Add logging if we detect the app host is running with an untrusted dev cert #15042

Merged
danegsta merged 2 commits into danegsta/trustLog from copilot/sub-pr-14666
Mar 7, 2026

Copilot AI commented Mar 7, 2026

Description

When automatic dev cert trust is enabled but the newest dev cert isn't in the trusted root store, Aspire now emits explicit log warnings and dashboard notifications to surface the issue. This replaces confusing per-service TLS errors with a clear actionable message pointing to https://aka.ms/aspire/devcerts.

Changes:

  • DcpHost.cs: During startup, checks for HTTPS/TLS usage before probing cert trust state. Emits LogWarning and sends a dashboard notification (when available) if no trusted certs exist or the latest cert is untrusted. Log messages and dashboard messages now reference https://aka.ms/aspire/devcerts instead of dotnet dev-certs commands.
  • DeveloperCertificateService: Cross-platform trust detection via X509Chain building. Exposes Certificates (trusted only) and LatestCertificateIsUntrusted to distinguish between "no trusted cert" and "newer untrusted cert present" scenarios.
  • DashboardEventHandlers: Configures the dashboard Kestrel instance and the app host gRPC service with a certificate callback that uses a verified dev cert rather than the default Kestrel cert resolution.
  • InteractionStrings.resx + all .xlf files: Messages updated to drop dotnet dev-certs https --trust command references in favor of See https://aka.ms/aspire/devcerts for more information.

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?
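
The description above distinguishes "no trusted cert" from "newer untrusted cert present" using X509Chain building. The following is an added example of that check, not code from this pull request or from Aspire: the `DevCertTrustProbe` class, its members and the message wording are hypothetical, and it assumes dev certs live in the CurrentUser\My store and that "latest" means the newest NotBefore date.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added illustration; the class and member names are hypothetical, not Aspire's.
var (trusted, latestIsUntrusted) = DevCertTrustProbe.Probe();
if (trusted.Length == 0)
    Console.WriteLine("warn: no trusted dev cert found. See https://aka.ms/aspire/devcerts");
else if (latestIsUntrusted)
    Console.WriteLine("warn: newest dev cert is not trusted. See https://aka.ms/aspire/devcerts");
else
    Console.WriteLine($"ok: {trusted.Length} trusted dev cert(s)");

static class DevCertTrustProbe
{
    // Extension OID that marks an ASP.NET Core HTTPS development certificate.
    const string AspNetHttpsOid = "1.3.6.1.4.1.311.84.1.1";

    // Trusted means the platform can build a chain that ends in a trusted root.
    public static bool IsTrusted(X509Certificate2 cert)
    {
        using var chain = new X509Chain();
        // Self-signed dev certs publish no CRL or OCSP endpoint, so skip revocation.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(cert);
    }

    public static (X509Certificate2[] Trusted, bool LatestIsUntrusted) Probe()
    {
        // Assumption: dev certs are read from the CurrentUser\My store.
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var now = DateTime.Now;
        var devCerts = store.Certificates.OfType<X509Certificate2>()
            .Where(c => c.HasPrivateKey && c.NotBefore <= now && now <= c.NotAfter)
            .Where(c => c.Extensions.OfType<X509Extension>()
                         .Any(e => e.Oid?.Value == AspNetHttpsOid))
            .OrderByDescending(c => c.NotBefore) // assumption: "latest" = newest NotBefore
            .ToList();
        var trusted = devCerts.Where(IsTrusted).ToArray();
        // A newer untrusted cert can sit beside an older trusted one; report it separately.
        bool latestIsUntrusted = devCerts.Count > 0 && !IsTrusted(devCerts[0]);
        return (trusted, latestIsUntrusted);
    }
}
```

Returning only chain-validated certificates means a caller that picks a serving certificate from `Trusted` never selects one that clients will reject.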

…ts link

Co-authored-by: danegsta <50252651+danegsta@users.noreply.github.com>
Copilot AI changed the title [WIP] Add logging for untrusted dev certificate detection Add logging if we detect the app host is running with an untrusted dev cert Mar 7, 2026
@danegsta danegsta marked this pull request as ready for review March 7, 2026 21:06
@danegsta danegsta merged commit 12754bc into danegsta/trustLog Mar 7, 2026
3 of 4 checks passed
@danegsta danegsta deleted the copilot/sub-pr-14666 branch March 7, 2026 21:07