2

I created a REST API project and I'm trying to access the HTTPS endpoint using curl like this:

$ dotnet new angular

$ curl -I -X GET 'https://localhost:5001/api/SampleData/WeatherForecasts'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I googled around and these are the steps I took to extract the certificate from dotnet and add it to my repository of trusted CA certificates:

This is what I tried to do to add the certificate


# export netcore development certificate
$ dotnet dev-certs https -ep ~/tmp/localhost.pfx -p somepassword

# convert it to crt
$ openssl pkcs12 -in ~/tmp/localhost.pfx -clcerts -nokeys -out ~/tmp/localhost.crt

# copy to a folder in /usr/local/share/ca-certificates/ 
$ cd /usr/local/share/ca-certificates/
$ sudo mkdir dotnet_devel
$ sudo chmod -R 755 dotnet_devel
$ mkdir dotnet_devel
$ cd dotnet_devel
$ sudo cp ~/tmp/localhost.crt .
$ sudo chmod -R 644 localhost.crt

# update CA trusted certificates repository
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:localhost.pem
done.
done.

I also tried setting the CURL_CA_BUNDLE env var like this:

$ export CURL_CA_BUNDLE=/usr/local/share/ca-certificates/dotnet_devel/localhost.crt

I keep getting the same curl error; moreover, Firefox and Chrome tell me the connection is not secure.

Additional info:

$ dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   2.2.203
 Commit:    e5bab63eca

Runtime Environment:
 OS Name:     ubuntu
 OS Version:  18.04
 OS Platform: Linux
 RID:         ubuntu.18.04-x64

$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

References:

https://askubuntu.com/questions/645818/how-to-install-certificates-for-command-line/649463#649463

https://github.com/aspnet/AspNetCore/issues/7246#issue-406461992

https://curl.haxx.se/docs/sslcerts.html

opensas

1 Answer

0

You don't show the output of openssl validate localhost.crt but I think you might be affected by this issue: https://github.com/openssl/openssl/issues/1418. I have worked around the issue by manually creating a cert instead: https://stackoverflow.com/a/59702094/3167480.

chrisvdb
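
A diagnostic for the situation in this thread, as an added example that is not part of the question or the answer: it reports whether a certificate is self-signed, whether it carries the CA flag and the certificate-signing key usage, and whether OpenSSL accepts it as its own trust anchor. All function names are hypothetical, and the sample certificates are constructed with assumed extension values, not read from the dotnet development certificate.

```bash
# Added diagnostic, not from the original post; all function names are hypothetical.
# Usage on the exported file from the question: inspect_cert ~/tmp/localhost.crt

# "yes" when subject and issuer names hash to the same value (self-signed).
cert_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# "yes" when basicConstraints marks the certificate as a CA.
cert_is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# "yes" when keyUsage includes Certificate Sign (keyCertSign).
cert_can_sign() {
    if openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'; then echo yes; else echo no; fi
}

# "ok" when OpenSSL accepts the certificate with itself as the trust anchor.
cert_verifies_as_own_anchor() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo ok; else echo rejected; fi
}

inspect_cert() {
    echo "self-signed:          $(cert_self_signed "$1")"
    echo "CA flag:              $(cert_is_ca "$1")"
    echo "can sign certs:       $(cert_can_sign "$1")"
    echo "verifies as anchor:   $(cert_verifies_as_own_anchor "$1")"
}

# Constructed sample input: self-signed localhost certificate in directory $1,
# using extension section $2 ("leaf" or "ca"). The extension values are assumptions.
make_sample_cert() {
    cat > "$1/$2.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = localhost
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,digitalSignature
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -extensions "$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
```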