I am totally new to .NET and I came across one problem that is related to an agent application.
Its an IoT agent application which will be deployed and run Windows and Linux systems.
The application is a Web Service based application and uses HTTPS certificate to enable the secure communication between the clients and agent. When I tried to run the application on one of the system, I got error as
System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.
After going through most of the posts, I found that we need to download and install the 'dotnet' run time on the system and run below commands
dotnet dev-certs https
dotnet dev-certs https --check
However, for development environment its okay to run these commands. I am looking for a solution where we can run the application without download and installing the dotnet runtime environment.
What are the initial configuration settings those may required to run the application?
It's not the runtime you are missing (you wouldn't be able to execute the application and get the exception). You are missing a valid certificate for your server.
On a development machine you would issue the command
dotnet dev-certs https --trust
to install a trusted self signed certificate. On a production server you have to install a certificate from your certificate server or if it's public accessible from a trusted certificate authority.
Finally, able to run the application on Windows 7 and Windows 10 machine with the PFX certificate.
You need to generate the certificate. You may follow below link to generate the certificate.
https://www.sslsupportdesk.com/export-ssl-certificate-private-key-pfx-using-mmc-windows/
It is required to configure the Kestrel settings in JSON file. Below is the possible JSON configuration to use the certificate
{
"Kestrel": {
"Endpoints": {
"Https": {
"Url": "https://localhost:9448",
"Certificate": {
"Path": "path/to/certificate/file/your-cert.pfx",
"Password": "PwdOfCert",
"AllowInvalid": true
}
}
}
}
}
Related
VS 2019 16.5.0 Preview 5
Windows 10
Chrome Version 80.0.3987.163 (Official Build) (64-bit)
I Googled this and am unable to find an answer.
I am trying to run a simple asp.net core MVC app with TLS on localhost.
What I did is I created a new project then in the project settings I enabled SSL and the URL I got I copied as App URL
App starts properly and TLS CA is not trusted? I followed the example here: https://stackoverflow.com/a/48790088/4950215 and I added the certificated Located in Personal/Certificates folder to Trusted Root Certification Authorities - Certificates manage computer certificates now showed that the CA is trusted.
I reloaded the app and I saw that the localhost SSL certificate used by Chrome is different than the one registered on my computer, and therefore the CA is still not trusted.
I have found the issue:
Basically, for whatever reason, I had a localhost installed on my LocalComputer store certificates. This made me think that Visual Studio created it, in reality VS creates certificates in the CurrentUser store, as visible by the open code in the dotnet repo.
Typically the procedure, for generating and TLS certificate by VS, is expected to go as such:
A .NET Project is marked as HTTPS, and you try to run it.
VS checks if a certificate is present in the CurrentUser store, asks to create one if it's not
User clicks YES, to creating a certificate, initially the certificate is installed in the CurrentUser/Personal/Certificates store
VS then sees that you do not have a localhost certificate in CurrentUser/TrustedRootCA/Certificates, and makes a prompt to ask you if you would like to install one, you click YES - everything is done.
Now if for some reason you are like me... and your CurrentUser/Trusted Root Certification Authority/Certificates is read only. Then you end up on the following line of the code:
case EnsureCertificateResult.FailedToTrustTheCertificate:
reporter.Warn("There was an error trusting HTTPS developer certificate.");
Because well step 4 failed...
To mitigate this:
Open the CurrentUser and LocalComputer stores. You can do that by following this microsoft guide, or just type certlm.msc and certmgr.msc in the Start.
Right click Export on the localhost certificate in CurrentUser store and export it as with the default options
Try importing the same certificate in the Trusted Root Certification Authorities/Certificates folder of the CurrentUser store.
If step 3 failed,which it should have because you wouldn't be in this predicament otherwise, import your certificate in the Trusted Root Certification Authorities/Certificates folder of the LocalComputer store.
Now everything should work. Hopefully you wouldn't have spent 6 hours on this, like I did.
In my case this worked:
Clean the old certificate and generate a new trusted one. Run the commands listed below:
dotnet dev-certs https --clean
dotnet dev-certs https --trust
Go to %APPDATA%\Microsoft\UserSecrets and delete all of the directories
Re-run the application. It should now run with no SSL errors
source: https://joeblogs.technology/2021/11/neterr_cert_date_invalid/
I'm trying to replicate what Visual Studio does on F5 debugging in my .net core api application.
It seems that "dotnet run --project" is the trick that I'm looking for except for one thing:
When I run with F5, it runs on https and it is trusted.
When I run with dotnet run, it runs on https and it is NOT trusted.
And I seem to be having problems using the application even though it seems to be running.
Any thoughts? I would like to do the same trick that F5 does just in order to test my application, however dotnet run must be missing some sort of certificate or something?
I really don't want to have to change my source code or to do anything with certs, again, because it is working as designed on F5, just need to do the same trick for dotnet run.
Based on the documentation here, it seems like you need to install and trust the development certificate:
.NET Core SDK includes a HTTPS development certificate. The certificate is installed as part of the first-run experience.
While the certificate is installed at this stage, it goes on to say that:
Installing the .NET Core SDK installs the ASP.NET Core HTTPS development certificate to the local user certificate store. The certificate has been installed, but it's not trusted. To trust the certificate perform the one-time step to run the dotnet dev-certs tool.
To trust it, you should use the following command:
dotnet dev-certs https --trust
This should show a dialog prompting you to trust the certificate. Once this is done, you can start your project running again, and restart your browsers. This should allow you to access the site on https://localhost:portnumber
I am following an online tutorial to create an ASP.NET Core Web application. I followed everything but had trouble with trusting the local HTTPS certificate.
When I first run the application, I got an error saying:
"the access control list (acl) structure is invalid"
I tried googling this error but couldn't find anything related to my ASP.NET application, after cleaning the solution I didn't get this error any longer.
But I was unable to run my application in browser using HTTPS as it always says:
"This site is not secure"
I tried to trust certificate using CMD using this command:
dotnet dev-certs https --trust
It should show me a prompt to trust the certificate but it says "there was an error trusting the HTTPS developer certificate" and the application runs in an unsafe mode on the browser.
Can someone please help me run my application with HTTPS on my local environment? Any help will be greatly appreciated. Thanks
This seems to be a bug in ASP.NET Core 2.1:
what you need to do is go move your added certificates from your certificate manager.
go to start menu > Type "Win + R" type "certlm.msc", this will open your certificate manager.
go to Personal/Certificates
you will find a certificate named "localhost there.
Move that to "Trusted Root Certification Authorities/Certificates"
run the project again, and it should work.
Hope this helps.
I had the same problem in .NET 5. Running the command gave me the same error. After a few iterations I figured it out finally...
I was trying to create certificates manually through certlm.msc (local computer) but apparently the certificate should be created in certmgr.msc (current user). This is the place where the certificate gets saved when you run the command
dotnet dev-certs https --trust.
Windows + R and type certlm.msc
Go to Personal -> Certificates and export the localhost certificate with the same key (asks for password)
Go to Trusted Root Certification Authorities -> Certificates and right-click to click on Import
Browse and select the exported certificate
Place all certificates in the following store is selected and click on Browse again
Mark the checkbox: Show physical stores
Click on Trusted Root Certification Authorities and press on Local Computer
Finish everything
I had this issue in .net 6, solve it with help of this comment.
dotnet dev-certs https --clean
dotnet dev-certs https --trust
(maybe the clean is necessary as a first step...)
I have tried all the suggestions but eventually, The below solution worked for me.
Uninstall IIS Express via Add Remove Program
Run command: dotnet dev-certs https --clean
Re-install IIS Express by downloading it from the Microsoft website
Run the Asp.Net application from Visual Studio
Visual studio will prompt for generating a certificate, click yes.
In my case, it generated the certificate but failed to add the certificate to the trusted root with an error 'Access Denied'
Windows + R and type mmc
File > Add Snap-In
Select Certificates and click add
Select the 'Computer account' option and click finish, then click Ok.
Then expand the certificates(Local Computer) > Personal > Certificates
You will find a local host certificate with the friendly name 'ISS Express Development Certificate'
Select the certificate then cut and paste it into Trusted Root Certification Authorities -> Certificates
I am hosting my WCF service by NT Windows Service.
The Windows service runs under a local machine user, which is not included to the Local Machine Administrators Group.
The Wcf Service calls a 3rd Party WCF Service which is using a Client Certificate for the Client Authentication.
The Client Certificate is installed under "Personal" for the "Local Computer".
Additionally I have downloaded "Windows HTTP Services Certificate Configuration Tool" https://download.microsoft.com/download/4/5/b/45bab62d-cdd8-42c7-85d0-0275b96db2c5/winhttpcertcfg.msi and granted the NT Service User access to the Client Certificate
WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "*Cer CN*" -a "*My User*"
after service start I can reach the 3rd Party service successfully, but after a couple of hours of work I receive SSL Certificate error, which gets fixed after restarting the Windows Service
How can I fix this?
If your service is up and running before, but after a period of time, there will be an occasional failure, indicating that the SSL certificate chain has crashed.
I recommend that you update the Dotnetframework version or the operating system version, because the use of the certificate protocol requires a prerequisite.
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
In addition, it is recommended that you do not use self-signed certificates, and in the certificate store, right click the certificate, All Tasks, manage the private keys menu to add the appropriate user groups.
Feel free to let me know If the problem still exists.
I am learning .Net Core.
I have developed WebApplication using ASP.Net MVC and as it can be installed and run on Local IIS.
What's the similar way to Host / Publish .Net Core WebApi in Ubuntu and Linux instead of running on specific port like 5000?
Is docker helpful for that context? If yes then how can I use it?
Is it possible to host / publish without docker? How can i Host / Publish without Docker?
I also read following link and implemented all steps.
Publish to a Linux Production Environment
In above link i am unable to identify what will be the url to access webapi?
As #Pawel has noted, the recommended way to host your .NET Core Web API or ASP.NET Core application is using Kestrel, the webserver which is built into the dotnet core tooling. For development purposes you do not need another webserver to start and test your api.
You do not need Docker to host your web application/API, but should consider it for production hosting because it's a clean, fast way to automate releases and isolate processes.
With Docker the process structure is the same - Docker just hosts and manages the processes. You would have Kestrel running you API in one Docker container, and Nginx (in another container or installed on the base OS) forwarding calls to it.
Hosting your API without Docker
On Ubuntu, use either Nginx (or Apache) to provide your public HTTPS, and configure it to forward requests to your Kestrel server, which typically runs on port 5000. If your server is running a firewall, do not expose port 5000, but open port 443 (HTTPS) on that machine. Setting up Nginx is covered in the article you referenced. As noted, not required just to start and test your Web API.
Kestrel is fast but very simple - eg. it does not support HTTPS (which you should use for a public API, because you will need authentication, and you can't authenticate securely without HTTPS. There are many other reasons to use Nginx/Apache over Kestrel - security, load balancing, reverse proxy capabilies etc.
Simple steps to get just you API running in a development setup
Ensure you are defining the appropriate runtime in you project.json
"runtimes": {
"win7-x64": {},
"win81-x64": {},
"ubuntu.14.04-x64": {},
"debian.8-x64": {}
}
Ensure that your project.json defines "emitEntryPoint": true in the buildOptions section.
Build your project for the platform you will deploy to: dotnet build -r ubuntu.14.04-x64 --build-profile Release
Publish you project for the platform: dotnet publish -r ubuntu.14.04-x64 --configuration Release -o ./bin/Release/Publish
Use the command line as I've shown to build and publish your app for Ubuntu - I have tried in VS 2015 Update 3 and had problems getting it to build for the right runtime
Copy the files in the Publish folder to your Ubuntu VM or server, and add any files you app needs to run, such as appsettings.json.
Ensure that the appropriate .NET Core framework is installed on your Linux machine.
Open a terminal window, sudo -i to get admin rights, cd to the folder where you put your binaries and run your api using : dotnet MyWebApi.dll where MyWebApi.dll is the main output of your build process.
At this point Kestrel should start with the usual message saying what port it is listening on (say, 5000). If it is a headless server, you should be able to call you Web API using curl:
curl http://localhost:5000/whatever/your/api/needs/here
If the Ubuntu box has a GUI (Gnome etc) you should be able to connect to your api with a browser.
If your Ubuntu server is not running a firewall, you should be able to connect to the Web API with a browser from another machine on the same network:
http://<linux-ip-address>:5000/whatever/your/api/needs/here
You can get the IP address of your Ubuntu server by typing ip addr show in a terminal window.
Notes
Managing your firewall is dependent on your Linux distro. If the server is public, you really must run one and use it to shut down access to you Kestrel service.
Setting up Docker is more complicated, too much to add here. Ask a separate question and I will document what I have done.
Note that when you run under IIS on Windows, exactly the same thing is happening: IIS forwards the requests to Kestrel on port 5000 or whatever you specify. Typically IIS is configured (via the web.config file generated by your publish) to start Kestrel when it is needed and keep it running. You could start your app manually on Windows with dotnet MyWebApi.dll and configure IIS to forward to it.
Running as I've described is fine when learning, but for production you would need to define you API to start as a Linux daemon and have Linux restart it if it crashes (Docker can also do this for you). IIS generally takes care of this for you.
Asp.NET Core application use a cross platform application web server called Kestrel. You can run your application with Kestrel directly (e.g. using dotnet run - very useful during devlepment) however it's not recommended expose Kestrel directly to the outside world, so in a production environment you would put IIS in front of your application when running on Windows or nginx when running on Linux. You can find a sample nginx config here: https://github.com/aspnet/ServerTests/blob/dev/test/ServerComparison.FunctionalTests/nginx.conf
You can specify url/port like this (in your "Program.cs" file):
public static void Main(string[] args) {
var host = new WebHostBuilder()
.UseKestrel()
.UseUrls("http://192.168.0.0:8080")
.UseContentRoot(Directory.GetCurrentDirectory())
.UseStartup<Startup>()
.Build();
host.Run();
}
Replace "192.168.0.0" with the actual ip or url in the UseUrls() method.
In your project directory just open a terminal/console window and run "dotnet run".
Make sure it says "Now listening on: 192.168.0.0:8080" (or the url/ip you put in).
The above example assumes you are using Startup for your startup class