactive HTTPS dev-certificate creation in the CLI when no certificate exists (with an environment-variable opt-out).
  • Added/updated tests to cover scheme resolution and certificate generation/opt-out/warning behavior.

Reviewed changes

Copilot reviewed 24 out of 25 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
tests/Aspire.Hosting.Tests/Dashboard/DashboardServiceHostTests.cs Adds coverage for DashboardServiceHost.ResolveScheme behavior.
tests/Aspire.Cli.Tests/Utils/CliTestHelper.cs Updates test DI wiring for the new CertificateService constructor parameter.
tests/Aspire.Cli.Tests/TestServices/TestCertificateToolRunner.cs Extends the certificate tool runner test double with EnsureHttpCertificateExists().
tests/Aspire.Cli.Tests/Commands/CertificatesCommandTests.cs Updates command tests to construct CertificateService with CliExecutionContext.
tests/Aspire.Cli.Tests/Certificates/CertificateServiceTests.cs Adds tests for non-interactive cert generation, opt-out, and warning-on-failure.
src/Shared/KnownConfigNames.cs Introduces ASPIRE_CLI_GENERATE_HTTPS_CERTIFICATE config name.
src/Aspire.Hosting/Dashboard/DashboardServiceHost.cs Extracts and fixes scheme resolution logic for the resource service endpoint.
src/Aspire.Cli/Resources/xlf/ErrorStrings.zh-Hant.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.zh-Hans.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.tr.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.ru.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.pt-BR.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.pl.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.ko.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.ja.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.it.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.fr.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.es.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.de.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/xlf/ErrorStrings.cs.xlf Adds localized entry for CertificateGenerationFailed.
src/Aspire.Cli/Resources/ErrorStrings.resx Adds CertificateGenerationFailed resource string.
src/Aspire.Cli/Resources/ErrorStrings.Designer.cs Updates generated accessor for CertificateGenerationFailed.
src/Aspire.Cli/Certificates/NativeCertificateToolRunner.cs Implements EnsureHttpCertificateExists() using CertificateManager (trust:false).
src/Aspire.Cli/Certificates/ICertificateToolRunner.cs Adds EnsureHttpCertificateExists() contract.
src/Aspire.Cli/Certificates/CertificateService.cs Adds non-interactive certificate generation + env var opt-out logic.
Files not reviewed (1)
  • src/Aspire.Cli/Resources/ErrorStrings.Designer.cs: Language not supported

Comment thread tests/Aspire.Cli.Tests/TestServices/TestCertificateToolRunner.cs
…ion failure

- Extract ResolveScheme() static method from DashboardServiceHost for testability
- Add DashboardServiceHostTests covering: default HTTPS, HTTP with unsecured transport,
  explicit URI scheme usage, and scheme independence from allowUnsecuredTransport
- Add CertificateServiceTests covering: warning displayed on cert generation failure
@JamesNK JamesNK force-pushed the fix/dashboard-resource-service-scheme branch from 788ff45 to 328c6e1 Compare May 25, 2026 02:21
@github-actions

Copy link
Copy Markdown
Contributor

CLI E2E Tests unknown — 96 passed, 0 failed, 5 unknown (commit 328c6e1)

View all recordings
Status Test Recording
AddPackageInteractiveWhileAppHostRunningDetached ▶️ View recording
AddPackageWhileAppHostRunningDetached ▶️ View recording
AgentCommands_AllHelpOutputs_AreCorrect ▶️ View recording
AgentInitCommand_DefaultSelection_InstallsDefaultSkills ▶️ View recording
AgentInitCommand_MigratesDeprecatedConfig ▶️ View recording
AgentMcpListStructuredLogsFromStarterAppCore ▶️ View recording
AllPublishMethodsBuildDockerImages ▶️ View recording
AspireAddPackageVersionToDirectoryPackagesProps ▶️ View recording
AspireInitSingleFileAppHostRunsViaDotnetRunAppHost ▶️ View recording
AspireInitWithExistingAppHostDirRecreatesMissingNuGetConfigAndPreservesFiles ▶️ View recording
AspireInitWithSolutionFileGeneratesAppHostThatBuildsAgainstChannelHive ▶️ View recording
AspireStartUpdatesStaleTypeScriptAppHostPath ▶️ View recording
AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps ▶️ View recording
AspireUpdateRemovesOrphanAppHostPackageVersionWhenSdkAlreadyCurrent ▶️ View recording
Banner_DisplayedOnFirstRun ▶️ View recording
Banner_DisplayedWithExplicitFlag ▶️ View recording
Banner_NotDisplayedWithNoLogoFlag ▶️ View recording
CertificatesClean_RemovesCertificates ▶️ View recording
CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate ▶️ View recording
CertificatesTrust_WithUntrustedCert_TrustsCertificate ▶️ View recording
ConfigSetGet_CreatesNestedJsonFormat ▶️ View recording
CreateAndRunAspireStarterProject ▶️ View recording
CreateAndRunAspireStarterProjectWithBundle ▶️ View recording
CreateAndRunEmptyAppHostProject ▶️ View recording
CreateAndRunJavaEmptyAppHostProject ▶️ View recording
CreateAndRunJsReactProject ▶️ View recording
CreateAndRunPythonReactProject ▶️ View recording
CreateAndRunTypeScriptEmptyAppHostProject ▶️ View recording
CreateAndRunTypeScriptStarterProject ▶️ View recording
CreateJavaAppHostWithViteApp ▶️ View recording
CreateTypeScriptAppHostWithViteApp_UsesConfiguredToolchain ▶️ View recording
DashboardRunWithAgentMcpCore ▶️ View recording
DashboardRunWithOtelTracesReturnsNoTracesCore ▶️ View recording
DeployK8sBasicApiService ▶️ View recording
DeployK8sWithExternalHelmChart ▶️ View recording
DeployK8sWithGarnet ▶️ View recording
DeployK8sWithMongoDB ▶️ View recording
DeployK8sWithMySql ▶️ View recording
DeployK8sWithPostgres ▶️ View recording
DeployK8sWithRabbitMQ ▶️ View recording
DeployK8sWithRedis ▶️ View recording
DeployK8sWithSqlServer ▶️ View recording
DeployK8sWithValkey ▶️ View recording
DeployTypeScriptAppToKubernetes ▶️ View recording
DescribeCommandResolvesReplicaNames ▶️ View recording
DescribeCommandShowsRunningResources ▶️ View recording
DetachFormatJsonProducesValidJson ▶️ View recording
DetachFormatJsonProducesValidJsonWhenRestartingExistingInstance ▶️ View recording
DoListStepsShowsPipelineSteps ▶️ View recording
DocsCommand_RendersInteractiveMarkdownFromLocalSource ▶️ View recording
DoctorCommand_DetectsDeprecatedAgentConfig ▶️ View recording
DoctorCommand_TypeScriptAppHostReportsMissingConfiguredToolchain ▶️ View recording
DoctorCommand_WithSslCertDir_ShowsTrusted ▶️ View recording
DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted ▶️ View recording
GeneratedAspireDevScript_StartsWatchMode_WithConfiguredToolchain ▶️ View recording
GlobalMigration_HandlesCommentsAndTrailingCommas ▶️ View recording
GlobalMigration_HandlesMalformedLegacyJson ▶️ View recording
GlobalMigration_PreservesAllValueTypes ▶️ View recording
GlobalMigration_SkipsWhenNewConfigExists ▶️ View recording
GlobalSettings_MigratedFromLegacyFormat ▶️ View recording
InitTypeScriptAppHost_AugmentsExistingViteRepoAtRoot ▶️ View recording
InteractiveCSharpInitCreatesExpectedFiles ▶️ View recording
InvalidAppHostPathWithComments_IsHealedOnRun ▶️ View recording
JavaScriptHostingApisRunFromTypeScriptAppHost ▶️ View recording
LatestCliCanStartStableChannelAppHost ▶️ View recording
LatestCliCanStartStableChannelTypeScriptAppHost ▶️ View recording
LegacySettingsMigration_AdjustsRelativeAppHostPath ▶️ View recording
LogLevelTrace_ProducesTraceEntriesInCliLogFile ▶️ View recording
LogsCommandShowsResourceLogs ▶️ View recording
OtelLogsReturnsStructuredLogsFromStarterApp ▶️ View recording
OtelLogsReturnsStructuredLogsFromStarterAppIsolated ▶️ View recording
PsCommandListsRunningAppHost ▶️ View recording
PsFormatJsonOutputsOnlyJsonToStdout ▶️ View recording
PublishJavaScriptPatternsGeneratesExpectedDockerComposeArtifacts ▶️ View recording
PublishWithConfigureEnvFileUpdatesEnvOutput ▶️ View recording
PublishWithDockerComposeServiceCallbackSucceeds ▶️ View recording
PublishWithoutOutputPathUsesAppHostDirectoryDefault ▶️ View recording
ResourceCommand_FailedExecution_DisplaysAppHostLogPathAndLogContainsEntries ▶️ View recording
ResourceCommand_FailsWhenInteractionServiceIsRequired ▶️ View recording
ResourceCommand_SetAndDeleteParameterUpdatesDescribeOutput ▶️ View recording
RestoreGeneratesSdkFiles ▶️ View recording
RestoreGeneratesSdkFiles_WithConfiguredToolchain ▶️ View recording
RestoreRefreshesGeneratedSdkAfterAddingIntegration ▶️ View recording
RestoreSupportsConfigOnlyHelperPackageAndCrossPackageTypes ▶️ View recording
RunFromParentDirectory_UsesExistingConfigNearAppHost ▶️ View recording
RunPublishFailureScenarioAsync ▶️ View recording
RunReportsSyntaxErrorsForDotNetAppHost ▶️ View recording
RunReportsSyntaxErrorsForTypeScriptAppHost ▶️ View recording
SecretCrudOnDotNetAppHost ▶️ View recording
SecretCrudOnTypeScriptAppHost ▶️ View recording
StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels ▶️ View recording
StartAndWaitForTypeScriptSqlServerAppHostWithNativeAssets ▶️ View recording
StartReportsSyntaxErrorsForDotNetAppHost ▶️ View recording
StartReportsSyntaxErrorsForTypeScriptAppHost ▶️ View recording
StopAllAppHostsFromAppHostDirectory ▶️ View recording
StopJavaPolyglotAppHostUsingApphostDirectory ▶️ View recording
StopNonInteractiveSingleAppHost ▶️ View recording
StopTypeScriptPolyglotAppHostUsingApphostDirectory ▶️ View recording
StopWithNoRunningAppHostExitsSuccessfully ▶️ View recording
UnAwaitedChainsCompileWithAutoResolvePromises ▶️ View recording
UpdateProjectChannelToStable_TypeScript_PicksUpStablePackages ▶️ View recording

📹 Recordings uploaded automatically from CI run #26379892419

{
var preCheck = certificateToolRunner.CheckHttpCertificate();

if (!preCheck.HasCertificates && ShouldGenerateHttpsCertificate())

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danegsta can you review.

@dnegstad dnegstad left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Matches the non-interactive certificate generation behavior of the SDK; only question I have is whether we should support the DOTNET_ prefixed environment variable too.

/// </summary>
private bool ShouldGenerateHttpsCertificate()
{
var value = executionContext.GetEnvironmentVariable(KnownConfigNames.CliGenerateHttpsCertificate);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we honor either the DOTNET_ or ASPIRE_ version here (with the ASPIRE_ version taking precedence)? We honor other DOTNET_ prefixed certificate config still since we want to maintain parity with the aspnet CertificateManager behavior.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope.

@danegsta danegsta left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Helps if I'm not logged into my personal account when I try to approve... looks good, but we should decide if we're going to support both environment prefix and make sure we match the SDK behavior for when we generate a new certificate.

{
var preCheck = certificateToolRunner.CheckHttpCertificate();

if (!preCheck.HasCertificates && ShouldGenerateHttpsCertificate())

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, does HasCertificates do a minimum version check (does it require not just a cert with the dev certs OID, but also a certificate with a minimum version 4 (to match what the SDK sets)? We should make sure we're matching the behavior of generating a new certificate both when there's no certificate and when there's no valid certificate (including the minimum version check).

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like it does, so we're matching the SDK behavior.

@JamesNK JamesNK merged commit aaf9d68 into main May 25, 2026
616 of 620 checks passed
@github-actions github-actions Bot added this to the 13.4 milestone May 25, 2026
aspire-repo-bot Bot added a commit to microsoft/aspire.dev that referenced this pull request May 25, 2026
…pHosts

Documents the new behavior introduced in microsoft/aspire#17454:
- When aspire run starts a non-.NET AppHost (e.g., TypeScript) in
  non-interactive mode and no HTTPS dev certificate exists, the CLI
  now automatically generates one.
- The ASPIRE_CLI_GENERATE_HTTPS_CERTIFICATE environment variable can
  be set to 'false' to opt out of automatic certificate generation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@aspire-repo-bot

Copy link
Copy Markdown
Contributor

Pull request created: #1063

Generated by PR Documentation Check

@aspire-repo-bot

Copy link
Copy Markdown
Contributor

📝 Documentation has been drafted in microsoft/aspire.dev#1063 targeting release/13.4.

Updated src/frontend/src/content/docs/app-host/certificate-configuration.mdx to document the automatic HTTPS development certificate generation for non-.NET AppHosts (e.g., TypeScript) introduced by this PR, including the ASPIRE_CLI_GENERATE_HTTPS_CERTIFICATE opt-out environment variable with bash and PowerShell examples.

Triggered signal: cli_resource_strings_changedsrc/Aspire.Cli/Resources/ErrorStrings.resx added CertificateGenerationFailed, confirming a new user-visible CLI behavior (automatic cert generation with failure warning).

Note

This draft PR needs human review before merging.

@JamesNK JamesNK deleted the fix/dashboard-resource-service-scheme branch May 29, 2026 22:46
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 29, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants