Opendict Certificate fail at X509CopyWithPrivateKey at macOS Sequoia #20920

Closed
1 task done
thebigkhaled opened this issue Sep 28, 2024 · 3 comments

thebigkhaled commented Sep 28, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Description

I’m encountering an issue with a newly generated project after updating to macOS Sequoia (15). After completing the migration successfully, the problem arises when attempting to run the project. Initially, I had trouble with .NET certificate generation, but I was able to resolve that by following the workaround for CertificateRequest.CreateSelfSigned on macOS Sequoia.

CertificateRequest.CreateSelfSigned fails on macOS Sequoia

Even after successfully generating the development certificate, I’m still encountering an error related to the OpenIddict certificate. I suspect this is due to macOS Sequoia’s updated security policies. While the workaround works fine for .NET APIs, it doesn’t seem to resolve the issue for ABP projects.

.NET is expected to release an emergency update in October to address this problem, but in the meantime, does anyone have suggestions for a fix?

Exception thrown: 'Volo.Abp.AbpInitializationException' in System.Private.CoreLib.dll: 'An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=8.3.1.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.'

 Inner exceptions found, see $exception in variables window for more details.
 Innermost exception 	 Interop.AppleCrypto.AppleCommonCryptoCryptographicException : The specified item is no longer valid. It may have been deleted from the keychain.
   at Interop.AppleCrypto.X509CopyWithPrivateKey(SafeSecCertificateHandle certHandle, SafeSecKeyRefHandle privateKeyHandle, SafeKeychainHandle targetKeychain)
   at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(SafeSecKeyRefHandle privateKey)
   at System.Security.Cryptography.X509Certificates.AppleCertificatePal.CopyWithPrivateKey(RSA privateKey)
   at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.CopyWithPrivateKey(X509Certificate2 certificate, RSA privateKey)
   at System.Security.Cryptography.X509Certificates.CertificateRequest.CreateSelfSigned(DateTimeOffset notBefore, DateTimeOffset notAfter)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate(X500DistinguishedName subject)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate()
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
   at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
   at Volo.Abp.AbpApplicationBase.<ConfigureServicesAsync>d__29.MoveNext()

Reproduction Steps

  1. Generate a new application using the CLI on macOS Sequoia.

         abp new newApp -csf -u angular -m react-native --skip-migrations --skip-migrator -d ef -cs Server=Server=localhost,1433;User ID=SA;Password=Pass@1234;Database=MainDB;Encrypt=false;TrustServerCertificate=true;

  2. Run the migration and then run the app.

Expected behavior

No response

Actual behavior

No response

Regression?

No response

Known Workarounds

1. Download the tar.gz version of the nightly build of the upcoming dotnet; it can be found in [package-table.md](https://github.com/dotnet/sdk/blob/main/documentation/package-table.md)
2. Unpack it
3. Go to that unpacked folder
4. Run ./dotnet dev-certs https --trust (it's important to use ./ otherwise it uses the installed dotnet)

Version

8.3.1

User Interface

React Native

Database Provider

EF Core (Default)

Tiered or separate authentication server

Tiered

Operation System

macOS

Other information

No response

@thebigkhaled
Author

I found a workaround solution to use the production certificate: run

        dotnet dev-certs https -v -ep openiddict.pfx -p db1e01bd-e51c-4345-8255-c789e345940a --trust

then change the environment to production in

        if (true)
        {
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
            {
                options.AddDevelopmentEncryptionAndSigningCertificate = false;
            });

            PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
            {
                serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "db1e01bd-e51c-4345-8255-c789e345940a");
                serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
            });
        }

@faresbouzayen

Update to the Latest .NET SDK: Ensure you are using the latest .NET SDK that might have fixes for macOS Sequoia issues. Regularly check the official .NET GitHub repository for updates.

Modify Configuration:

If using the workaround with the production certificate, make sure to set the environment correctly in your configuration:

        if (true)
        {
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
            {
                options.AddDevelopmentEncryptionAndSigningCertificate = false;
            });

            PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
            {
                serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "db1e01bd-e51c-4345-8255-c789e345940a");
                serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
            });
        }

File a Detailed Bug Report: If not already done, consider filing a bug report on the .NET repository, including all the details and your findings. This can help improve future updates and potentially address your issue more promptly.

Community Support: Engage with the ABP community or relevant forums for any potential fixes or shared experiences from other developers facing similar issues.

Review Keychain Access: Since the error indicates that the certificate may have been deleted from the keychain, ensure that the certificate exists and is accessible in your macOS Keychain. You may need to re-add it if it's missing.
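
Both comments above pass the PFX passphrase to AddProductionEncryptionAndSigningCertificate as a source-code literal. As an added example (not code from this thread or from ABP/OpenIddict), the helper below reads the path and passphrase from configuration and checks the PFX before it is handed to the server builder; the class name and the two configuration keys are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;

// Added example; not code from the issue thread or from ABP/OpenIddict.
public static class OpenIddictPfxSettings
{
    // Hypothetical configuration keys. Set them outside source control, e.g. via the
    // environment variables AuthServer__CertificatePath / AuthServer__CertificatePassPhrase.
    public const string PathKey = "AuthServer:CertificatePath";
    public const string PassPhraseKey = "AuthServer:CertificatePassPhrase";

    public static (string Path, string PassPhrase) Resolve(IConfiguration configuration)
    {
        var path = configuration[PathKey] ?? "openiddict.pfx";
        var passPhrase = configuration[PassPhraseKey];
        if (string.IsNullOrEmpty(passPhrase))
            throw new InvalidOperationException($"{PassPhraseKey} is not configured.");
        if (!File.Exists(path))
            throw new FileNotFoundException("OpenIddict PFX file not found.", path);

        // Open the PFX once so that a wrong passphrase (CryptographicException), a missing
        // private key or an expired certificate is reported here with a clear message
        // instead of during OpenIddict server configuration.
        using var certificate = new X509Certificate2(path, passPhrase);
        if (!certificate.HasPrivateKey)
            throw new InvalidOperationException($"'{path}' contains no private key.");

        var now = DateTime.Now; // NotBefore/NotAfter are expressed in local time
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new InvalidOperationException(
                $"'{path}' is outside its validity period ({certificate.NotBefore} to {certificate.NotAfter}).");

        return (path, passPhrase);
    }
}

// Usage inside the PreConfigure<OpenIddictServerBuilder> callback shown in the thread:
//   var (path, passPhrase) = OpenIddictPfxSettings.Resolve(configuration);
//   serverBuilder.AddProductionEncryptionAndSigningCertificate(path, passPhrase);
```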

@maliming maliming self-assigned this Sep 30, 2024
@maliming maliming removed the bug label Sep 30, 2024
@maliming maliming closed this as completed Oct 3, 2024
@maliming maliming removed their assignment Oct 3, 2024
Member

maliming commented Oct 3, 2024

Thanks @faresbouzayen
