Hello,
I am trying to trust a self-signed certificate across my system, but am having trouble getting the certificate to be trusted everywhere.
So far I have tried:
- Generated a .crt from my certificate and ran:
trust anchor --store ./localhost.crt
- Generated a .pem from my certificate and ran:
cp ./localhost.pem /etc/ca-certificates/trust-source/anchors/
trust extract-compat
update-ca-trust
Currently, only chromium is happy with the certificate.
trust list
Shows my certificate:
pkcs11:id=...id...;type=cert
type: certificate
label: localhost
trust: anchor
category: other-entry
... more
However if I attempt to curl the url:
curl -v https://localhost:8080/
* Trying ::1:8080...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above
and
cat /etc/ssl/certs/ca-certificates.crt | grep -i localhost
shows it isn't in there.
(I am aware I can pass curl a certificate file, or tell it to ignore TLS errors, but I am only using it for testing. My issue is around multiple applications communicating locally over https.)
Last edited by george_p (2019-12-12 18:20:11)
[...]my certificate:
pkcs11:id=...id...;type=cert
type: certificate
label: localhost
trust: anchor
category: other-entry
See [SOLVED] Can I trust self-signed SSL certificate?.
TL;DR there are self-signed certificates, and then there are CA certificates (with "basicConstraints = CA:true").
--
saint_abroad
Thank you! Not sure how I missed that post.
If anyone is coming from a search engine:
Don't.
Generate your own certificates and pfx, inputting a password when prompted:
(Lightly adapted from: [SOLVED] Can I trust self-signed SSL certificate?)
#!/usr/bin/env bash
set -eu
org=localhost-ca
domain=localhost
openssl genpkey -algorithm RSA -out ca.key
openssl req -x509 -key ca.key -out ca.crt \
-subj "/CN=$org/O=$org"
openssl genpkey -algorithm RSA -out "$domain".key
openssl req -new -key "$domain".key -out "$domain".csr \
-subj "/CN=$domain/O=$org"
openssl x509 -req -in "$domain".csr -days 365 -out "$domain".crt \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(cat <<END
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$domain
END
)
openssl pkcs12 -export -out "$domain".pfx -inkey "$domain".key -in "$domain".crt
Trust your certificate authority:
sudo trust anchor ca.crt
Set your ASPNETCORE environment variables appropriately:
export ASPNETCORE_Kestrel__Certificates__Default__Password="password for pfx"
export ASPNETCORE_Kestrel__Certificates__Default__Path="full path to localhost.pfx"
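As an added example (not code from the thread or from either poster), the following script builds a throwaway CA and one leaf signed by it, then runs the two checks behind the replies above: whether a certificate carries basicConstraints CA:TRUE, and whether OpenSSL (and so curl) can chain the leaf to a given trust file. The file names, the inline config and the temp directory are assumptions of this example; it needs only openssl and never touches the system trust store.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Needs openssl; everything is built in a
# temp dir so nothing touches the system trust store.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

# True when the certificate carries basicConstraints CA:TRUE, which is what
# separates a CA certificate from a plain self-signed leaf.
is_ca_cert() {
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Exit 0 when OpenSSL can build a chain from leaf $2 to trust file $1.
verifies_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check, but prints OpenSSL's verdict text on one line for display.
verify_reason() {
  openssl verify -CAfile "$1" "$2" 2>&1 | tr '\n' ' '
}

# Constructed PKI: an explicit CA (CA:TRUE) and one leaf it signs (CA:FALSE).
make_test_pki() {
  cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = localhost-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -days 365 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout localhost.key \
    -out localhost.csr -subj "/CN=localhost" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\n' > leaf.ext
  openssl x509 -req -in localhost.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out localhost.crt -extfile leaf.ext 2>/dev/null
}

make_test_pki
for f in ca.crt localhost.crt; do
  is_ca_cert "$f" && echo "$f: CA:TRUE" || echo "$f: not a CA, will not be exported as an anchor"
done
echo "leaf vs CA:   $(verify_reason ca.crt localhost.crt)"
echo "leaf vs leaf: $(verify_reason localhost.crt localhost.crt)"
```

The second verify line reproduces curl's "unable to get local issuer certificate": trusting the leaf alone gives OpenSSL nothing that can act as its issuer, while trusting ca.crt makes the chain complete.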
@george_p
Hi, I created ca files with your script. And executed `update-ca-trust`. But `dotnet run` still didn't work.
I tried to import the pfx with `dotnet dev-certs https --clean --import localhost.pfx -p <password>`. But it threw `The certificate at 'path/to/localhost.pfx' is not a valid ASP.NET Core HTTPS development certificate.`
Do you know how to make a valid one?