28

I am getting the net::ERR_CERT_AUTHORITY_INVALID error in ASP.NET Core when I try to request my Web API from an SPA.

The first solution to fix the issue was to go to my ASP.NET Core address in the browser and click Advanced - Proceed to localhost (unsafe); after that, the requests from my SPA would work. But I would have to repeat the procedure each time I start working on my project.


Another solution I found was this. In a nutshell, the solution is to run the command `dotnet dev-certs https --trust`. I am on Windows, so according to the linked article, "On Windows it'll get added to the certificate store."

But after I run the command I am still getting the net::ERR_CERT_AUTHORITY_INVALID issue on requests. What could I do about it?

some1 here
  • 646
  • 1
  • 8
  • 18
  • 3
    After running the command `dotnet dev-certs https --trust`, we need to close and reopen the browser. – CSS Nov 01 '22 at 06:41
  • 2
    @CSS thanks for the tip. I tried everything below and it didn't work until I closed and reopened my browser. – Mark Good Jun 30 '23 at 17:42
  • I ran Edge in Visual Studio, but it would not work until after I closed all instances of Edge on my PC. Then running the app worked. – JayTee Aug 22 '23 at 18:18

7 Answers

18

Do this in order:

  1. `dotnet dev-certs https --clean`
  2. Remove your keys and pem from `AppData\Roaming\ASP.NET\https`
  3. `dotnet dev-certs https --trust`
  4. Run SPA project with `"start": "set HTTPS=true&&react-scripts start"`

If you run your project (point 4) before anything else, the authority is not trusted (done by 3), which results in authority invalid errors.

trixo
  • 544
  • 4
  • 14
17

Running the command `dotnet dev-certs https --trust` will create a self-signed certificate on your device. This certificate will be issued to the localhost domain. In my case, after running it, the certificate was created but it was not added to "Trusted Root Certification Authorities".

certmgr.msc

To add the certificate, you will need to open certmgr.msc (win+r and run certmgr.msc), then go to "Personal" certificates and export the .cer certificate issued to localhost with the correct expiration time.

If you cannot find the certificate there, you can go to the browser and click on the not secure connection icon, then open the invalid certificate, go to the Details tab and click "Copy to File...", which should also create a .cer certificate.

browser certificate

Next, go to "Trusted Root Certification Authorities" and import the certificate there. Once that is done, the certificate will be valid on your local machine. You may need to restart the browser and the service.

Jeremy Caney
  • 7,102
  • 69
  • 48
  • 77
IsaacCampos
  • 171
  • 1
  • 3
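A read-only check for the situation this answer describes, where the development certificate exists under "Personal" but is missing from "Trusted Root Certification Authorities". This is an added example, not part of the original answer; it assumes the certificate sits in the current user's stores with subject CN=localhost and the friendly name "ASP.NET Core HTTPS development certificate".

```powershell
# Read-only diagnostic: lists localhost development certificates in the
# current user's "Personal" store and reports whether each one is also in
# "Trusted Root Certification Authorities". Nothing is modified.
# Assumption: the dev certificate has subject CN=localhost and the friendly
# name below (what `dotnet dev-certs https` is expected to set).
$friendlyName = 'ASP.NET Core HTTPS development certificate'

function Get-DevCertTrustReport {
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq 'CN=localhost' } |
        ForEach-Object {
            # A self-signed certificate is trusted only if the same
            # certificate (same thumbprint) is present in the Root store.
            $inRoot = Test-Path -Path "Cert:\CurrentUser\Root\$($_.Thumbprint)"
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                IsDotnetCert  = ($_.FriendlyName -eq $friendlyName)
                NotAfter      = $_.NotAfter
                Expired       = ($_.NotAfter -lt $now)
                HasPrivateKey = $_.HasPrivateKey
                TrustedRoot   = $inRoot
            }
        }
}

$report = @(Get-DevCertTrustReport)
$report | Format-Table -AutoSize

if ($report.Count -eq 0) {
    Write-Warning 'No CN=localhost certificate found in CurrentUser\My.'
}
elseif ($report.Count -gt 1) {
    Write-Warning 'More than one CN=localhost certificate found; a stale one may be the one served.'
}
foreach ($c in $report) {
    if ($c.Expired) {
        Write-Warning "$($c.Thumbprint) has expired."
    }
    if (-not $c.TrustedRoot) {
        Write-Warning "$($c.Thumbprint) is not in CurrentUser\Root, which matches the ERR_CERT_AUTHORITY_INVALID symptom."
    }
}
```

Browsers read the certificate store at startup, so rerun the check and then restart the browser after any change to the stores.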
9

In my case this worked:

Clean the old certificate and generate a new trusted one. Run the commands listed below:

  1. `dotnet dev-certs https --clean`
  2. `dotnet dev-certs https --trust`

Go to `%APPDATA%\Microsoft\UserSecrets` and delete all of the directories --> this is very important

Re-run the application. It should now run with no SSL errors.

source: https://joeblogs.technology/2021/11/neterr_cert_date_invalid/

Omer
  • 8,194
  • 13
  • 74
  • 92
4

In your application, add a reference to the Microsoft.AspNetCore.Authentication.Certificate NuGet package. Then in the Startup.ConfigureServices method write this:

// At the top of Startup.cs
using Microsoft.AspNetCore.Authentication.Certificate;

public void ConfigureServices(IServiceCollection services)
{
    // Register certificate authentication as the default scheme
    services.AddAuthentication(
        CertificateAuthenticationDefaults.AuthenticationScheme)
        .AddCertificate();

    // All other service configuration
}


Also add `app.UseAuthentication();` in the Startup.Configure method. Otherwise, the HttpContext.User will not be set to ClaimsPrincipal.

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // Populate HttpContext.User from the configured authentication scheme
    app.UseAuthentication();

    // All other app configuration
}

Source: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-3.1

Rohan Rao
  • 2,505
  • 3
  • 19
  • 39
  • @MarkEntingh, the answer is correct. You should check the linked source more carefully if you have any doubts. – some1 here Jan 02 '21 at 18:10
  • It's strange, the app works correctly on two other developer machines. This third one (a fresh install of VS2019) has the problem. When I tried this suggestion on that machine, the result changed from ERR_CERT_AUTHORITY_INVALID to 403 (Forbidden). Perhaps this authentication module interferes with the `AddMicrosoftIdentityWebApiAuthentication` we were already using? – Qwertie Aug 13 '21 at 11:14
  • I found that by reversing the order of the calls — by calling `AddAuthentication` before `AddMicrosoftIdentityWebApiAuthentication` — the error disappears from Chrome, but Firefox shows a new error (`MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT` in Network | Security subtab) – Qwertie Aug 13 '21 at 12:07
1

For Ubuntu, you need some extra steps:

  1. Run `sudo apt-get install libnss3-tools`
  2. Run `ls $HOME/.pki/nssdb` to check if this directory exists.
  3. If not, then run `mkdir $HOME/.pki/nssdb` to create the directory.
  4. Export the certificate with `dotnet dev-certs https` then `sudo -E dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM`
  5. Run the commands `sudo certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost -i /usr/local/share/ca-certificates/aspnet/https.crt` and `sudo certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n localhost -i /usr/local/share/ca-certificates/aspnet/https.crt`

Restart the browser.

More details in this link (for Ubuntu and other Linux distros too).

Alisson Reinaldo Silva
  • 10,009
  • 5
  • 65
  • 83
0

While we all wish that `dotnet dev-certs https --trust` did all these chores, the reality is that Microsoft's tools are not that robust. It only wasted 5 hours in my case!

A lot of clues came from various StackOverflow.com answers including that of @trixo on this very thread.

Stop IIS Express

by right clicking on its tray icon and then click on Exit

On the command prompt issue the following commands

  • `dotnet dev-certs https --clean`
  • `dotnet dev-certs https --trust`

Repair IIS Express

Control Panel > Programs and Features > Locate IIS Express > right click and click on "Repair"

Denny Jacob
  • 375
  • 4
  • 9
-2

I followed these steps and it didn't stop the "Not secure" message appearing in Chrome. So then I tried commenting out the following line, `//app.UseHttpsRedirection();`, in startup.cs in the Configure() method and it fixed the problem.

  • If you comment `app.UseHttpsRedirection()` out, all that does is bypass the issue. It's just telling the application to not redirect to https. For example, if you usually spin up `https://localhost:5001`, commenting this out would spin up `http://localhost:5000`, and yes, you would not get the error anymore as it's no longer using https. Which I guess is fine if you don't need to use https. – Matt Fricker Feb 01 '22 at 12:36
  • 1
    I tried the answer and it didn't work, then I tried this as well and it didn't work. I don't understand why they've got to protect a simple ASP.NET server and Angular project like it is a terrorist attack via the net. – Franco Mar 23 '22 at 19:26