CertificateRequest.CreateSelfSigned fails on macOS Sequoia #106775
Comments
@Annny-Cap-Daniel Can you please try again with the |
Thanks for your prompt reply!
and
|
I'm getting the same thing. Same exact output. |
@vcsjones Could this be another change on Apple's end? |
Possibly relevant: dotnet/aspnetcore#19590 (comment) |
I am on Sequoia. Beta 7. |
What happens if you run this console app?

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

var subject = new X500DistinguishedName("CN=localhost");

// Subject Alternative Name: DNS:localhost
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("localhost");

var keyUsage = new X509KeyUsageExtension(
    X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature,
    critical: true);

// Extended Key Usage: TLS server authentication only
var enhancedKeyUsage = new X509EnhancedKeyUsageExtension(
    [ new Oid("1.3.6.1.5.5.7.3.1", "Server Authentication") ],
    critical: true);

// End-entity certificate, not a CA
var basicConstraints = new X509BasicConstraintsExtension(
    certificateAuthority: false,
    hasPathLengthConstraint: false,
    pathLengthConstraint: 0,
    critical: true);

using var rsa = RSA.Create(2048);
var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(basicConstraints);
request.CertificateExtensions.Add(keyUsage);
request.CertificateExtensions.Add(enhancedKeyUsage);
request.CertificateExtensions.Add(sanBuilder.Build());

// Validity window: starts one day from now and lasts one day
var notBefore = DateTimeOffset.UtcNow.AddDays(1);
var notAfter = notBefore.AddDays(1);

// This is the call that throws on macOS Sequoia
using var cert = request.CreateSelfSigned(notBefore, notAfter);
Console.WriteLine(cert is not null);
```

It creates a cert that's similar to the dev cert without all the extra baggage of being a dotnet tool. |
I'm on macOS Sequoia (15.0 Beta 24A5327a). Just ran the sample console app and get the same exception as in the dotnet tool:
|
And what if you change this? -certificateAuthority: false,
+certificateAuthority: true, |
same exception unfortunately. |
That's actually good news because it means they haven't decided they don't like the slightly unusual shape of our certificate. |
Title changed from "dotnet dev-certs https fails on macOS Sequoia" to "CertificateRequest.CreateSelfSigned fails on macOS Sequoia"
Moving this to |
I don't know when we're going to have a chance to look at this (not "indefinitely far", but probably "at least several days away"). We have a few small fires to deal with for the .NET 9 release on already in-market OSes, and are super-saturated on those tasks. If anyone from the community at large wants to jump in and help debug what's going on, that'd be appreciated. |
first try enabling verbose logging to get more detailed error messages using

```
export DOTNET_CLI_TELEMETRY_OPTOUT=1
export DOTNET_MULTILEVEL_LOOKUP=0
dotnet dev-certs https --trust --verbose
```

and several common troubleshooting steps would include to clear existing certificates manually or you use the

```
security find-certificate -a
security delete-certificate -c "ASP.NET Core HTTPS development certificate"
```

also did you ensure that your user account has the necessary permissions to access the keychain, tried creating a certificate manually using openssl? |
same problem:

```
dotnet dev-certs https --trust --verbose
[1] Listing certificates from CurrentUser\My
[1] Listing certificates from CurrentUser\My
```
|
This almost certainly looks like another lifetime issue. I should be able to take a look by the end of the week. |
Before I get to it, any chance someone can try on .NET 9 preview 7 (or later)? |
Okay, curiosity took over so I had a peek. The "good news" is that our unit tests fail and reproduce the issue:
The other "good news" is that this is the only thing that fails on macOS 15. |
@adityamandaleeka the fix is not present in the |
Hey, same error on macOS Sequoia final version! |
Yep. This will be fixed in the October patch cycle for .NET. See the corresponding announcement for additional information. |
Any update or workaround here? Our team is blocked because of this. Should we just reinstall the old version of Mac OS just to have this command work? |
I am not aware of any workarounds. If downgrading is an option, that seems reasonable. The only other option would be to wait until the October release of .NET. |
This shouldn't be closed until there is a release out the door. And someone internal should be making the call to release an emergency patch release .402 that fixes this. |
Agreed. Otherwise pointing to some documented steps on how to manually generate the certification and import it using the dotnet CLI would be better than a "wait until the October update train" hand-wave. We don't all have the luxury of not upgrading to Apple's latest OS because we're not all just dotnet developers. |
So all the users of the modern macOS are blocked from using .NET and you just tell us to wait for the October release? Guys, it looks like a critical issue and the fix should be deployed in hours, not even days... |
Don't think it's the best, but it works for the time being. Generating a self-signed crt + key, convert it to a pfx and then configure the app to use that appsettings.Development.json
At least I can now continue development. |
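The workaround in the comment above (self-signed cert and key, converted to a PFX, referenced from appsettings.Development.json), written out as an added example that is not the commenter's or the .NET team's code. The file names, the `localhost-dev` friendly name and the `DEV_PFX_PASSWORD` environment variable are assumptions; the extensions mirror the console repro earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Paths, the friendly name and the
# DEV_PFX_PASSWORD variable are assumptions made for illustration.
set -eu

make_dev_pfx() {
    dir=$1
    mkdir -p "$dir"
    # Minimal config so the result does not depend on the system openssl.cnf.
    # Extensions mirror the repro app: non-CA, serverAuth EKU, DNS SAN.
    cat > "$dir/localhost.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = localhost
[ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = critical,serverAuth
subjectAltName = DNS:localhost
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -config "$dir/localhost.cnf" \
        -keyout "$dir/localhost.key" -out "$dir/localhost.crt"
    # Password is read from the environment so it never appears in argv.
    openssl pkcs12 -export -name localhost-dev \
        -inkey "$dir/localhost.key" -in "$dir/localhost.crt" \
        -out "$dir/localhost.pfx" -passout env:DEV_PFX_PASSWORD
    chmod 600 "$dir/localhost.key" "$dir/localhost.pfx"
}

# Succeeds only if the PFX opens with the password and the cert has the SAN.
check_dev_pfx() {
    dir=$1
    openssl pkcs12 -in "$dir/localhost.pfx" -noout \
        -passin env:DEV_PFX_PASSWORD 2>/dev/null &&
    openssl x509 -in "$dir/localhost.crt" -noout -text |
        grep -q 'DNS:localhost'
}

# Kestrel fragment for appsettings.Development.json; the password is supplied
# separately as Kestrel__Certificates__Default__Password in the environment.
kestrel_fragment() {
    printf '{ "Kestrel": { "Certificates": { "Default": { "Path": "%s" } } } }\n' \
        "$1/localhost.pfx"
}
```

The certificate is self-signed, so clients will not trust it until it is added to a trust store.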
It helps me to run the webapp (but I had to add config in the Program.cs) but I still can't make requests from the Android emulator. |
Workaround that worked for me:
After that it asks for a password, installs the certificate, and debugging of my 8.0 app works again. |
@pvasek xattr -d com.apple.quarantine -r dotnet-sdk-9.0.100-rc.2.24473.20-osx-arm64 |
@kalebzettl @pvasek Thanks, that worked for me. Here's a consolidated instruction set:
|
.NET 8.0.10 is already available and feels like it contains the fix. |
This worked great for me! Thanks! |
It doesn't fix it. This is still broken. Not sure how this isn't resolved yet. Entire platform completely broken without hacking with pre-release software. |
ok, for anyone that hits this: dotnet dev-certs https --clean Will work if it doesn't just work automatically. Thanks @vcsjones for the clean suggestion. PS: MS Mac fix for Sequoia should be in the release notes and called out exactly how to fix this. |
I have had the same issue. I have downloaded the latest SDK (SDK 8.0.403) and it worked for me. Thanks for your help. |
For .NET 6, it doesn't work. I uninstalled all my .NET SDKs and Runtimes and installed the latest .NET 6 version. However, when I create a new certificate and run Do you have any suggestions? I'm working on an Intel iMac and currently can't proceed with my .NET Core projects. I need .NET 6 for a customer project. I also installed version 6.0.427, but the same issue persists. Thanks in advance! |
This issue is specifically about people getting the error "There was an error creating the HTTPS developer certificate.". However, it looks like you just need to run |
a workaround to add a functioning localhost certificate is posted in this post: https://dev.to/michaelcharles/fixing-the-https-developer-certificate-error-in-net-on-macos-sequoia-516h |
Update: repro app here
Is there an existing issue for this?
Describe the bug
the command dotnet dev-certs https fails with the error: There was an error creating the HTTPS developer certificate.
Exception:
What I already tried:
dotnet dev-certs https --clean
Nothing changed the behaviour and I still get the same error.
Expected Behavior
the certificate should be created.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
8.0.401
Anything else?