Expected behavior Being able to make HTTPs calls from within the container
Actual behavior
System.InvalidOperationException: IDX10803: Unable to obtain configuration from: 'https://identity.test/.well-known/openid-configuration'. ---> System.IO.IOException: IDX10804: Unable to retrieve document from: 'https://identity.test/.we
ll-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: SSL connect error
Information I think the problem is that my container doesn't know at all about the certificates that need to be used for this http call. So what I tried to do is providing them to the container itself through the dockerfile that looks like this:
FROM microsoft/aspnetcore-build:2.0 AS build-env
WORKDIR /app
#Copy csproj and restore as distinct layers
COPY PublishOutput/. ./
FROM microsoft/aspnetcore:2.0
WORKDIR /app
COPY --from=build-env /app .
COPY Certificates/myCertificate.cer /usr/local/share/ca-certificates/myCertificate
RUN update-ca-certificates
ENTRYPOINT ["dotnet", "CaseApi.Web.dll"]
Inside the PublishOutput folder I just have all the dlls of my .net core api that I need to run inside the Docker container.
When I build the dockerfile it says:
Step 8/9 : RUN update-ca-certificates
---> Running in b025a42f2edc
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
which makes me think that the certificate I want to use isn't being really used. What am I doing wrong? Thanks in advance!
The default location to install certificates is /etc/ssl/certs . This enables multiple services to use the same certificate without overly complicated file permissions. For applications that can be configured to use a CA certificate, you should also copy the /etc/ssl/certs/cacert.
A custom certificate is configured by creating a directory under /etc/docker/certs.
Steps to follow:
1) Make sure the extension of the certificates is .crt
2) Open the certificates to Notepad++ or similar
3) Copy the certificates into /usr/local/share/ca-certificates/ . The update-ca-certificates command reads the certificates from that folder: http://manpages.ubuntu.com/manpages/trusty/man8/update-ca-certificates.8.html
4) After these steps building the dockerfile should result in NOT saying anymore 0 added, 0 removed; but 1 added, 0 removed; or similar, depending on how many certificates you added
5) solution may not be there yet. Certificates depend on a hierarchy of other certificates. I am in windows and by going to the Certificate Manager I can see that my certificate depends on 2 higher ones (this is shown in the Certification Path):
Thus, you need to be sure to put into /usr/local/share/ca-certificates/ ALL the certificates in the hierarchy.
6) Still, you might be thinking to pass the right certificates but maybe you are not. In my case IdentityServer was hosted on IIS, in the bindings I could see that IdentityServer was indeed expecting calls through https and by double-clicking on the binding I could see the certificate that IdentityServer requires for accepting the call.
Probably the problem is in update-ca-certificates
. The command only process files with the extension .crt
. From its man page:
Certificates must have a .crt extension in order to be included by update-ca-certificates.
So just add this extension when copying the certificate in the Dockerfile:
COPY Certificates/myCertificate.cer /usr/local/share/ca-certificates/myCertificate.crt
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With