How do I add a CA root certificate inside a docker image?

I am running an ASP.NET Core 1.1 Web API in a Docker 1.13.1 container on Ubuntu 14.04.

When the code attempts to retrieve some data from an HTTPS server, I get this certificate authentication error:

 An error occurred while sending the request. ---> System.Net.Http.CurlException: Peer certificate cannot be authenticated with given CA certificates
   at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)
   at System.Net.Http.CurlHandler.MultiAgent.FinishRequest(StrongToWeakReference`1 easyWrapper, CURLcode messageResult)

The HTTPS server is internal with a certificate signed by our corporate CA, so I am aware that I may need to register the internal CA.

Everything I've found so far about this error and Docker talks about getting Docker itself running, connecting to repos etc. My Docker is working fine, and the Web API runs on the Ubuntu server outside of the container without a problem.

1) Do I need to add a CA root certificate inside a docker image?

2) If so, how do I do it?

3) If not, how do I fix this?

Peter asked Feb 17 '17 08:02



4 Answers

The task itself is not specific to docker as you would need to add that CA on a normal system too. There is an answer on the askubuntu community on how to do this.

So in a Dockerfile you would do the following (don't forget chmod in case you're running the container with a user other than root):

ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates

cebe answered Oct 21 '22 18:10


To simplify/standardise all container builds, we now host our certificates on a central HTTPS server and build them into our containers like this:

# Debian stretch based container
RUN curl -ks 'https://cert.host.server/ssl_certs/EnterpriseRootCA.crt' -o '/usr/local/share/ca-certificates/EnterpriseRootCA.crt'
RUN /usr/sbin/update-ca-certificates

Alpine-based containers don't have the tools immediately available so require a bit more work to achieve the same:

# Alpine based containers
RUN apk update && apk add curl
WORKDIR /usr/local/share/ca-certificates
RUN curl -ks 'https://cert.host.server/ssl_certs/EnterpriseRootCA.crt' -o '/usr/local/share/ca-certificates/EnterpriseRootCA.crt'
RUN /usr/sbin/update-ca-certificates

If you also want to update your Java truststore (same as on any computer):

RUN keytool -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias EnterpriseRootCA -file EnterpriseRootCA.crt

Peter answered Oct 21 '22 18:10
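The answer above fetches the root CA with curl -k, which skips certificate checking for that download; anything that can intercept the build's connection to cert.host.server could hand the build a different root, and every container built afterwards would trust it. The following Dockerfile is an added example (not code from the answer or from any project mentioned on this page) that keeps the same download step but refuses to install the certificate unless its SHA-256 fingerprint matches a value pinned at build time. The base image, the openssl/curl install step, the CA_URL default (taken from the answer) and the fingerprint placeholder are all assumptions; pass the real fingerprint, obtained out of band from whoever operates the CA, with --build-arg CA_SHA256=... (hex, with or without colons, either case).

```dockerfile
# Added example: download an enterprise root CA and install it only if its
# SHA-256 fingerprint matches a value pinned at build time.
# Base image, package list and URL are assumptions, not from the original answer.
FROM debian:bookworm-slim

# Expected fingerprint of the root CA, supplied with --build-arg CA_SHA256=...
# The default is a placeholder that can never match, so a build that forgets
# to pass the real value fails closed instead of trusting whatever was downloaded.
ARG CA_SHA256=REPLACE_WITH_EXPECTED_SHA256_FINGERPRINT
ARG CA_URL=https://cert.host.server/ssl_certs/EnterpriseRootCA.crt

RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates curl openssl \
    && rm -rf /var/lib/apt/lists/*

# -k is still needed when the certificate host is itself signed by this CA
# (bootstrap problem); the fingerprint comparison is what makes that acceptable.
# -f makes curl fail on HTTP errors, -s keeps the log quiet.
# The chain stops at the first failing command, so a mismatch aborts the build
# before the file reaches the trust store.
RUN curl -ksf "$CA_URL" -o /tmp/EnterpriseRootCA.crt \
    && actual="$(openssl x509 -in /tmp/EnterpriseRootCA.crt -noout -fingerprint -sha256 \
                 | sed 's/^.*=//' | tr -d ':' | tr a-z A-Z)" \
    && expected="$(printf '%s' "$CA_SHA256" | tr -d ':' | tr a-z A-Z)" \
    && echo "downloaded CA fingerprint: $actual" \
    && [ "$actual" = "$expected" ] \
    && mv /tmp/EnterpriseRootCA.crt /usr/local/share/ca-certificates/EnterpriseRootCA.crt \
    && chmod 644 /usr/local/share/ca-certificates/EnterpriseRootCA.crt \
    && update-ca-certificates \
    && test -L /etc/ssl/certs/EnterpriseRootCA.pem
```

The final test -L line checks that update-ca-certificates actually registered the file: it creates a symlink /etc/ssl/certs/<name>.pem for each .crt it accepts, so a missing link (for example because the file was DER rather than PEM) fails the build rather than surfacing later as the CurlException from the question. The Java keytool step from the answer is independent of this and can follow the RUN as written there.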


It's also worth noting that this definitely needs to use the .crt extension. I initially tried this with a .pem cert file (I thought they were interchangeable, so others might also), which is not linked by update-ca-certificates.

damiankloip answered Oct 21 '22 17:10
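Putting cebe's two-line recipe and the .crt-extension point from the answer above together, here is a complete Dockerfile for the asker's scenario: an ASP.NET Core API image that ships a corporate root CA next to the Dockerfile, installs it, checks at build time that it really landed in the trust store, and then drops to a non-root user. This is an added example, not code from either answer or from the .NET project; the base image tag, the file names corp-root-ca.pem / MyWebApi.dll, the publish directory and the user name are assumptions.

```dockerfile
# Added example: install a locally shipped corporate root CA into the system
# trust store of an ASP.NET Core runtime image. Image tag, file and user names
# are assumptions, not from the original answers.
FROM mcr.microsoft.com/dotnet/aspnet:6.0

# The source may be a PEM file with any extension, but the destination name
# MUST end in .crt: update-ca-certificates only picks up *.crt files from
# /usr/local/share/ca-certificates, which is why a copied .pem is silently ignored.
COPY corp-root-ca.pem /usr/local/share/ca-certificates/corp-root-ca.crt

# chmod 644 so an unprivileged runtime user can read the file.
# update-ca-certificates rebuilds /etc/ssl/certs/ca-certificates.crt (the bundle
# libcurl, and therefore .NET's CurlHandler, consults) and adds the symlink
# /etc/ssl/certs/corp-root-ca.pem -> the installed .crt.
# The two checks afterwards fail the build if the file is not PEM or was not
# registered, instead of letting the image ship with a broken trust store.
RUN chmod 644 /usr/local/share/ca-certificates/corp-root-ca.crt \
    && grep -q "BEGIN CERTIFICATE" /usr/local/share/ca-certificates/corp-root-ca.crt \
    && update-ca-certificates \
    && test -L /etc/ssl/certs/corp-root-ca.pem

# Run the API as a non-root user; the bundle is world-readable so TLS validation
# keeps working without root.
RUN useradd --create-home --shell /usr/sbin/nologin app
USER app
WORKDIR /app
COPY --chown=app:app ./publish/ .
ENTRYPOINT ["dotnet", "MyWebApi.dll"]
```

Only the root (or the issuing intermediate, if that is what the internal server chains to) belongs in the trust store; installing the server's own leaf certificate this way works until it rotates and then breaks again. Keeping the CA install in its own layer before the application COPY also means rebuilding the app does not redo the trust-store step.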


Installing ca-certificates: locate the cert_file_name.crt file in the same directory as the Dockerfile.

# Install ca-certificates
# Please locate cert_file_name.crt file in the same directory as Dockerfile.
COPY cert_file_name.crt /usr/share/ca-certificates/
RUN echo cert_file_name.crt >> /etc/ca-certificates.conf
RUN update-ca-certificates

This will update certificates in the Dockerfile.

banoth ravinder answered Oct 21 '22 17:10