I ran into this issue earlier today after updating Visual Studio for Mac. I had tried debugging a site, and was met with the error message in Safari that it couldn't establish a secure connection with the server. Kestrel was running, and the port was correctly open -- it's just that the SSL/TLS negotiation was failing.
I'd had to trust the development certificate before, so I ran:
dotnet dev-certs https --trust
And was met with this output:
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'
This command might prompt you for your password to install the certificate on the system keychain.
A valid HTTPS certificate is already present.
I figured that perhaps the development certificate was expired or had changed, so I tried to run the following command to remove it (intending to trust the current version afterward):
dotnet dev-certs https --clean
But unfortunately, I was met with this error message:
Cleaning HTTPS development certificates from the machine. This operation might require elevated privileges. If that is the case, a prompt for credentials will be displayed.
Password:[Entered sudo password here]
There was an error trying to clean HTTPS development certificates on this machine.
Removing the requested certificate would modify user trust settings, and has been denied.
Which was frustrating. I needed to open Keychain Access and find the certificate, which is just named localhost:
The certificate expiration date was actually still in the future, so the certificate itself was still valid. Though the one being used by dotnet was now different. Anyway, to fix the issue, I manually deleted the localhost certificate you see in the above screenshot. Then I ran the following command again:
dotnet dev-certs https --trust
And thankfully got the following output:
The HTTPS developer certificate was generated successfully.
After that, debugging and connecting to the local Kestrel instance worked correctly again.