How to run "dotnet dev-certs https --trust"?

Problem description

I'm new to ASP.NET.

Environment:

  • Ubuntu 18.04
  • Visual Studio Code
  • .NET SDK 2.2.105

I'm having trouble running some commands.

I'm following

https://docs.microsoft.com/ja-jp/aspnet/core/tutorials/razor-pages/razor-pages-start?view=aspnetcore-2.2&tabs=visual-studio-code

and running this command:

dotnet dev-certs https --trust

I expect https://localhost should be trusted, but I found this error message:

$ Specify --help for a list of available options and commands.

It seems that the command "dotnet dev-certs https" has no --trust option. How can I resolve this problem?

Recommended answer

On Ubuntu the standard mechanism would be:

  • dotnet dev-certs https -v to generate a self-signed cert
  • convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
  • copy localhost.crt to /usr/local/share/ca-certificates
  • trust the certificate using sudo update-ca-certificates
  • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
  • verify if it's trusted using openssl verify localhost.crt

Unfortunately this does not work:

  • dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:

    $ openssl verify localhost.crt
    CN = localhost
    error 20 at 0 depth lookup: unable to get local issuer certificate
    error localhost.crt: verification failed

  • because of which it is impossible to have the dotnet client trust the certificate

Workaround: (tested on OpenSSL 1.1.1c)

1. manually generate self-signed cert
2. trust this cert
3. force your application to use this cert

In detail:

1. manually generate self-signed cert:

    • create a localhost.conf file with the following content:
    [req]
    default_bits       = 2048
    default_keyfile    = localhost.key
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    x509_extensions    = v3_ca
    
    [req_distinguished_name]
    commonName                  = Common Name (e.g. server FQDN or YOUR name)
    commonName_default          = localhost
    commonName_max              = 64
    
    [req_ext]
    subjectAltName = @alt_names
    
    [v3_ca]
    subjectAltName = @alt_names
    basicConstraints = critical, CA:false
    keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment
    
    [alt_names]
    DNS.1   = localhost
    DNS.2   = 127.0.0.1
    

    • generate cert using openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
    • convert cert to pfx using openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
    • (optionally) verify cert using openssl verify -CAfile localhost.crt localhost.crt which should yield localhost.crt: OK
    • as it's not trusted yet, using openssl verify localhost.crt should fail with

      CN = localhost
      error 18 at 0 depth lookup: self signed certificate
      error localhost.crt: verification failed

2. trust this cert:

    • copy localhost.crt to /usr/local/share/ca-certificates
    • trust the certificate using sudo update-ca-certificates
    • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
    • verifying the cert without the CAfile option should work now

      $ openssl verify localhost.crt
      localhost.crt: OK

3. force your application to use this cert

    • update your appsettings.json with the following settings:

    "Kestrel": {
      "Certificates": {
        "Default": {
          "Path": "localhost.pfx",
          "Password": ""
        }
      }
    }
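
Step 1 of the workaround as a non-interactive script with sanity checks, added here as an example (not part of the original answer). The config is a trimmed copy of the answer's localhost.conf with the CSR-only entries left out; the function names make_dev_cert and check_dev_cert, and the use of -batch, -passout pass: and umask 077, are choices of this example.

```shell
# Added example: generate the self-signed localhost cert and PFX without prompts.
# Assumes the openssl CLI is installed; function names are hypothetical.
make_dev_cert() (   # usage: make_dev_cert <output-dir>
  cd "$1" || exit 1
  umask 077         # private key and PFX end up readable by the owner only
  cat > localhost.conf <<'EOF'
[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[req_distinguished_name]
commonName         = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost

[v3_ca]
subjectAltName   = @alt_names
basicConstraints = critical, CA:false
keyUsage         = keyCertSign, cRLSign, digitalSignature, keyEncipherment

[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
EOF
  # -batch takes commonName_default instead of prompting; the empty export
  # password matches "Password": "" in appsettings.json.
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -batch \
    -keyout localhost.key -out localhost.crt -config localhost.conf &&
  openssl pkcs12 -export -out localhost.pfx -inkey localhost.key \
    -in localhost.crt -passout pass:
)

check_dev_cert() (  # usage: check_dev_cert <dir>; prints "ok" if every check passes
  crt=$1/localhost.crt
  pfx=$1/localhost.pfx
  openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 ||
    { echo "self-verification failed"; exit 1; }
  openssl x509 -in "$crt" -noout -text | grep -q 'DNS:localhost' ||
    { echo "subjectAltName lacks localhost"; exit 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
    { echo "certificate expired"; exit 1; }
  openssl pkcs12 -in "$pfx" -passin pass: -nokeys >/dev/null 2>&1 ||
    { echo "PFX not readable with empty password"; exit 1; }
  echo "ok"
)
```

Trusting the certificate (step 2) still means copying localhost.crt to /usr/local/share/ca-certificates and running sudo update-ca-certificates.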
        


10-25 00:30