12

I only created a .NET Core web application from the VS 2017 template dialog with "Configure for HTTPS" on.

I used

dotnet dev-certs https --trust

and confirmed the prompt. I checked with the MMC that the localhost certificate exists in CurrentUser/My.

When I now run the application, Firefox only shows me (I don't know the exact English translation):

There was an error connecting to https://localhost:44371 PR_CONNECT_RESET_ERROR

Chrome also shows the following error:

ERR_CONNECTION_RESET

I also disabled Windows Firewall but the result was the same.

When I uncheck Enable SSL in the project debug properties, the site displays nicely but without HTTPS.

Does anyone know what could be wrong, or where on GitHub I could find the code that looks up the certificate?


Update 1:

I switched from starting the application from Visual Studio (2017) with IIS Express to Kestrel, which brought up the console window and told me something more:

info: Microsoft.AspNetCore.Server.Kestrel[20]
      Connection id "0HLOLGRVN8U0U" request processing ended abnormally.
System.IO.IOException: The decryption operation failed, see inner exception. ---> System.ComponentModel.Win32Exception: Beim Verarbeiten des Zertifikats ist ein unbekannter Fehler aufgetreten
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStreamInternal.ReadAsyncInternal[TReadAdapter](TReadAdapter adapter, Memory`1 buffer)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Adapter.Internal.AdaptedPipeline.ReadInputAsync(Stream stream)
   at System.IO.Pipelines.PipeCompletion.ThrowLatchedException()
   at System.IO.Pipelines.Pipe.GetReadResult(ReadResult& result)
   at System.IO.Pipelines.Pipe.GetReadAsyncResult()
   at System.IO.Pipelines.Pipe.DefaultPipeReader.GetResult(Int16 token)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)

System.ComponentModel.Win32Exception: Beim Verarbeiten des Zertifikats ist ein unbekannter Fehler aufgetreten

translates to

System.ComponentModel.Win32Exception: An unknown error occurred while processing the certificate

Under Kestrel, Firefox at least brings up the page where I can trust the self-signed certificate, and the page gets displayed (but now on different ports: 5001 for HTTPS and 5000 for HTTP). Chrome does not ask to trust the certificate and just keeps working as expected.

Seems to be a problem with the certificate and/or IIS Express for me.


Found that one though this is kind of a different problem.

monty
  • I don't think you even need to run the dotnet dev-certs thing. It should just work out of the box. I've never run that and always use HTTPS. – Jazb Jul 31 '19 at 06:52
  • Yes, the dev-certs command is just in case one doesn't have a localhost SSL certificate. Since I deleted them all (because I am experimenting with certificates), I needed to ensure I have one. – monty Jul 31 '19 at 07:08
  • When you host the site on IIS Express, SSL Diag can reveal typical issues https://docs.jexusmanager.com/tutorials/ssl-diagnostics.html When you host it on Kestrel directly, very likely you need to debug into Kestrel to learn what's wrong. – Lex Li Jul 31 '19 at 13:28
  • Did you find any solution? I have the same problem. – user3172616 Mar 02 '20 at 10:36

3 Answers

4

Two more cases.

First. I tried all the troubleshooting recommendations from Microsoft and nothing helped. Then I repaired the IIS Express program, and it fixed this problem.

Second. If you have Kaspersky antivirus, it may not trust self-signed certificates and may block HTTPS connections to localhost. You have to make the localhost domain ignored in the settings on the «Settings > Advanced > Network» tab.

user3172616
  • This is actually listed on the docs: https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-3.1&tabs=visual-studio#troubleshoot-certificate-problems – elfico May 03 '20 at 01:26
1

In Firefox's about:config have you included port 44371 in the network.security.ports.banned.override setting?

Search for network.security.ports.banned.override. If it doesn't exist, create it with New > String, and define the value as a list of comma-delimited port numbers, e.g.: 80,443,44371.

REF: network.security.ports.banned.override

=== Edit ===

Also in Firefox's about:config are the min/max TLS version options. These can limit how Firefox connects to https:// web sites when they're not serving up an "acceptable" version:

  • security.tls.version.max
    • Default: 3 (up to Firefox version 60)
    • Default: 4 (Firefox version 61 and later).
  • security.tls.version.min
    • Default: 1.

Where:

  • 1 = TLS 1.0
  • 2 = TLS 1.1
  • 3 = TLS 1.2
  • 4 = TLS 1.3 (new in Firefox 61)

REF: security.tls.version.*

You can test which versions of SSL/TLS IIS and IIS Express are capable of serving up by using the OpenSSL command line tool and requiring it to use a single TLS version, e.g.:

  • TLS 1.0: openssl s_client -debug -host 127.0.0.1 -port 44371 -tls1
  • TLS 1.1: openssl s_client -debug -host 127.0.0.1 -port 44371 -tls1_1
  • TLS 1.2: openssl s_client -debug -host 127.0.0.1 -port 44371 -tls1_2
AlwaysLearning
  • Defined the values, closed and reopened Firefox to ensure the values are stored, but it didn't change/fix it. – monty Jul 31 '19 at 07:23
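
The per-version check described in the answer above, written as a Python probe; this is an added example and not part of the original answer. It pins one handshake to each TLS version, separates "nothing listening" from "TCP connects but the handshake is reset", and compares the accepted versions with Firefox's `security.tls.version.min`/`max` range. The function names and state labels are assumptions of this example; the port is the one from the question.

```python
import socket
import ssl
import warnings

# Firefox security.tls.version.* values (from the answer above) -> protocol
FIREFOX_LEVELS = {1: ssl.TLSVersion.TLSv1, 2: ssl.TLSVersion.TLSv1_1,
                  3: ssl.TLSVersion.TLSv1_2, 4: ssl.TLSVersion.TLSv1_3}

def probe(host, port, version, timeout=3.0):
    """Attempt one handshake pinned to `version`; return (state, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # the dev cert is self-signed; only the
    ctx.verify_mode = ssl.CERT_NONE  # protocol version is under test here
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ctx.maximum_version = version
    except ValueError as exc:        # local OpenSSL built without this version
        return "client-unsupported", type(exc).__name__
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:           # refused or timed out at the TCP level
        return "tcp-failed", type(exc).__name__
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except OSError as exc:           # ssl.SSLError and resets are OSError
        return "handshake-failed", type(exc).__name__
    finally:
        sock.close()

def survey(host, port):
    """Probe every TLS version Firefox can be configured for."""
    return {lvl: probe(host, port, v) for lvl, v in FIREFOX_LEVELS.items()}

def diagnose(results, ff_min=1, ff_max=4):
    """Relate probe results to Firefox's security.tls.version.min/max."""
    states = {state for state, _ in results.values()}
    if states <= {"tcp-failed", "client-unsupported"}:
        return "nothing is listening on that port"
    accepted = [lvl for lvl, (state, _) in results.items() if state == "ok"]
    if not accepted:
        return "TCP connects but no TLS version completes"
    if any(ff_min <= lvl <= ff_max for lvl in accepted):
        return "Firefox's version range overlaps the server's"
    return "server only accepts versions outside Firefox's configured range"

if __name__ == "__main__":
    res = survey("127.0.0.1", 44371)   # port taken from the question
    print(res, diagnose(res), sep="\n")
```

A local OpenSSL policy that forbids TLS 1.0/1.1 also shows up as `handshake-failed` for those two versions, so read the TLS 1.2 and 1.3 rows first.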
1

I tried the solution of recreating the development certificates from @shirhatti (https://github.com/dotnet/aspnetcore/issues/26437#issuecomment-723334864), and it solved this issue for me.

Andrii