Skip to content

Ensure SSL_CERT_DIR messages are always shown and check for existing value #35

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tomerqodo wants to merge 6 commits into
base: qodo_claude_vs_qodo_base_ensure_ssl_cert_dir_messages_are_always_shown_and_check_for_existing_value_pr3
Choose a base branch
from
+71 −10
Open

Ensure SSL_CERT_DIR messages are always shown and check for existing value #35

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
fade7c7
Improve the SSL_CERT_DIR messaging on Unix systems.
danegsta Jan 7, 2026
60be2ab
Use critical for log level filter
danegsta Jan 7, 2026
9fd206b
Update src/Shared/CertificateGeneration/UnixCertificateManager.cs
danegsta Jan 7, 2026
35584d7
Update src/Shared/CertificateGeneration/CertificateManager.cs
danegsta Jan 7, 2026
c8ce09d
Treat invalid SSL_CERT_DIR as a partial success during trust
danegsta Jan 8, 2026
07d6e09
update pr
tomerqodo Jan 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 9 additions & 4 deletions src/Shared/CertificateGeneration/CertificateManager.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -966,9 +966,6 @@ internal static bool TryFindCertificateInStore(X509Store store, X509Certificate2
return foundCertificate is not null;
}

/// <remarks>
/// Note that dotnet-dev-certs won't display any of these, regardless of level, unless --verbose is passed.
/// </remarks>
[EventSource(Name = "Dotnet-dev-certs")]
public sealed class CertificateManagerEventSource : EventSource
{
Expand Down Expand Up @@ -1303,7 +1300,7 @@ public sealed class CertificateManagerEventSource : EventSource
internal void UnixNotOverwritingCertificate(string certPath) => WriteEvent(109, certPath);

[Event(110, Level = EventLevel.LogAlways, Message = "For OpenSSL trust to take effect, '{0}' must be listed in the {2} environment variable. " +
"For example, `export SSL_CERT_DIR={0}:{1}`. " +
"For example, `export {2}=\"{0}:{1}\"`. " +
"See https://aka.ms/dev-certs-trust for more information.")]
internal void UnixSuggestSettingEnvironmentVariable(string certDir, string openSslDir, string envVarName) => WriteEvent(110, certDir, openSslDir, envVarName);

Expand All @@ -1313,6 +1310,14 @@ public sealed class CertificateManagerEventSource : EventSource

[Event(112, Level = EventLevel.Warning, Message = "Directory '{0}' may be readable by other users.")]
internal void DirectoryPermissionsNotSecure(string directoryPath) => WriteEvent(112, directoryPath);

[Event(113, Level = EventLevel.Verbose, Message = "The certificate directory '{0}' is already included in the {1} environment variable.")]
internal void UnixOpenSslCertificateDirectoryAlreadyConfigured(string certDir, string envVarName) => WriteEvent(113, certDir, envVarName);

[Event(114, Level = EventLevel.LogAlways, Message = "For OpenSSL trust to take effect, '{0}' must be listed in the {1} environment variable. " +
"For example, `export {1}=\"{0}:${1}\"`. " +
"See https://aka.ms/dev-certs-trust for more information.")]
internal void UnixSuggestAppendingToEnvironmentVariable(string certDir, string envVarName) => WriteEvent(114, certDir, envVarName);
}

internal sealed class UserCancelledTrustException : Exception
Expand Down
60 changes: 56 additions & 4 deletions src/Shared/CertificateGeneration/UnixCertificateManager.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -355,14 +355,57 @@ protected override TrustLevel TrustCertificateCore(X509Certificate2 certificate)
? Path.Combine("$HOME", certDir[homeDirectoryWithSlash.Length..])
: certDir;

if (TryGetOpenSslDirectory(out var openSslDir))
var hasValidSslCertDir = false;

// Check if SSL_CERT_DIR is already set and if certDir is already included
var existingSslCertDir = Environment.GetEnvironmentVariable(OpenSslCertificateDirectoryVariableName);
if (!string.IsNullOrEmpty(existingSslCertDir))
{
var existingDirs = existingSslCertDir.Split(Path.PathSeparator);
var certDirFullPath = Path.GetFullPath(prettyCertDir);
var isCertDirIncluded = existingDirs.Any(dir =>
{
if (string.IsNullOrWhiteSpace(dir))
{
return false;
}

try
{
return string.Equals(Path.GetFullPath(dir), certDirFullPath, StringComparison.OrdinalIgnoreCase);
}
Comment on lines 355 to +376
Copy link
Copy Markdown

@qodo-code-review qodo-code-review Bot Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

2. Ssl_cert_dir path mismatch 🐞 Bug ✓ Correctness

UnixCertificateManager compares SSL_CERT_DIR entries against Path.GetFullPath(prettyCertDir), but
prettyCertDir may contain the literal "$HOME", so a correctly-configured SSL_CERT_DIR using an
absolute path won’t match and trust is incorrectly treated as partial/failing. It also uses
OrdinalIgnoreCase on Unix paths, which can wrongly treat different directories as the same on
case-sensitive filesystems.
Agent Prompt 
### Issue description
Unix SSL_CERT_DIR detection uses a display-only path (prettyCertDir, which may include the literal `$HOME`) for Path.GetFullPath comparisons and uses OrdinalIgnoreCase on Unix, causing false negatives/positives when deciding whether SSL_CERT_DIR already includes the cert directory.

### Issue Context
This logic controls whether the tool reports trust as partial vs full and what guidance it prints.

### Fix Focus Areas
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[354-390]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

catch
{
// Ignore invalid directory entries in SSL_CERT_DIR
return false;
}
});

if (isCertDirIncluded)
{
// The certificate directory is already in SSL_CERT_DIR, no action needed
Log.UnixOpenSslCertificateDirectoryAlreadyConfigured(prettyCertDir, OpenSslCertificateDirectoryVariableName);
hasValidSslCertDir = true;
}
else
{
// SSL_CERT_DIR is set but doesn't include our directory - suggest appending
Log.UnixSuggestAppendingToEnvironmentVariable(prettyCertDir, OpenSslCertificateDirectoryVariableName);
hasValidSslCertDir = false;
}
}
else if (TryGetOpenSslDirectory(out var openSslDir))
{
Log.UnixSuggestSettingEnvironmentVariable(prettyCertDir, Path.Combine(openSslDir, "certs"), OpenSslCertificateDirectoryVariableName);
hasValidSslCertDir = false;
}
else
{
Log.UnixSuggestSettingEnvironmentVariableWithoutExample(prettyCertDir, OpenSslCertificateDirectoryVariableName);
hasValidSslCertDir = false;
}

sawTrustFailure = !hasValidSslCertDir;
}
Comment on lines +408 to 409
Copy link
Copy Markdown

@qodo-code-review qodo-code-review Bot Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

3. Trust failures overwritten 🐞 Bug ✓ Correctness

TrustCertificateCore overwrites sawTrustFailure with !hasValidSslCertDir, which can clear earlier
failures (e.g., NSS DB trust failures) and incorrectly return TrustLevel.Full. This makes the tool
report success even when some trust steps already failed.
Agent Prompt 
### Issue description
The new SSL_CERT_DIR validation overwrites `sawTrustFailure`, masking failures from earlier trust steps and allowing an incorrect `TrustLevel.Full`.

### Issue Context
`sawTrustFailure` aggregates failures from dotnet store trust, OpenSSL rehash, and NSS DB trust operations.

### Fix Focus Areas
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[333-344]
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[408-413]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


return sawTrustFailure
Expand Down Expand Up @@ -948,9 +991,18 @@ private static bool TryRehashOpenSslCertificates(string certificateDirectory)
return true;
}

private sealed class NssDb(string path, bool isFirefox)
private sealed class NssDb
{
public string Path => path;
public bool IsFirefox => isFirefox;
private readonly string _path;
private readonly bool _isFirefox;

public NssDb(string path, bool isFirefox)
{
_path = path;
_isFirefox = isFirefox;
}

public string Path => _path;
public bool IsFirefox => _isFirefox;
Comment on lines +994 to +1006
Copy link
Copy Markdown

@qodo-code-review qodo-code-review Bot Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remediation recommended

1. Nssdb missing primary constructor 📘 Rule violation ✓ Correctness

The NssDb type was changed from a C# 12 primary constructor to a traditional constructor with
backing fields, despite being a simple parameter-to-member assignment pattern. This violates the
repository convention to prefer primary constructors for this scenario and adds unnecessary
boilerplate.
Agent Prompt 
## Issue description
`NssDb` is a simple value-carrying type but was converted from a primary constructor to a traditional constructor with backing fields, adding boilerplate and violating the primary-constructor convention.

## Issue Context
This rule expects simple parameter-to-member assignment patterns to use C# 12 primary constructors.

## Fix Focus Areas
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[994-1006]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

}
}
8 changes: 6 additions & 2 deletions src/Tools/dotnet-dev-certs/src/Program.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,16 +124,20 @@ public static int Main(string[] args)
{
var reporter = new ConsoleReporter(PhysicalConsole.Singleton, verbose.HasValue(), quiet.HasValue());

var listener = new ReporterEventListener(reporter);
if (verbose.HasValue())
{
var listener = new ReporterEventListener(reporter);
listener.EnableEvents(CertificateManager.Log, System.Diagnostics.Tracing.EventLevel.Verbose);
}
else
{
listener.EnableEvents(CertificateManager.Log, System.Diagnostics.Tracing.EventLevel.LogAlways);
}
Comment on lines +127 to +135
Copy link
Copy Markdown

@qodo-code-review qodo-code-review Bot Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

4. Event format-string crash 🐞 Bug ⛯ Reliability

CertificateManagerEventSource event 111’s message uses placeholder {2} but only two payload
arguments are supplied, and ReporterEventListener always calls string.Format on the message. With
this PR enabling the listener at LogAlways in non-verbose runs, emitting event 111 will throw a
FormatException and can crash dotnet-dev-certs.
Agent Prompt 
### Issue description
Event 111’s format string references `{2}` but only two arguments are passed to `WriteEvent`, and the console event listener always calls `string.Format`, which will throw and can terminate the tool.

### Issue Context
This PR enables the listener even when not verbose (LogAlways), making this crash user-visible.

### Fix Focus Areas
- src/Shared/CertificateGeneration/CertificateManager.cs[1307-1309]
- src/Tools/dotnet-dev-certs/src/ReporterEventListener.cs[21-35]
- src/Tools/dotnet-dev-certs/src/Program.cs[123-135]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


if (checkJsonOutput.HasValue())
{
if (exportPath.HasValue() || trust?.HasValue() == true || format.HasValue() || noPassword.HasValue() || check.HasValue() || clean.HasValue() ||
(!import.HasValue() && password.HasValue()) ||
(!import.HasValue() && password.HasValue()) ||
(import.HasValue() && !password.HasValue()))
{
reporter.Error(InvalidUsageErrorMessage);
Expand Down