简体   繁体   English

添加 SSL 证书到 Docker linux 容器

[英]Adding SSL certificates to Docker linux container

Expected behavior Being able to make HTTPs calls from within the container预期行为能够从容器内进行 HTTPs 调用

Actual behavior实际行为

System.InvalidOperationException: IDX10803: Unable to obtain configuration from: 'https://identity.test/.well-known/openid-configuration'. ---> System.IO.IOException: IDX10804: Unable to retrieve document from: 'https://identity.test/.we
ll-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: SSL connect error

Information I think the problem is that my container doesn't know at all about the certificates that need to be used for this http call.信息我认为问题是我的容器根本不知道这个 http 调用需要使用的证书。 So what I tried to do is providing them to the container itself through the dockerfile that looks like this:所以我试图做的是通过 dockerfile 将它们提供给容器本身,如下所示:

FROM microsoft/aspnetcore-build:2.0 AS build-env
WORKDIR /app

#Copy csproj and restore as distinct layers
COPY PublishOutput/. ./

FROM microsoft/aspnetcore:2.0
WORKDIR /app
COPY --from=build-env /app .

COPY Certificates/myCertificate.cer /usr/local/share/ca-certificates/myCertificate
RUN update-ca-certificates

ENTRYPOINT ["dotnet", "CaseApi.Web.dll"]

Inside the PublishOutput folder I just have all the dlls of my .net core api that I need to run inside the Docker container.PublishOutput文件夹中,我只有 .net 核心 api 的所有 dll,我需要在 Docker 容器中运行。

When I build the dockerfile it says:当我构建 dockerfile 时,它说:

Step 8/9 : RUN update-ca-certificates
 ---> Running in b025a42f2edc
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

which makes me think that the certificate I want to use isn't being really used.这让我觉得我想使用的证书并没有被真正使用。 What am I doing wrong?我究竟做错了什么? Thanks in advance!提前致谢!

Probably the problem is in update-ca-certificates . 可能问题出在update-ca-certificates The command only process files with the extension .crt . 该命令仅处理扩展名为.crt文件。 From its man page: 从其手册页:

Certificates must have a .crt extension in order to be included by update-ca-certificates. 证书必须具有.crt扩展名才能包含在update-ca-certificates中。

So just add this extension when copying the certificate in the Dockerfile: 因此,只需在Dockerfile中复制证书时添加此扩展名:

COPY Certificates/myCertificate.cer /usr/local/share/ca-certificates/myCertificate.crt

Steps to follow: 要遵循的步骤:

1) Make sure the extension of the certificates is .crt 1)确保证书的扩展名为.crt

2) Open the certificates to Notepad++ or similar 2)打开证书到Notepad ++或类似

3) Copy the certificates into /usr/local/share/ca-certificates/ . 3)将证书复制到/ usr / local / share / ca-certificates /。 The update-ca-certificates command reads the certificates from that folder: http://manpages.ubuntu.com/manpages/trusty/man8/update-ca-certificates.8.html update-ca-certificates命令从该文件夹中读取证书: http//manpages.ubuntu.com/manpages/trusty/man8/update-ca-certificates.8.html

4) After these steps building the dockerfile should result in NOT saying anymore 0 added, 0 removed; 4)在这些步骤之后构建dockerfile应该导致不再说0添加,0删除; but 1 added, 0 removed; 添加了1,删除了0; or similar, depending on how many certificates you added 或类似的,取决于您添加的证书数量

5) solution may not be there yet. 5)解决方案可能还没有。 Certificates depend on a hierarchy of other certificates. 证书取决于其他证书的层次结构。 I am in windows and by going to the Certificate Manager I can see that my certificate depends on 2 higher ones (this is shown in the Certification Path): 我在Windows中,通过转到证书管理器,我可以看到我的证书取决于2个更高的证书(这在证书路径中显示):

认证路径

Thus, you need to be sure to put into /usr/local/share/ca-certificates/ ALL the certificates in the hierarchy. 因此,您需要确保将/ usr / local / share / ca-certificates /所有证书放入层次结构中。

6) Still, you might be thinking to pass the right certificates but maybe you are not. 6)尽管如此,你可能会考虑通过正确的证书,但也许你不是。 In my case IdentityServer was hosted on IIS, in the bindings I could see that IdentityServer was indeed expecting calls through https and by double-clicking on the binding I could see the certificate that IdentityServer requires for accepting the call. 在我的情况下,IdentityServer托管在IIS上,在绑定中我可以看到IdentityServer确实期望通过https进行调用,双击绑定我可以看到IdentityServer接受调用所需的证书。

If you created your certificate correctly, it should automatically have the *.crt extension.如果您正确创建了证书,它应该自动具有 *.crt 扩展名。 Revisit how you created your certificate.重新审视您是如何创建证书的。 Be sure that the certificate domain info is the same as your actual domain name.请确保证书域信息与您的实际域名相同。

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM