[英]Adding SSL certificates to Docker linux container
Expected behavior Being able to make HTTPs calls from within the container预期行为能够从容器内进行 HTTPs 调用
Actual behavior实际行为
System.InvalidOperationException: IDX10803: Unable to obtain configuration from: 'https://identity.test/.well-known/openid-configuration'. ---> System.IO.IOException: IDX10804: Unable to retrieve document from: 'https://identity.test/.we
ll-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: SSL connect error
Information I think the problem is that my container doesn't know at all about the certificates that need to be used for this http call.信息我认为问题是我的容器根本不知道这个 http 调用需要使用的证书。 So what I tried to do is providing them to the container itself through the dockerfile that looks like this:
所以我试图做的是通过 dockerfile 将它们提供给容器本身,如下所示:
FROM microsoft/aspnetcore-build:2.0 AS build-env
WORKDIR /app
#Copy csproj and restore as distinct layers
COPY PublishOutput/. ./
FROM microsoft/aspnetcore:2.0
WORKDIR /app
COPY --from=build-env /app .
COPY Certificates/myCertificate.cer /usr/local/share/ca-certificates/myCertificate
RUN update-ca-certificates
ENTRYPOINT ["dotnet", "CaseApi.Web.dll"]
Inside the PublishOutput folder I just have all the dlls of my .net core api that I need to run inside the Docker container.在PublishOutput文件夹中,我只有 .net 核心 api 的所有 dll,我需要在 Docker 容器中运行。
When I build the dockerfile it says:当我构建 dockerfile 时,它说:
Step 8/9 : RUN update-ca-certificates
---> Running in b025a42f2edc
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
which makes me think that the certificate I want to use isn't being really used.这让我觉得我想使用的证书并没有被真正使用。 What am I doing wrong?
我究竟做错了什么? Thanks in advance!
提前致谢!
Probably the problem is in update-ca-certificates
. 可能问题出在
update-ca-certificates
。 The command only process files with the extension .crt
. 该命令仅处理扩展名为
.crt
文件。 From its man page: 从其手册页:
Certificates must have a .crt extension in order to be included by update-ca-certificates.
证书必须具有.crt扩展名才能包含在update-ca-certificates中。
So just add this extension when copying the certificate in the Dockerfile: 因此,只需在Dockerfile中复制证书时添加此扩展名:
COPY Certificates/myCertificate.cer /usr/local/share/ca-certificates/myCertificate.crt
Steps to follow: 要遵循的步骤:
1) Make sure the extension of the certificates is .crt 1)确保证书的扩展名为.crt
2) Open the certificates to Notepad++ or similar 2)打开证书到Notepad ++或类似
3) Copy the certificates into /usr/local/share/ca-certificates/ . 3)将证书复制到/ usr / local / share / ca-certificates /。 The update-ca-certificates command reads the certificates from that folder: http://manpages.ubuntu.com/manpages/trusty/man8/update-ca-certificates.8.html
update-ca-certificates命令从该文件夹中读取证书: http : //manpages.ubuntu.com/manpages/trusty/man8/update-ca-certificates.8.html
4) After these steps building the dockerfile should result in NOT saying anymore 0 added, 0 removed; 4)在这些步骤之后构建dockerfile应该导致不再说0添加,0删除; but 1 added, 0 removed;
但添加了1,删除了0; or similar, depending on how many certificates you added
或类似的,取决于您添加的证书数量
5) solution may not be there yet. 5)解决方案可能还没有。 Certificates depend on a hierarchy of other certificates.
证书取决于其他证书的层次结构。 I am in windows and by going to the Certificate Manager I can see that my certificate depends on 2 higher ones (this is shown in the Certification Path):
我在Windows中,通过转到证书管理器,我可以看到我的证书取决于2个更高的证书(这在证书路径中显示):
Thus, you need to be sure to put into /usr/local/share/ca-certificates/ ALL the certificates in the hierarchy. 因此,您需要确保将/ usr / local / share / ca-certificates /所有证书放入层次结构中。
6) Still, you might be thinking to pass the right certificates but maybe you are not. 6)尽管如此,你可能会考虑通过正确的证书,但也许你不是。 In my case IdentityServer was hosted on IIS, in the bindings I could see that IdentityServer was indeed expecting calls through https and by double-clicking on the binding I could see the certificate that IdentityServer requires for accepting the call.
在我的情况下,IdentityServer托管在IIS上,在绑定中我可以看到IdentityServer确实期望通过https进行调用,双击绑定我可以看到IdentityServer接受调用所需的证书。
If you created your certificate correctly, it should automatically have the *.crt extension.如果您正确创建了证书,它应该自动具有 *.crt 扩展名。 Revisit how you created your certificate.
重新审视您是如何创建证书的。 Be sure that the certificate domain info is the same as your actual domain name.
请确保证书域信息与您的实际域名相同。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.