We're using FiddlerCore to intercept HTTPS requests in our application and we're intermittently getting errors when creating certificates for the interception. Everything starts off fine: Fiddler happily creates certificates for each destination. We then kick off a large number of threads, many accessing the same website, and we start to get the following log output:
2013-07-18 16:04:36.858 [40] [DEBUG] - /Fiddler.CertMaker> Invoking makecert.exe with arguments: -pe -ss my -n "CN=www.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 07/17/2012
2013-07-18 16:04:37.061 [40] [DEBUG] - /Fiddler.CertMaker>40-CreateCert(www.example.com) => (-1)
Results from MakeCert.exe -pe -ss my -n "CN=www.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 07/17/2012
Error: Fail to acquire a security provider from the issuer's certificate
Failed
-------------------------------------------
2013-07-18 16:04:37.061 [40] [DEBUG] - Fiddler.CertMaker> [MakeCert.exe -pe -ss my -n "CN=www.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 07/17/2012] Returned Error: Creation of the interception certificate failed.
makecert.exe returned -1.
Results from MakeCert.exe -pe -ss my -n "CN=www.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 07/17/2012
Error: Fail to acquire a security provider from the issuer's certificate
Failed
-------------------------------------------
2013-07-18 16:04:37.061 [40] [DEBUG] - !Fiddler.CertMaker> Tried to create cert for www.example.com, but can't find it from thread 40!
2013-07-18 16:04:37.061 [40] [DEBUG] - fiddler.https> Failed to obtain certificate for www.example.com due to Certificate Maker returned null when asked for a certificate for www.example.com

This seems to start happening when two or more threads try to make the same certificate. I've poked around in the source using Reflector and it looks like certificate creation is enclosed in a writer lock so I'm struggling to see how there could be a race condition there.
If I try to run this command from the command line it continues to fail but if I have FiddlerCore re-install the root certificate it magically starts working again! Is there some way that makecert could be corrupting the root certificate?