locked
Client certificate fails in the validation procedure on linux and docker container RRS feed

  • Question

  • User-853338311 posted

    With the instructions from below document and code snippet like this, it doesn't work when I tried to debug with docker in visual studio or debug on linux with vscode.  The site is up and I can see the log from console the app server is listening on port but when I try to access the site with `https://localhost:32834/weatherforecast/` in browser of host machine, the request is terminated as `ERR_CONNECTION_CLOSED` on TLS negotiation level and it doesn't enter into aspnet core http pipeline.  

    Same code works when I run with IISExpress or dotnet exe. 

    public static void Main(string[] args)
            {
                CreateHostBuilder(args).Build().Run();
            }
    
            public static IHostBuilder CreateHostBuilder(string[] args) =>
                Host.CreateDefaultBuilder(args)
                    .ConfigureWebHostDefaults(webBuilder =>
                    {
                        webBuilder.CaptureStartupErrors(true);
                        webBuilder.UseStartup<Startup>();
                        webBuilder.ConfigureKestrel(o =>
                        {
                            o.ConfigureHttpsDefaults(o =>
                                {
                                    o.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
                                    o.ServerCertificate = new X509Certificate2("xxx.pfx", string.Empty);
                                });
                        });
                        webBuilder.UseUrls("https://+:5003");
                    });

    https://docs.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-3.1#configure-your-server-to-require-certificates

    The error in the console:

    Exception thrown: 'System.Security.Authentication.AuthenticationException' in System.Private.CoreLib.dll: 'The remote certificate is invalid according to the validation procedure.'
    Stack trace:
     >   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() in /_/src/System.Private.CoreLib/shared/System/Runtime/ExceptionServices/ExceptionDispatchInfo.cs:line 63

    Any idea why there's different behavior between linux and windows. How can I make it work on linux container?

    Wednesday, August 5, 2020 11:49 PM

All replies

  • User-474980206 posted

    You need to install the certificates in the docker image, so they are available. See this thread

      https://github.com/moby/moby/issues/21189

    Thursday, August 6, 2020 2:25 PM
  • User-853338311 posted

    Thanks Bruce, which certificate do you refer to install in the docker image? Server certificate or client certificate? Client certificate will be loaded in the client side(already installed on host machine). I have the server certificate called xxx.pfx existed in the image and load it in the code.  

    Thursday, August 6, 2020 3:11 PM