J

5

22

I just started working on a .NET project again that I hadn't touched in about a month, and suddenly in my localhost environment I'm getting ERR_CERT_AUTHORITY_INVALID errors when I try starting my application. I used dotnet dev-certs commands to regenerate the localhost certificate, but what's weird is it looks like Chrome is sourcing this localhost certificate from elsewhere. In the Developer Tools pane, I see this (notice the Validity Period):

I don't know why it shows that invalid Validity Period because I just generated a new localhost cert tonight, and I've blown away Chrome's SSL cache numerous times tonight. The following certificate appears in both the Personal > Certificates and Trusted Root Certification Authorities sections of certmgr.

Could someone please help me understand why Chrome thinks my localhost cert is from an invalid authority and how I can correct this issue? The last valid version came from the exact same place (although I think something else might have generated it because I don't recall using dotnet dev-certs CLI commands to create the original cert).

Jer answered 3/10, 2022 at 6:18 Comment(5)

Why do you think it's from valid authority? It appears to be a self-signed certificate. – Popular 3/10, 2022 at 11:17

Because Chrome wasn't complaining about this a month ago, so I don't know what changed. I only understand SSL at a high-level. Judging by the first screenshot, Chrome is trying to use a certificate that's no longer valid, but I don't know where the heck it's getting that from since I've cleared the SSL state and I've regenerated the localhost cert via dotnet dev-certs. – Jer 3/10, 2022 at 15:29

I don't know what happened before on your system so I don't what the certificate looked like before, but even if you had previously used a self-signed certificate and added it manually to the list of trusted certificates, generating a new one would require to repeat that process all over again. Just because previous certificate with name localhostwas trusted doesn't mean a different certificate with the same domain name will be trusted. Otherwise a MiTM attacker could just create their own certificate with domain localhost and get access to your TLS traffic. – Popular 3/10, 2022 at 17:19

I've gotten an idea from this: ryadel.com/en/… -- When looking last night, I do recall initially that there were at least 5 certificates for localhost; all of them expired. Perhaps it's possible I haven't found all of them, and thus Chrome is getting a certificate where I'm not expecting; hence the Expires On date in the first image. I'm gonna try looking for all localhost certs tonight. – Jer 3/10, 2022 at 18:36

Well I tried the suggestion on that article and now I'm getting an ERR_CONNECTION_RESET error when I try booting the site. This is progress I suppose. It looks like the main thing was that after deleting the old certs, I needed to clear SSL state, THEN generate a new self-signed cert. However I need to figure out this ERR_CONNECTION_RESET error now. – Jer 4/10, 2022 at 0:48

J

8

Well this is incredibly stupid. After wasting hours last night and an hour or two tonight of trying fixes I found in blogs and whatnot, an answer on a similar StackOverflow question stated I should attempt repairing my Visual Studio install. Sure enough, doing that resolved the issue.

After I repaired my Visual Studio install and loading up my project I was having HTTPS issues with, I got a dialog box from VS2022 like the one below (snipped from bing.com/images since I dismissed my dialog while trying to fix this) and I selected "Yes".

This added a new certificate but strangely it only added it to the Trusted Root Certification Authorities in certmgr and not to Personal, whereas the one I generated from dotnet dev-certs CLI commands created two; one in Trusted Root Certification Authorities and the other in Personal. The below screenshot shows both certificates; "IIS Express Development Certificate" is the one that resolved the issue and the one that was created by repairing VS2022.

I don't know why VS2022 didn't prompt me to renew the certificate after it was expired. On the bright side, assuming this never gets addressed in a future iteration of Visual Studio, after going through this experience I'm sure that by 10/3/2027 that I'll remember everything that transpired here today and that I must repair my installation of VS20XX if I want to avoid wasting hours of my time due to a localhost SSL certificate expiration.

Jer answered 4/10, 2022 at 2:13 Comment(1)

Repairing the installation, including saying yes to trusting the new development certificate generated in the process, did not fix this for me. – Zymogenesis 1/12, 2022 at 23:13

R

29

After I have spent lot of times of searching the solutions, finally I am able to solve it by following the steps below. Hopefully, this will save your days.

open dev tools in chrome, go to Security tab and click on the View certificate.
go to Details tab and click Copy to File...
then Certificate Export Wizard windows will pop up and click the Next button to continue.
remain DER encoding options, click Next and choose Browse, save it and name the certificate as localhost.cer. You should see your saved certificate on your saved path chosen just now.
open chrome://settings/ by copy this in the browser url box.
choose Privacy and security in the side menu > Security > Advanced > Managed Certificates
Certificates window will pop up as below. Choose Trusted Root Certificate Authorities tab and click Import...
import the localhost certificate which saved to chosen path just now at steps 4.
click browse to import the locahost.cer and click Yes to finish the import certificate process.
Close everything and restart your chrome browser. Remember to rebuild and rerun your project if you running the project using dotnet run command prompt for the changes to take effect in the browser. Now you should be able to access any localhost website urls with secure tag.

Rugging answered 13/2, 2023 at 14:58 Comment(0)

J

8

Well this is incredibly stupid. After wasting hours last night and an hour or two tonight of trying fixes I found in blogs and whatnot, an answer on a similar StackOverflow question stated I should attempt repairing my Visual Studio install. Sure enough, doing that resolved the issue.

After I repaired my Visual Studio install and loading up my project I was having HTTPS issues with, I got a dialog box from VS2022 like the one below (snipped from bing.com/images since I dismissed my dialog while trying to fix this) and I selected "Yes".

This added a new certificate but strangely it only added it to the Trusted Root Certification Authorities in certmgr and not to Personal, whereas the one I generated from dotnet dev-certs CLI commands created two; one in Trusted Root Certification Authorities and the other in Personal. The below screenshot shows both certificates; "IIS Express Development Certificate" is the one that resolved the issue and the one that was created by repairing VS2022.

I don't know why VS2022 didn't prompt me to renew the certificate after it was expired. On the bright side, assuming this never gets addressed in a future iteration of Visual Studio, after going through this experience I'm sure that by 10/3/2027 that I'll remember everything that transpired here today and that I must repair my installation of VS20XX if I want to avoid wasting hours of my time due to a localhost SSL certificate expiration.

Jer answered 4/10, 2022 at 2:13 Comment(1)

Repairing the installation, including saying yes to trusting the new development certificate generated in the process, did not fix this for me. – Zymogenesis 1/12, 2022 at 23:13

C

8

This is what I did and it worked for me. At Powershell for VS 2022 command prompt run:

>dotnet dev-certs https --clean
>dotnet dev-certs https --trust

Then click Yes to the prompt.

Claypool answered 11/2, 2024 at 22:36 Comment(0)

C

1

For me the certificate issue was happening ONLY for one project. After different permutation and combination, I found the issue was due to one value in project secret. The following value was found additionally inserted in the project secret.json

{
  "Kestrel:Certificates:Development:Password": "d24802d4-8528-4599-8086-9895359360f8"
}

Remove the above entry from project secret

Issue is not in the password value rather the entry itself is the culprit. Hope this save someone's day.

Clathrate answered 1/2, 2024 at 10:29 Comment(0)

F

1

I just had this one today, and it didn't go away when I cleaned out my dev certificates and trusted a new one, per David Aleu's answer.

Then I tried my localhost site in Edge and there was no problem.

Turned out Chrome needed an update. When I clicked the button to get the latest Chrome things started working normally again.

Fabrianna answered 11/4, 2024 at 15:49 Comment(0)

Remove the above entry from project secret

Recommended topics

Hot tags