Add logging if we detect the app host is running with an untrusted dev cert#14666
Open
danegsta wants to merge 33 commits intorelease/13.2from
Open
Add logging if we detect the app host is running with an untrusted dev cert#14666danegsta wants to merge 33 commits intorelease/13.2from
danegsta wants to merge 33 commits intorelease/13.2from
Conversation
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…il APIs with async/await (#14110)
Contributor
|
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 14666Or
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 14666" |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves diagnosability when Aspire is configured to automatically trust the ASP.NET Core development certificate but the newest dev cert is not actually trusted by the OS trust store, by surfacing an app-host log and a dashboard notification.
Changes:
- Add a dev-certificate trust check during
DcpHoststartup and emit a dashboard notification when the latest dev cert isn’t trusted. - Add cross-platform trust detection helper in
DeveloperCertificateService(Root store check on Windows/Linux;security verify-certon macOS). - Ensure the dashboard resource can be configured with a Kestrel certificate callback when HTTPS endpoints are present, plus add new localized strings and update tests.
Reviewed changes
Copilot reviewed 20 out of 21 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/Aspire.Hosting.Tests/Dcp/DcpHostNotificationTests.cs | Updates DcpHost construction in tests to pass new dependencies. |
| tests/Aspire.Hosting.Tests/Dashboard/DashboardResourceTests.cs | Adds a test validating the dashboard resource is annotated with an HTTPS/Kestrel certificate callback when using HTTPS. |
| src/Aspire.Hosting/DeveloperCertificateService.cs | Adds certificate trust probing helper and disposes unused cert instances. |
| src/Aspire.Hosting/Dcp/DcpHost.cs | Runs dev-cert trust check at startup and prompts a dashboard notification when trust is missing. |
| src/Aspire.Hosting/Dashboard/DashboardEventHandlers.cs | Adds logic to attach a Kestrel certificate configuration callback when dashboard endpoints include HTTPS. |
| src/Aspire.Hosting/AspireEventSource.cs | Adds EventSource events for dev-cert trust check start/stop. |
| src/Aspire.Hosting/Resources/InteractionStrings.resx | Adds new strings for “development certificate not fully trusted” title/message. |
| src/Aspire.Hosting/Resources/InteractionStrings.Designer.cs | Regenerates strongly-typed resource accessors for the new strings. |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.cs.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.de.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.es.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.fr.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.it.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.ja.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.ko.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.pl.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.pt-BR.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.ru.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.tr.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.zh-Hans.xlf | Adds new string IDs for translation (state=new). |
| src/Aspire.Hosting/Resources/xlf/InteractionStrings.zh-Hant.xlf | Adds new string IDs for translation (state=new). |
Files not reviewed (1)
- src/Aspire.Hosting/Resources/InteractionStrings.Designer.cs: Language not supported
16 tasks
Contributor
🎬 CLI E2E Test RecordingsThe following terminal recordings are available for commit
📹 Recordings uploaded automatically from CI run #22807550441 |
Member
Author
|
@karolz-ms @joperezr heads up but we'll have to decide how we want to deal with a merge conflict in AspireEventSource.cs between this PR and #14557 |
JamesNK
reviewed
Feb 25, 2026
| public async Task StartAsync(CancellationToken cancellationToken) | ||
| { | ||
| await EnsureDcpContainerRuntimeAsync(cancellationToken).ConfigureAwait(false); | ||
| await EnsureDevelopmentCertificateTrustAsync(cancellationToken).ConfigureAwait(false); |
Member
There was a problem hiding this comment.
Why in the DCP host? Doesn't seem DCP related to me.
What about doing it in an app host event? For example, Seb added detection for whether secrets are disable and you have persistent container in an app host event.
Member
Author
There was a problem hiding this comment.
This was purely because it's the place we're doing existing startup runtime dependency checks (the container health check also lives here). We may be able to decide on a better location, but for now this is a location of convenience.
| /// <inheritdoc /> | ||
| public bool UseForHttps { get; } | ||
|
|
||
| internal static async Task<bool> IsCertificateTrustedAsync(IFileSystemService fileSystemService, X509Certificate2 certificate, CancellationToken cancellationToken = default) |
Member
There was a problem hiding this comment.
Someone else will have to review this. I'm not an expert in this area.
Member
Author
There was a problem hiding this comment.
This was reviewed in the previous version of the PR that stalled out due to a test issue that's now fixed. I re-opened because the old one was targeting main instead of release/13.2.
This was referenced Feb 25, 2026
This was referenced Mar 5, 2026
davidfowl
reviewed
Mar 7, 2026
Co-authored-by: Damian Edwards <damian@damianedwards.com>
Member
Author
|
@copilot update other strings in the PR that reference running |
16 tasks
Contributor
…v cert (#15042) * Initial plan * Replace dotnet dev-certs command references with aka.ms/aspire/devcerts link Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com>
Member
Author
|
@copilot there's a failing test that's looking for outdated strings after the latest changes. |
Contributor
16 tasks
…/devcerts (#15043) * Initial plan * Fix failing test that was checking for outdated string content after log message update Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com>
davidfowl
reviewed
Mar 8, 2026
Comment on lines
+187
to
+198
| <data name="DeveloperCertificateNotFullyTrustedTitle" xml:space="preserve"> | ||
| <value>Development certificate not fully trusted</value> | ||
| </data> | ||
| <data name="DeveloperCertificateNotFullyTrustedMessage" xml:space="preserve"> | ||
| <value>The most recent ASP.NET Core Development Certificate isn't fully trusted. See https://aka.ms/aspire/devcerts for more information.</value> | ||
| </data> | ||
| <data name="NoDeveloperCertificateTrustedTitle" xml:space="preserve"> | ||
| <value>No trusted development certificate</value> | ||
| </data> | ||
| <data name="NoDeveloperCertificateTrustedMessage" xml:space="preserve"> | ||
| <value>No trusted ASP.NET Core Development Certificate was found. See https://aka.ms/aspire/devcerts for more information.</value> | ||
| </data> |
Member
There was a problem hiding this comment.
WE gotta fix all of these string.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
It's possible, particularly after .NET SDK updates, to end up in a situation where there's a newer dev cert added to the
CurrentUser/Mycert store (which is the source of dev certs for TLS termination), but not to theCurrentUser/Rootcert store which is where trusted certificates are pulled from. This can lead to a situation where services try to terminate HTTPS endpoints with an updated dev cert, but nothing actually trusts the new certificate. Diagnosing the issue is confusing and can require checking the logs for individual services.This adds an explicit error level log if automatic dev cert trust is enabled and the latest certificate isn't in the trusted root store.
This replaces #13943 in targeting release/13.2.
Checklist
<remarks />and<code />elements on your triple slash comments?doc-ideatemplatebreaking-changetemplatediagnostictemplate