Feature/https linux updates (#23379)

* Mention using sudo -E to get admin permissions but still reference the current user environment * Shell command to directly create the JSON file needed for Firefox * Add some troubleshooting details for Linux, where to find the current user default certificate, and how to check it against the thumbprint of the exported certificate. * Update aspnetcore/security/enforcing-ssl.md Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> * Update aspnetcore/security/enforcing-ssl.md Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> * Update aspnetcore/security/enforcing-ssl.md Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> * Update aspnetcore/security/enforcing-ssl.md Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> * Update aspnetcore/security/enforcing-ssl.md Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com>
2021-11-05 02:07:15 +10:00 · 2021-11-05 02:07:15 +10:00 · b5c6f45089
parent 6906e66339
commit b5c6f45089
1 changed files with 60 additions and 20 deletions
--- a/aspnetcore/security/enforcing-ssl.md
+++ b/aspnetcore/security/enforcing-ssl.md
@ -396,24 +396,32 @@ For more information, see [Setting Up Certificate Authorities (CAs) in Firefox](
 See [this GitHub issue](https://github.com/dotnet/AspNetCore.Docs/issues/6199).
-## Ubuntu trust the certificate for service-to-service communication
+## Trust HTTPS certificate on Linux
 Establishing trust is distribution and browser specific. The following sections provide instructions for some popular distributions and the Chromium browsers (Edge and Chrome) and for Firefox.
 ### Ubuntu trust the certificate for service-to-service communication
 1. Install [OpenSSL](https://www.openssl.org/) 1.1.1h or later. See your distribution for instructions on how to update OpenSSL.
 1. Run the following commands:
    ```cli
-    sudo dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM
+    dotnet dev-certs https
    sudo -E dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM
    sudo update-ca-certificates
    ```
 The preceding commands:
 * Ensure the current user's developer certificate is created.
 * Exports the certificate with elevated permissions needed for the `ca-certificates` folder, using the current user's environment.
 * Removing the `-E`  flag exports the root user certificate, generating it if necessary. Each newly generated certificate has a different thumbprint. When running as root, `sudo`  and  `-E` are not needed.
 The path in the preceding command is specific for Ubuntu. For other distributions, select an appropriate path or use the path for the Certificate Authorities (CAs).
 <a name="ssl-linux"></a>
 ## Trust HTTPS certificate on Linux
 Establishing trust is browser specific. The following sections provide instructions for the Chromium browsers Edge and Chrome and for Firefox.
 ### Trust HTTPS certificate on Linux using Edge or Chrome
 For chromium browsers on Linux:
@ -423,10 +431,11 @@ For chromium browsers on Linux:
  * Export the certificate with the following command:
    ```cli
-    dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM
+    dotnet dev-certs https
    sudo -E dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM
    ```
-    The path in the preceding command is specific for Ubuntu. For other distributions, select an appropriate path or use the path for the Certificate Authorities (CAs). **You may need elevated permissions to export the certificate to the `ca-certificates` folder.**
+    The path in the preceding command is specific for Ubuntu. For other distributions, select an appropriate path or use the path for the Certificate Authorities (CAs).
  * Run the following commands:
@ -444,24 +453,27 @@ For chromium browsers on Linux:
 * Export the certificate with the following command:
  ```vstscli
-  dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM
+  dotnet dev-certs https
  sudo -E dotnet dev-certs https -ep /usr/local/share/ca-certificates/aspnet/https.crt --format PEM
  ```
  The path in the preceding command is specific for Ubuntu. For other distributions, select an appropriate path or use the path for the Certificate Authorities (CAs).
 * Create a JSON file at `/usr/lib/firefox/distribution/policies.json` with the following contents:
-  ```json
+```sh
-  {
+cat <<EOF | sudo tee /usr/lib/firefox/distribution/policies.json
-      "policies": {
+{
-          "Certificates": {
+    "policies": {
-              "Install": [
+        "Certificates": {
-                  "/usr/local/share/ca-certificates/aspnet/https.crt"
+            "Install": [
-              ]
+                "/usr/local/share/ca-certificates/aspnet/https.crt"
-          }
+            ]
-      }
+        }
-  }
+    }
-  ```
+}
 EOF
 ```
 See [Configure trust of HTTPS certificate using Firefox browser](#trust-ff-ba) in this document for an alternative way to configure the policy file using the browser.
@ -554,6 +566,34 @@ Close any browser instances open. Open a new browser window to app.
 See [HTTPS Error using IIS Express (dotnet/AspNetCore #16892)](https://github.com/dotnet/AspNetCore/issues/16892) for troubleshooting certificate issues with Visual Studio.
 ### Linux certificate not trusted
 Check that the certificate being configured for trust is the user HTTPS developer certificate that will be used by the Kestrel server.
 Check the current user default HTTPS developer Kestrel certificate at the following location:
 ```
 ls -la ~/.dotnet/corefx/cryptography/x509stores/my
 ```
 The HTTPS developer Kestrel certificate file is the SHA1 thumbprint. When the file is deleted via `dotnet dev-certs https --clean`, it's regenerated when needed with a different thumbprint.
 Check the thumbprint of the exported certificate matches with the following command:
 ```
 openssl x509 -noout -fingerprint -sha1 -inform pem -in /usr/local/share/ca-certificates/aspnet/https.crt
 ```
 If the certificate doesn't match, it could be one of the following:
 * An old certificate.
 * An exported a developer certificate for the root user. For this case, export the  certificate.
 The root user certificate can be checked at:
 ```
 ls -la /root/.dotnet/corefx/cryptography/x509stores/my
 ```
 ### IIS Express SSL certificate used with Visual Studio
 To fix problems with the IIS Express certificate, select **Repair** from the Visual Studio installer. For more information, see [this GitHub issue](https://github.com/dotnet/aspnetcore/issues/16892).