[✨ Triage] dotnet/runtime#121086 by drauch - Ubuntu 24.04 HttpClient doesn't recognize Dev Cert #1594

@MihuBot

Description

Triage for dotnet/runtime#121086.
Repo filter: All networking issues.
MihuBot version: 87d9df.
Ping MihaZupan for any issues.

This is a test triage report generated by AI, aimed at helping the triage team quickly identify past issues/PRs that may be related.
Take any conclusions with a large grain of salt.

Tool logs
dotnet/runtime#121086: Ubuntu 24.04 HttpClient doesn't recognize Dev Cert by drauch
[Tool] Searching for HttpClient certificate UntrustedRoot Ubuntu, dotnet dev-certs https Ubuntu, HttpClient SSL certificate chain errors, Ubuntu 24.04 HttpClient certificate trust, dotnet dev-certs https --trust not working (IncludeOpen=True, IncludeClosed=True, IncludeIssues=True, IncludePullRequests=False, Repository=dotnet/runtime)
[Tool] Found 74 issues, 355 comments, 40 returned results (10976 ms)

Here are the most relevant related issues and discussions for issue #121086 ("Ubuntu 24.04 HttpClient doesn't recognize Dev Cert"):

1. Issue #3505 (January 2020) - "What is the equivalent of the Trusted Root Certification Authority on Linux"

  • Summary: This issue discusses how to trust a self-signed certificate for use with HttpClient on Linux (specifically Ubuntu 18.04). The main advice is to copy the certificate (in PEM format, with a .crt extension) to /usr/local/share/ca-certificates and then run update-ca-certificates. This should make the certificate trusted by the system and, by extension, by .NET's HttpClient. However, several users report that even after following these steps, .NET may still not trust the certificate, while other tools (curl, browsers) do.
  • Key points:
    • .NET on Linux relies on the system's CA store, but also enforces stricter checks (e.g., EKU for server authentication).
    • The certificate must be valid for TLS server usage.
    • If issues persist, check for hostname mismatches or missing EKU.
    • There are edge cases where .NET's stricter validation causes failures even when other tools succeed.

2. Issue #30242 (July 2019) - "DangerousAcceptAnyServerCertificateValidator delegated not working on Ubuntu 18.04"

  • Summary: This issue discusses problems with self-signed certificates and custom validation callbacks on Ubuntu. The root cause is often that Linux (OpenSSL) requires additional X509v3 fields (like "Cert signing" in KeyUsage) for self-signed certs, which Windows does not require. Installing the root certificate in /usr/local/share/ca-certificates and running update-ca-certificates typically resolves the issue.
  • Key points:
    • Certificates generated on Windows may lack fields required by OpenSSL.
    • Installing the root CA in the system store is necessary for trust.
    • The error "The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot" is common if the root CA is not trusted.

3. Issue #38730 (July 2020) - "AuthenticationException on some Linux distros and root cert setups starting 3.0"

  • Summary: This issue documents a breaking change in .NET Core 3.0+ regarding how root certificates are loaded and trusted on Linux. Some distros (e.g., SLES) store root certs in formats or locations that .NET does not recognize, causing trust failures in .NET even when other tools work.
  • Key points:
    • .NET Core 3.0+ changed how it loads root CAs, which can cause trust issues.
    • The workaround is to ensure the root CA is in a location and format .NET expects (e.g., in /etc/ssl/certs as a PEM file with a BEGIN CERTIFICATE header).
    • .NET may not trust certs in "BEGIN TRUSTED CERTIFICATE" format.

4. Issue #28914 (March 2019) - "SSL Certificate validation error on Yocto"

  • Summary: This issue discusses a scenario where .NET fails to build a certificate chain unless SSL_CERT_FILE is set to point to the correct CA bundle. The default system configuration may not be compatible with .NET's expectations.
  • Key points:
    • Setting SSL_CERT_FILE to the correct CA bundle can resolve trust issues.
    • .NET's behavior may differ from other tools due to how it locates and parses CA certificates.

5. Issue #26102 (May 2018) - "Trusted People certificate store behavior change with .NET core 2.1 (no longer allows untrusted roots)"

  • Summary: Discusses changes in .NET Core 2.1+ regarding how trusted roots are handled, especially on Windows, but also touches on differences in trust behavior between platforms.

6. Issue #29653 (May 2019) - "HttpClient with client certificate fails with OpenSslCryptographicException on Linux"

  • Summary: This issue discusses problems with client certificates and incomplete certificate chains on Linux. The main takeaway is that .NET on Linux may not send the full chain unless all intermediates are installed in the system CA store.

7. Issue #25092 (February 2018) - "Using Trusted Root Certification Authorities for server certificate validation in HttpClient"

  • Summary: Discusses the process of trusting a self-signed certificate in Windows and the importance of using the correct certificate store and ensuring the certificate is valid for the intended usage.

8. Issue #81456 (February 2023) - "Incomplete chain of mutual TLS client cert downloaded twice per http call when run as non-root linux user"

  • Summary: This issue is about .NET's behavior with client certificates and intermediate CA caching, but also contains discussion about CA trust and storage on Linux, including permissions issues with the user CA store.

Key Takeaways and Recommendations

  • For .NET on Ubuntu (and Linux in general):

    • The developer certificate (or its root CA) must be installed in /usr/local/share/ca-certificates (or /etc/ssl/certs), and sudo update-ca-certificates must be run.
    • The certificate must be valid for server authentication (check EKU).
    • If using a self-signed certificate, ensure it has the correct KeyUsage and ExtendedKeyUsage fields.
    • .NET may enforce stricter validation than browsers or curl.
    • If the certificate is still not trusted, check for hostname mismatches and inspect the full certificate chain.
    • Setting SSL_CERT_FILE to the correct CA bundle may help in some environments.
  • Common pitfalls:

    • Copying the certificate to the CA directory but not running update-ca-certificates.
    • Using a certificate without the correct EKU for server authentication.
    • Expecting .NET to trust a certificate just because browsers or curl do.
  • Workarounds:

    • Use a custom HttpClientHandler.ServerCertificateCustomValidationCallback to bypass validation (not recommended for production).
    • Ensure all intermediates are present in the system CA store if using a chain.
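As an added example (not part of MihuBot's report or of dotnet/runtime), the following C# puts the recommendations above into code: a pre-flight check of the dev cert for the two pitfalls the listed issues keep coming back to (a "BEGIN TRUSTED CERTIFICATE" PEM header instead of "BEGIN CERTIFICATE", and a missing serverAuth Extended Key Usage), and a narrower alternative to the "bypass validation" workaround: a ServerCertificateCustomValidationCallback that rebuilds the chain with X509ChainTrustMode.CustomRootTrust so that only a chain ending in the explicitly supplied dev cert is accepted, while hostname mismatch and expiry still fail. The path devcert.pem (as produced by dotnet dev-certs https --export-path devcert.pem --format PEM) and the class and method names are assumptions.

```csharp
#nullable enable
using System;
using System.IO;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not MihuBot's or dotnet/runtime code. Assumes the dev cert was
// exported to the hypothetical path ./devcert.pem in plain PEM format.
static class DevCertTrust
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth

    // Returns null when the certificate looks usable as a TLS server cert for .NET,
    // otherwise a description of the problem (PEM header or missing serverAuth EKU).
    public static string? CheckDevCert(string pemPath)
    {
        string pem = File.ReadAllText(pemPath);
        if (pem.Contains("-----BEGIN TRUSTED CERTIFICATE-----"))
            return "OpenSSL 'TRUSTED CERTIFICATE' format; .NET expects a plain BEGIN CERTIFICATE block";
        if (!pem.Contains("-----BEGIN CERTIFICATE-----"))
            return "no PEM certificate block found";

        using var cert = X509Certificate2.CreateFromPem(pem);
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        bool hasServerAuth = eku is not null
            && eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ServerAuthOid);
        if (!hasServerAuth)
            return "certificate lacks the serverAuth Extended Key Usage; .NET rejects it for TLS servers";

        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            return "certificate has expired";
        return null;
    }

    // Builds an HttpClient that trusts exactly one extra root: the supplied dev cert.
    // Unlike returning true unconditionally, this keeps name and expiry checks and
    // accepts no other untrusted certificate.
    public static HttpClient CreateClient(X509Certificate2 devCert)
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            // Normal case: the OS store (update-ca-certificates) already trusts the cert.
            if (errors == SslPolicyErrors.None) return true;
            if (cert is null) return false;

            // Only step in for chain errors (e.g. UntrustedRoot). A hostname mismatch or
            // any other error stays fatal.
            if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
                return false;

            // Rebuild the chain against a trust store containing only the dev cert. The
            // system store is not consulted in CustomRootTrust mode.
            using var custom = new X509Chain();
            custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            custom.ChainPolicy.CustomTrustStore.Add(devCert);
            custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // self-signed dev cert has no CRL
            return custom.Build(cert);
        };
        return new HttpClient(handler);
    }

    public static async System.Threading.Tasks.Task Main()
    {
        const string pemPath = "devcert.pem"; // assumed export location
        string? problem = CheckDevCert(pemPath);
        if (problem is not null)
        {
            Console.Error.WriteLine($"dev cert check failed: {problem}");
            return;
        }

        using var devCert = X509Certificate2.CreateFromPem(File.ReadAllText(pemPath));
        using HttpClient client = CreateClient(devCert);
        // Hostname must match the SAN on the dev cert (localhost), as with any other cert.
        using HttpResponseMessage response = await client.GetAsync("https://localhost:5001/");
        Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}");
    }
}
```

Design note: when the OS-level steps above have worked, the callback sees SslPolicyErrors.None and returns immediately, so the custom chain is only consulted for the UntrustedRoot case the issue reports. Because the trust store contains just the dev cert, a certificate from any other issuer still fails, which is the difference between this and the blanket-bypass callback the report flags as unsuitable for production.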

No Direct Duplicates

There are no issues that are direct duplicates of #121086 for Ubuntu 24.04 and .NET 9, but the above issues cover the same class of problems and provide relevant troubleshooting steps and explanations.

If you need more details from any specific issue or want to see the full comment history, let me know!
