Add logging if we detect the app host is running with an untrusted dev cert#14666
Merged
danegsta merged 34 commits intorelease/13.2from Mar 9, 2026
Merged
Add logging if we detect the app host is running with an untrusted dev cert#14666danegsta merged 34 commits intorelease/13.2from
danegsta merged 34 commits intorelease/13.2from
Conversation
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…il APIs with async/await (#14110)
Contributor
|
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 14666Or
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 14666" |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves diagnosability when Aspire is configured to automatically trust the ASP.NET Core development certificate but the newest dev cert is not actually trusted by the OS trust store, by surfacing an app-host log and a dashboard notification.
Changes:
- Add a dev-certificate trust check during
DcpHoststartup and emit a dashboard notification when the latest dev cert isn’t trusted. - Add cross-platform trust detection helper in
DeveloperCertificateService(Root store check on Windows/Linux;security verify-certon macOS). - Ensure the dashboard resource can be configured with a Kestrel certificate callback when HTTPS endpoints are present, plus add new localized strings and update tests.
Reviewed changes
Copilot reviewed 20 out of 21 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/Aspire.Hosting.Tests/Dcp/DcpHostNotificationTests.cs | Updates DcpHost construction in tests to pass new dependencies. |
| tests/Aspire.Hosting.Tests/Dashboard/DashboardResourceTests.cs | Adds a test validating the dashboard resource is annotated with an HTTPS/Kestrel certificate callback when using HTTPS. |
| src/Aspire.Hosting/DeveloperCertificateService.cs | Adds certificate trust probing helper and disposes unused cert instances. |
| src/Aspire.Hosting/Dcp/DcpHost.cs | Runs dev-cert trust check at startup and prompts a dashboard notification when trust is missing. |
| src/Aspire.Hosting/Dashboard/DashboardEventHandlers.cs | Adds logic to attach a Kestrel certificate configuration callback when dashboard endpoints include HTTPS. |
| src/Aspire.Hosting/AspireEventSource.cs | Adds EventSource events for dev-cert trust check start/stop. |
| src/Aspire.Hosting/Resources/InteractionStrings.resx | Adds new strings for “development certificate not fully trusted” title/message. |
| src/Aspire.Hosting/Resources/InteractionStrings.Designer.cs | Regenerates strongly-typed resource accessors for the new strings. |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.cs.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.de.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.es.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.fr.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.it.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.ja.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.ko.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.pl.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.pt-BR.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.ru.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.tr.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.zh-Hans.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.zh-Hant.xlf | Adds new string IDs for translation (state=new). |
Files not reviewed (1)
- src/Aspire.Hosting/Resources/InteractionStrings.Designer.cs: Language not supported
16 tasks
Contributor
🎬 CLI E2E Test RecordingsThe following terminal recordings are available for commit
📹 Recordings uploaded automatically from CI run #22814938132 |
Member
Author
|
@karolz-ms @joperezr heads up but we'll have to decide how we want to deal with a merge conflict in AspireEventSource.cs between this PR and #14557 |
JamesNK
reviewed
Feb 25, 2026
| public async Task StartAsync(CancellationToken cancellationToken) | ||
| { | ||
| await EnsureDcpContainerRuntimeAsync(cancellationToken).ConfigureAwait(false); | ||
| await EnsureDevelopmentCertificateTrustAsync(cancellationToken).ConfigureAwait(false); |
Member
There was a problem hiding this comment.
Why in the DCP host? Doesn't seem DCP related to me.
What about doing it in an app host event? For example, Seb added detection for whether secrets are disable and you have persistent container in an app host event.
Member
Author
There was a problem hiding this comment.
This was purely because it's the place we're doing existing startup runtime dependency checks (the container health check also lives here). We may be able to decide on a better location, but for now this is a location of convenience.
| /// <inheritdoc /> | ||
| public bool UseForHttps { get; } | ||
|
|
||
| internal static async Task<bool> IsCertificateTrustedAsync(IFileSystemService fileSystemService, X509Certificate2 certificate, CancellationToken cancellationToken = default) |
Member
There was a problem hiding this comment.
Someone else will have to review this. I'm not an expert in this area.
Member
Author
There was a problem hiding this comment.
This was reviewed in the previous version of the PR that stalled out due to a test issue that's now fixed. I re-opened because the old one was targeting main instead of release/13.2.
This was referenced Mar 5, 2026
davidfowl
reviewed
Mar 7, 2026
Co-authored-by: Damian Edwards <damian@damianedwards.com>
Member
Author
|
@copilot update other strings in the PR that reference running |
16 tasks
Contributor
…v cert (#15042) * Initial plan * Replace dotnet dev-certs command references with aka.ms/aspire/devcerts link Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com>
Member
Author
|
@copilot there's a failing test that's looking for outdated strings after the latest changes. |
Contributor
16 tasks
…/devcerts (#15043) * Initial plan * Fix failing test that was checking for outdated string content after log message update Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com>
davidfowl
reviewed
Mar 8, 2026
16 tasks
Contributor
…ificate" in user-facing strings (#15048) * Initial plan * Replace "ASP.NET Core Development Certificate" with "development certificate" in strings Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com>
karolz-ms
approved these changes
Mar 9, 2026
Copilot AI
added a commit
that referenced
this pull request
Mar 10, 2026
…v cert (#14666) * Add logging if we detect the app host is running with an untrusted dev cert * Allow overriding the dev cert used by the dashboard * Also notify the dashboard if the certificate isn't trusted * Update src/Aspire.Hosting/DeveloperCertificateService.cs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Move forward unlocking the macos keychain and trust the cert * Update trust check to handle MacOS * Add link to dev-certs code * Cleanup some of the exceptions * Trusting on Mac isn't going to be an option; switch to a warning in logs * Use resource strings, move check and logging to DcpHost setup * Update how HTTPS check is determined * Use the file system service to get a temp folder * Refactor DeveloperCertificateService to use ProcessSpec and ProcessUtil APIs with async/await (#14110) * Update test service mocks * Guard against the interaction service not being available * Fix merge issue in DashboardEventHandlers * Fix developer cert service timeout on Mac CI * Only skip interaction service prompt if service not available * Add additional test * Fix failing test * Disable dev cert https in mac ci tests * Revert unrequired macos timeout change * Add comments explaining the dashboard certificate config * Only warn if there's an HTTPS/TLS endpoint * Cleanup how we determine certificate trust to a cross-platform approach * Expose interface property such that it can be used in tests * Add chain build that got removed * Check if cert is in root store on Windows * Fix check that wasn't properly detecting the lack of trusted certificates * Update src/Aspire.Hosting/Dcp/DcpHost.cs Co-authored-by: Damian Edwards <damian@damianedwards.com> * Add logging if we detect the app host is running with an untrusted dev cert (#15042) * Initial plan * Replace dotnet dev-certs command references with aka.ms/aspire/devcerts link Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> * Fix failing test after log message updated to reference aka.ms/aspire/devcerts (#15043) * Initial plan * Fix failing test that was checking for outdated string content after log message update Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> * Replace "ASP.NET Core Development Certificate" with "development certificate" in user-facing strings (#15048) * Initial plan * Replace "ASP.NET Core Development Certificate" with "development certificate" in strings Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Damian Edwards <damian@damianedwards.com>
1 task
16 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
It's possible, particularly after .NET SDK updates, to end up in a situation where there's a newer dev cert added to the
CurrentUser/Mycert store (which is the source of dev certs for TLS termination), but not to theCurrentUser/Rootcert store which is where trusted certificates are pulled from. This can lead to a situation where services try to terminate HTTPS endpoints with an updated dev cert, but nothing actually trusts the new certificate. Diagnosing the issue is confusing and can require checking the logs for individual services.This adds an explicit error level log if automatic dev cert trust is enabled and the latest certificate isn't in the trusted root store.
This replaces #13943 in targeting release/13.2.
Checklist
<remarks />and<code />elements on your triple slash comments?doc-ideatemplatebreaking-changetemplatediagnostictemplate