CertificateRequest.CreateSelfSigned fails on macOS Sequoia
#106775
Comments
|
@Annny-Cap-Daniel Can you please try again with the |
|
Thanks for your prompt reply!
and |
|
I'm getting the same thing. Same exact output. |
|
@vcsjones Could this be another change on Apple's end? |
|
Possibly relevant: dotnet/aspnetcore#19590 (comment) |
|
I am on Sequoia. Beta 7. |
|
What happens if you run this console app? using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
var subject = new X500DistinguishedName("CN=localhost");
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("localhost");
var keyUsage = new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, critical: true);
var enhancedKeyUsage = new X509EnhancedKeyUsageExtension(
[ new Oid("1.3.6.1.5.5.7.3.1", "Server Authentication") ],
critical: true);
var basicConstraints = new X509BasicConstraintsExtension(
certificateAuthority: false,
hasPathLengthConstraint: false,
pathLengthConstraint: 0,
critical: true);
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(basicConstraints);
request.CertificateExtensions.Add(keyUsage);
request.CertificateExtensions.Add(enhancedKeyUsage);
request.CertificateExtensions.Add(sanBuilder.Build());
var notBefore = DateTimeOffset.UtcNow.AddDays(1);
var notAfter = notBefore.AddDays(1);
using var cert = request.CreateSelfSigned(notBefore, notAfter);
Console.WriteLine(cert is not null);It creates a cert that's similar to the dev cert without all the extra baggage of being a dotnet tool. |
|
I'm on MacOS Sequoia (15.0 Beta 24A5327a). Just ran the sample console app and get the same exception as in the dotnet tool: |
|
And what if you change this? -certificateAuthority: false,
+certificateAuthority: true, |
|
same exception unfortunately. |
That's actually good news because it means they haven't decided they don't like the slightly unusual shape of our certificate. |
amcasey
changed the title
dotnet dev-certs https fails on macOS SequoiaCertificateRequest.CreateSelfSigned fails on macOS Sequoia
dotnet-policy-service
bot
added
the
untriaged
|
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones |
|
Moving this to |
|
I don't know when we're going to have a chance to look at this (not "indefinitely far", but probably "at least several days away"). We have a few small fires to deal with for the .NET 9 release on already in-market OSes, and are super-saturated on those tasks. If anyone from the community at large wants to jump in and help debug what's going on, that'd be appreciated. |
bartonjs
added
the
help wanted
jeffhandley
removed
the
untriaged
|
first try enabling verbose logging to get more detailed error messages using export DOTNET_CLI_TELEMETRY_OPTOUT=1
export DOTNET_MULTILEVEL_LOOKUP=0
dotnet dev-certs https --trust --verboseand several common troubleshooting steps would include to clear existing certificates manually or you use the security find-certificate -a
security delete-certificate -c "ASP.NET Core HTTPS development certificate"also did you ensure that your user account has the necessary permissions to access the keychain, tried creating a certificate manually using openssl ? |
|
same problem: dotnet dev-certs https --trust --verbose [1] Listing certificates from CurrentUser\My [1] Listing certificates from CurrentUser\My |
|
This almost certainly looks like another lifetime issue. I should be able to take a look by the end of the week. |
This comment was marked as outdated.
This comment was marked as outdated.
|
Okay, curiosity took over so I had a peek. The "good news" is that our unit tests fail and reproduce the issue: The other "good news" is that this is the only thing that fails on macOS 15. |
vcsjones
added
os-macos-sequoia (macOS15)
and removed
help wanted
dotnet-policy-service
bot
added
the
in-pr
|
This is a behavioral change for macOS 15. I have a fix put up for it, but unfortunately there are no reasonable work around at the moment. The core of the issue is that
|
This comment was marked as off-topic.
This comment was marked as off-topic.
|
@adityamandaleeka the fix is not present in the |
|
Hey same error MacOs Sequoia final version! |
Yep. This will be fixed in the October patch cycle for .NET. See the corresponding announcement for additional information. |
|
Any update or workaround here? Our team is blocked because of this. Should we just reinstall the old version of Mac OS just to have this command work? |
|
I am not aware of any work arounds. If downgrading is an option, that seems reasonable. The only other option would be to wait until the October release of .NET. |
|
This shouldn't be closed until there is a release out the door. And someone internal should be making the call to release an emergency patch release .402 that fixes this. |
Agreed. Otherwise pointing to some documented steps on how to manually generate the certification and import it using the dotnet CLI would be better than a "wait until the October update train" hand-waive. We don't all have the luxury of not upgrading to Apple's latest OS because we're not all just dotnet developers. |
|
So all the users of the modern Mac OS is blocked from using .net and you just tell to wait for the October release? Guys, it looks like a critical issue and the fix should be deployed in hours, not even days... |
Update: repro app here
Is there an existing issue for this?
Describe the bug
the command
dotnet dev-certs httpsfails with the error:There was an error creating the HTTPS developer certificate.Exception:
What I already tried:
dotnet dev-certs https --cleanNothing changed the behaviour and i still get the same error.
Expected Behavior
the certificate should be created.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
8.0.401
Anything else?
The text was updated successfully, but these errors were encountered: