Add logging if we detect the app host is running with an untrusted dev cert#15042
Merged
danegsta merged 2 commits intodanegsta/trustLogfrom Mar 7, 2026
Merged
Add logging if we detect the app host is running with an untrusted dev cert#15042danegsta merged 2 commits intodanegsta/trustLogfrom
danegsta merged 2 commits intodanegsta/trustLogfrom
Conversation
16 tasks
…ts link Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Add logging for untrusted dev certificate detection
Add logging if we detect the app host is running with an untrusted dev cert
Mar 7, 2026
danegsta
added a commit
that referenced
this pull request
Mar 9, 2026
…v cert (#14666) * Add logging if we detect the app host is running with an untrusted dev cert * Allow overriding the dev cert used by the dashboard * Also notify the dashboard if the certificate isn't trusted * Update src/Aspire.Hosting/DeveloperCertificateService.cs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Move forward unlocking the macos keychain and trust the cert * Update trust check to handle MacOS * Add link to dev-certs code * Cleanup some of the exceptions * Trusting on Mac isn't going to be an option; switch to a warning in logs * Use resource strings, move check and logging to DcpHost setup * Update how HTTPS check is determined * Use the file system service to get a temp folder * Refactor DeveloperCertificateService to use ProcessSpec and ProcessUtil APIs with async/await (#14110) * Update test service mocks * Guard against the interaction service not being available * Fix merge issue in DashboardEventHandlers * Fix developer cert service timeout on Mac CI * Only skip interaction service prompt if service not available * Add additional test * Fix failing test * Disable dev cert https in mac ci tests * Revert unrequired macos timeout change * Add comments explaining the dashboard certificate config * Only warn if there's an HTTPS/TLS endpoint * Cleanup how we determine certificate trust to a cross-platform approach * Expose interface property such that it can be used in tests * Add chain build that got removed * Check if cert is in root store on Windows * Fix check that wasn't properly detecting the lack of trusted certificates * Update src/Aspire.Hosting/Dcp/DcpHost.cs Co-authored-by: Damian Edwards <damian@damianedwards.com> * Add logging if we detect the app host is running with an untrusted dev cert (#15042) * Initial plan * Replace dotnet dev-certs command references with aka.ms/aspire/devcerts link Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> * Fix failing test after log message updated to reference aka.ms/aspire/devcerts (#15043) * Initial plan * Fix failing test that was checking for outdated string content after log message update Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> * Replace "ASP.NET Core Development Certificate" with "development certificate" in user-facing strings (#15048) * Initial plan * Replace "ASP.NET Core Development Certificate" with "development certificate" in strings Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Damian Edwards <damian@damianedwards.com>
Copilot AI
added a commit
that referenced
this pull request
Mar 10, 2026
…v cert (#14666) * Add logging if we detect the app host is running with an untrusted dev cert * Allow overriding the dev cert used by the dashboard * Also notify the dashboard if the certificate isn't trusted * Update src/Aspire.Hosting/DeveloperCertificateService.cs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Move forward unlocking the macos keychain and trust the cert * Update trust check to handle MacOS * Add link to dev-certs code * Cleanup some of the exceptions * Trusting on Mac isn't going to be an option; switch to a warning in logs * Use resource strings, move check and logging to DcpHost setup * Update how HTTPS check is determined * Use the file system service to get a temp folder * Refactor DeveloperCertificateService to use ProcessSpec and ProcessUtil APIs with async/await (#14110) * Update test service mocks * Guard against the interaction service not being available * Fix merge issue in DashboardEventHandlers * Fix developer cert service timeout on Mac CI * Only skip interaction service prompt if service not available * Add additional test * Fix failing test * Disable dev cert https in mac ci tests * Revert unrequired macos timeout change * Add comments explaining the dashboard certificate config * Only warn if there's an HTTPS/TLS endpoint * Cleanup how we determine certificate trust to a cross-platform approach * Expose interface property such that it can be used in tests * Add chain build that got removed * Check if cert is in root store on Windows * Fix check that wasn't properly detecting the lack of trusted certificates * Update src/Aspire.Hosting/Dcp/DcpHost.cs Co-authored-by: Damian Edwards <damian@damianedwards.com> * Add logging if we detect the app host is running with an untrusted dev cert (#15042) * Initial plan * Replace dotnet dev-certs command references with aka.ms/aspire/devcerts link Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> * Fix failing test after log message updated to reference aka.ms/aspire/devcerts (#15043) * Initial plan * Fix failing test that was checking for outdated string content after log message update Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> * Replace "ASP.NET Core Development Certificate" with "development certificate" in user-facing strings (#15048) * Initial plan * Replace "ASP.NET Core Development Certificate" with "development certificate" in strings Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Damian Edwards <damian@damianedwards.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
When automatic dev cert trust is enabled but the newest dev cert isn't in the trusted root store, Aspire now emits explicit log warnings and dashboard notifications to surface the issue. This replaces confusing per-service TLS errors with a clear actionable message pointing to https://aka.ms/aspire/devcerts.
Changes:
DcpHost.cs: During startup, checks for HTTPS/TLS usage before probing cert trust state. EmitsLogWarningand sends a dashboard notification (when available) if no trusted certs exist or the latest cert is untrusted. Log messages and dashboard messages now referencehttps://aka.ms/aspire/devcertsinstead ofdotnet dev-certscommands.DeveloperCertificateService: Cross-platform trust detection viaX509Chainbuilding. ExposesCertificates(trusted only) andLatestCertificateIsUntrustedto distinguish between "no trusted cert" and "newer untrusted cert present" scenarios.DashboardEventHandlers: Configures the dashboard Kestrel instance and the app host gRPC service with a certificate callback that uses a verified dev cert rather than the default Kestrel cert resolution.InteractionStrings.resx+ all.xlffiles: Messages updated to dropdotnet dev-certs https --trustcommand references in favor ofSee https://aka.ms/aspire/devcerts for more information.Checklist
<remarks />and<code />elements on your triple slash comments?aspire.devissue:🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.