ASP.NET Core developer certificate is not trusted

I’m constructing a dotnet web application using aspnetcore and running into the following error when starting it up.

...
10:52:08 WRN] The ASP.NET Core developer certificate is not trusted. For information about trusting the ASP.NET Core developer certificate, see https://aka.ms/aspnet/https-trust-dev-cert.
...

Unfortunately, the instructions outlined in section “Trust HTTPS certificate on Linux using Edge or Chrome” do not cover NixOS, so I’ve attempted to adapt them, but I’m not having much success.

  1. Install nss tools. Done.
  2. Create or verify the $HOME/.pki/nssdb folder exists on the machine.
$ ll $HOME/.pki/nssdb
total 68
-rw------- 1 jdaly users 28672 May  4 10:44 cert9.db
-rw------- 1 jdaly users 36864 May  4 10:44 key4.db
-rw------- 1 jdaly users   446 May  1 16:44 pkcs11.txt

Looks to contain ‘cert’-like stuff.

  3. Export the certificate with the following command:
dotnet dev-certs https
sudo -E dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM

What’s the proper NixOS export path?

  4. Run the following commands:
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost -i /usr/local/share/ca-certificates/aspnet/https.crt
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n localhost -i /usr/local/share/ca-certificates/aspnet/https.crt

Again, what’s the proper NixOS path?

  5. Exit and restart the browser.

Any help and/or the appropriate nixos-way to set this cert up would be much appreciated. Thx.

Use the security.pki.certificates or security.pki.certificateFiles option.

Hmmm, while I appreciate the tip/suggestion – I really have no idea what or how to employ this setting. Searching around the web and this forum I can see that many others have had similar questions and problems.

Any chance for us novices that someone can spell out the steps and/or point to the documentation that clearly describes this feature?

Thanks.

This took way too long to figure out:

  • go to your dotnet project
  • run dotnet dev-certs https --format PEM -ep server.crt (note: the name does not matter)
  • cat that out and copy it to your clipboard: cat server.crt, or pipe to clip
  • in your nixos config:
      security.pki.certificates = [
        ''
          -----BEGIN CERTIFICATE-----
          paste here
          -----END CERTIFICATE-----
        ''
      ];

Do a sudo nixos-rebuild switch (might need to reboot). On your next dotnet run you will still see the warning saying your cert is not trusted; this can be ignored.
Note: this is only for service to service. For Chrome or anything like that you will need to deal with this differently; I strongly recommend doing chromium --allow-insecure-localhost localhostURL to deal with that.

So why does this one work and not the other one?
Well, this comment seems to mention how certificateFiles requires a Certificate Authority (CA), but these dev certs do not have them, so somehow, some way, self-signed certs work with this config option and not the other (check the comment, there might be an explanation there).

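A check to run after nixos-rebuild switch, confirming that the exported dev certificate actually reached the system trust bundle (an added example, not part of the original posts). The bundle path /etc/ssl/certs/ca-certificates.crt and all function names are assumptions; constructed_pem builds placeholder blocks for testing, not real certificates.

```python
import base64
import hashlib
import re
import ssl
import sys

# Assumed location of the system trust bundle that NixOS regenerates on rebuild.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate block in pem_text."""
    found = set()
    for block in PEM_BLOCK.findall(pem_text):
        # Strip indentation and CRLFs so a block pasted into a Nix string
        # decodes to the same DER bytes as the exported file.
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        der = ssl.PEM_cert_to_DER_cert("\n".join(lines))
        found.add(hashlib.sha256(der).hexdigest())
    return found


def bundle_trusts(bundle_pem, cert_pem):
    """True if every certificate in cert_pem also appears in bundle_pem."""
    wanted = fingerprints(cert_pem)
    if not wanted:
        raise ValueError("no certificate block found in cert_pem")
    return wanted <= fingerprints(bundle_pem)


def constructed_pem(label):
    """Build a PEM-shaped block around placeholder bytes (constructed, not a real certificate)."""
    body = base64.b64encode(label.encode() * 8).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: pass the path of the exported certificate, e.g. server.crt
    with open(sys.argv[1]) as cert, open(SYSTEM_BUNDLE) as bundle:
        ok = bundle_trusts(bundle.read(), cert.read())
    print("in system bundle" if ok else "NOT in system bundle")
    sys.exit(0 if ok else 1)
```

Comparing decoded fingerprints rather than text means the check still passes when the pasted block picked up indentation or different line endings on its way through the Nix config.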