From b5c6f45089fda9a3fce0e7af790b757fc1e1f370 Mon Sep 17 00:00:00 2001 From: Sly Gryphon Date: Fri, 5 Nov 2021 02:07:15 +1000 Subject: [PATCH] Feature/https linux updates (#23379) * Mention using sudo -E to get admin permissions but still reference the current user environment * Shell command to directly create the JSON file needed for Firefox * Add some troubleshooting details for Linux, where to find the current user default certificate, and how to check it against the thumbprint of the exported certificate. * Update aspnetcore/security/enforcing-ssl.md Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> * Update aspnetcore/security/enforcing-ssl.md Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> * Update aspnetcore/security/enforcing-ssl.md Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> * Update aspnetcore/security/enforcing-ssl.md Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> * Update aspnetcore/security/enforcing-ssl.md Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> --- aspnetcore/security/enforcing-ssl.md | 80 +++++++++++++++++++++------- 1 file changed, 60 insertions(+), 20 deletions(-) diff --git a/aspnetcore/security/enforcing-ssl.md b/aspnetcore/security/enforcing-ssl.md index 3e9e60308e..041f1c7dae 100644 --- a/aspnetcore/security/enforcing-ssl.md +++ b/aspnetcore/security/enforcing-ssl.md 
@@ -396,24 +396,32 @@ For more information, see [Setting Up Certificate Authorities (CAs) in Firefox]( See [this GitHub issue](https://github.com/dotnet/AspNetCore.Docs/issues/6199). -## Ubuntu trust the certificate for service-to-service communication +## Trust HTTPS certificate on Linux + +Establishing trust is distribution and browser specific. The following sections provide instructions for some popular distributions and the Chromium browsers (Edge and Chrome) and for Firefox. + +### Ubuntu trust the certificate for service-to-service communication 1. Install [OpenSSL](https://www.openssl.org/) 1.1.1h or later. See your distribution for instructions on how to update OpenSSL. 1. Run the following commands: ```cli - sudo dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM + dotnet dev-certs https + sudo -E dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM sudo update-ca-certificates ``` +The preceding commands: + +* Ensure the current user's developer certificate is created. +* Exports the certificate with elevated permissions needed for the `ca-certificates` folder, using the current user's environment. +* Removing the `-E` flag exports the root user certificate, generating it if necessary. Each newly generated certificate has a different thumbprint. When running as root, `sudo` and `-E` are not needed. + + The path in the preceding command is specific for Ubuntu. For other distributions, select an appropriate path or use the path for the Certificate Authorities (CAs). -## Trust HTTPS certificate on Linux - -Establishing trust is browser specific. The following sections provide instructions for the Chromium browsers Edge and Chrome and for Firefox. - ### Trust HTTPS certificate on Linux using Edge or Chrome For chromium browsers on Linux: 
@@ -423,10 +431,11 @@ For chromium browsers on Linux: * Export the certificate with the following command: ```cli - dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM + dotnet dev-certs https + sudo -E dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM ``` - The path in the preceding command is specific for Ubuntu. For other distributions, select an appropriate path or use the path for the Certificate Authorities (CAs). **You may need elevated permissions to export the certificate to the `ca-certificates` folder.** + The path in the preceding command is specific for Ubuntu. For other distributions, select an appropriate path or use the path for the Certificate Authorities (CAs). * Run the following commands: @@ -444,24 +453,27 @@ For chromium browsers on Linux: * Export the certificate with the following command: ```vstscli - dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM + dotnet dev-certs https + sudo -E dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM ``` The path in the preceding command is specific for Ubuntu. For other distributions, select an appropriate path or use the path for the Certificate Authorities (CAs). * Create a JSON file at `/usr/lib/firefox/distribution/policies.json` with the following contents: - ```json - { - "policies": { - "Certificates": { - "Install": [ - "/usr/local/share/ca-certificates/aspnet/https.crt" - ] - } - } - } - ``` +```sh +cat <
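Review bot: In the first hunk (@@ -396,24 +396,32 @@), the new "The preceding commands:" list is not parallel, and its third bullet is not something the commands do. The first bullet starts with "Ensure" and the second with "Exports", while the third ("Removing the `-E` flag exports the root user certificate, generating it if necessary.") describes what happens when the flag is left out. Suggest making the first two bullets agree ("Ensure ...", "Export ...") and moving the `-E` explanation, together with the sentence that each newly generated certificate has a different thumbprint, into a paragraph after the list. The hunk also adds two consecutive blank lines before "The path in the preceding command is specific for Ubuntu."; one is enough.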
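Review bot: In the Edge or Chrome hunk (@@ -423,10 +431,11 @@), the export step gains `dotnet dev-certs https` followed by `sudo -E dotnet dev-certs https -ep ...` and loses the sentence "You may need elevated permissions to export the certificate to the `ca-certificates` folder.", but nothing in this section explains why the certificate is created first or what `-E` is for. That explanation is added only under the Ubuntu service-to-service heading, so a reader who starts at the browser section gets the commands without the rationale. Suggest repeating the short explanation here or linking back to the list added in the first hunk.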
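Review bot: In the Firefox hunk (@@ -444,24 +453,27 @@), the unchanged step text still reads "Create a JSON file at `/usr/lib/firefox/distribution/policies.json` with the following contents:" while the block under it changes from a `json` listing to an `sh` command, so the lead-in no longer matches what follows. Suggest rewording it to say that the command creates the file, and, since the commit message describes the command as directly creating the file, stating whether an existing `policies.json` is replaced. The added "```sh" fence also appears without the list-item indentation that the removed "```json" block had, which would end the bullet in the rendered page; indent the new block to match the export block above it.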