dotnet · davidfowl · May 19, 2025 · May 19, 2025 · May 19, 2025 · May 19, 2025
diff --git a/src/Aspire.Cli/Certificates/CertificateService.cs b/src/Aspire.Cli/Certificates/CertificateService.cs
@@ -50,11 +50,27 @@ public async Task EnsureCertificatesTrustedAsync(IDotNetCliRunner runner, Cancel
 
             if (trustExitCode != 0)
             {
+                var outputLines = ensureCertificateCollector.GetLines();
+
+                if (outputLines.Any(line => line.Line == DevCertsPartialTrustMessage))
+                {
+                    // On some platforms the trust command may return with a non-zero exit code by still
+                    // be functional enough to work for .NET Aspire. This is a workaround for that non-zero
+                    // exit code that allows the CLI to continue starting up the apphost. We want to warn
+                    // when this happens so we know we are hitting this corner case.
+                    interactionService.DisplayMessage(
+                        "warning",
+                        "The HTTPS developer certificate is partially trusted. Some clients may not work correctly.");
+                    return;
+                }
+
                 interactionService.DisplayLines(ensureCertificateCollector.GetLines());
                 throw new CertificateServiceException($"Failed to trust certificates, trust command failed with exit code: {trustExitCode}");
             }
         }
     }
+
+    private const string DevCertsPartialTrustMessage = "There was an error trusting the HTTPS developer certificate. It will be trusted by some clients but not by others.";
 }
 
 public sealed class CertificateServiceException(string message) : Exception(message)

diff --git a/tests/Aspire.Cli.Tests/Certificates/CertificateServiceTests.cs b/tests/Aspire.Cli.Tests/Certificates/CertificateServiceTests.cs
@@ -0,0 +1,67 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Aspire.Cli.Certificates;
+using Aspire.Cli.Tests.TestServices;
+using Aspire.Cli.Tests.Utils;
+using Microsoft.Extensions.DependencyInjection;
+using Xunit;
+
+namespace Aspire.Cli.Tests.Certificates;
+
+public class CertificateServiceTests(ITestOutputHelper outputHelper)
+{
+    [Fact]
+    public async Task EnsureCertificatesTrustedAsyncSucceedsOnExitCode4IfPartialTrustMessageDetected()
+    {
+        var services = CliTestHelper.CreateServiceCollection(outputHelper, options =>
+        {
+            options.DotNetCliRunnerFactory = sp =>
+            {
+                var runner = new TestDotNetCliRunner();
+                runner.CheckHttpCertificateAsyncCallback = (_, _) => 1;
+                runner.TrustHttpCertificateAsyncCallback = (options, _) =>
+                {
+                    Assert.NotNull(options.StandardErrorCallback);
+                    options.StandardErrorCallback!.Invoke("There was an error trusting the HTTPS developer certificate. It will be trusted by some clients but not by others.");
+                    return 4;
+                };
+                return runner;
+            };
+        });
+
+        var sp = services.BuildServiceProvider();
+        var cs = sp.GetRequiredService<ICertificateService>();
+        var runner = sp.GetRequiredService<IDotNetCliRunner>();
+
+        // If this does not throw then the code is behaving correctly.
+        await cs.EnsureCertificatesTrustedAsync(runner, TestContext.Current.CancellationToken).WaitAsync(CliTestConstants.DefaultTimeout);
+    }
+
+    [Fact]
+    public async Task EnsureCertificatesTrustedAsyncFailsOnExitCode4IfPartialTrustMessageNotDetected()
+    {
+        var services = CliTestHelper.CreateServiceCollection(outputHelper, options =>
+        {
+            options.DotNetCliRunnerFactory = sp =>
+            {
+                var runner = new TestDotNetCliRunner();
+                runner.CheckHttpCertificateAsyncCallback = (_, _) => 1;
+                runner.TrustHttpCertificateAsyncCallback = (options, _) => 4;
+                return runner;
+            };
+        });
+
+        var sp = services.BuildServiceProvider();
+        var cs = sp.GetRequiredService<ICertificateService>();
+        var runner = sp.GetRequiredService<IDotNetCliRunner>();
+
+        var ex = await Assert.ThrowsAsync<CertificateServiceException>(async () =>
+        {
+            await cs.EnsureCertificatesTrustedAsync(runner, TestContext.Current.CancellationToken).WaitAsync(CliTestConstants.DefaultTimeout);
+
+        });
+
+        Assert.Equal("Failed to trust certificates, trust command failed with exit code: 4", ex.Message);
+    }
+}