Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Adding SSL certificates to Docker linux container

Tags:

Expected behavior Being able to make HTTPs calls from within the container

Actual behavior

System.InvalidOperationException: IDX10803: Unable to obtain configuration from: 'https://identity.test/.well-known/openid-configuration'. ---> System.IO.IOException: IDX10804: Unable to retrieve document from: 'https://identity.test/.we
ll-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: SSL connect error

Information I think the problem is that my container doesn't know at all about the certificates that need to be used for this http call. So what I tried to do is providing them to the container itself through the dockerfile that looks like this:

FROM microsoft/aspnetcore-build:2.0 AS build-env
WORKDIR /app

#Copy csproj and restore as distinct layers
COPY PublishOutput/. ./

FROM microsoft/aspnetcore:2.0
WORKDIR /app
COPY --from=build-env /app .

COPY Certificates/myCertificate.cer /usr/local/share/ca-certificates/myCertificate
RUN update-ca-certificates

ENTRYPOINT ["dotnet", "CaseApi.Web.dll"]

Inside the PublishOutput folder I just have all the dlls of my .net core api that I need to run inside the Docker container.

When I build the dockerfile it says:

Step 8/9 : RUN update-ca-certificates
 ---> Running in b025a42f2edc
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

which makes me think that the certificate I want to use isn't being really used. What am I doing wrong? Thanks in advance!

like image 273
Tarta Avatar asked Jul 13 '18 11:07

Tarta


People also ask

Where do I put SSL files in Linux?

The default location to install certificates is /etc/ssl/certs . This enables multiple services to use the same certificate without overly complicated file permissions. For applications that can be configured to use a CA certificate, you should also copy the /etc/ssl/certs/cacert.

Where are certificates stored in Docker container?

A custom certificate is configured by creating a directory under /etc/docker/certs.


2 Answers

Steps to follow:

1) Make sure the extension of the certificates is .crt

2) Open the certificates to Notepad++ or similar

3) Copy the certificates into /usr/local/share/ca-certificates/ . The update-ca-certificates command reads the certificates from that folder: http://manpages.ubuntu.com/manpages/trusty/man8/update-ca-certificates.8.html

4) After these steps building the dockerfile should result in NOT saying anymore 0 added, 0 removed; but 1 added, 0 removed; or similar, depending on how many certificates you added

5) solution may not be there yet. Certificates depend on a hierarchy of other certificates. I am in windows and by going to the Certificate Manager I can see that my certificate depends on 2 higher ones (this is shown in the Certification Path):

Certification Path

Thus, you need to be sure to put into /usr/local/share/ca-certificates/ ALL the certificates in the hierarchy.

6) Still, you might be thinking to pass the right certificates but maybe you are not. In my case IdentityServer was hosted on IIS, in the bindings I could see that IdentityServer was indeed expecting calls through https and by double-clicking on the binding I could see the certificate that IdentityServer requires for accepting the call.

like image 132
Tarta Avatar answered Sep 28 '22 18:09

Tarta


Probably the problem is in update-ca-certificates. The command only process files with the extension .crt. From its man page:

Certificates must have a .crt extension in order to be included by update-ca-certificates.

So just add this extension when copying the certificate in the Dockerfile:

COPY Certificates/myCertificate.cer /usr/local/share/ca-certificates/myCertificate.crt
like image 43
Ignacio Millán Avatar answered Sep 28 '22 18:09

Ignacio Millán