Tags: docker, ssl, dockerfile, asp.net-core-webapi, self-signed

Can't connect to remote endpoint using self-signed cert from Web Api core app on Docker


When I try to connect to a remote endpoint from my dockerized web api core app, I'm getting the following error: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

When running this same app outside of Docker, it works as expected. I believe the issue is that our organization uses self-signed certs. The complete chain is loaded on my local machine, but I can't get it installed on Docker so the web api app will recognize it.

After loading the certs in my Dockerfile (see details below), I am able to connect to the remote site with openssl and curl successfully from my Dockerfile:

RUN openssl s_client -connect REMOTE.ENDPOINT:443 -servername REMOTE.ENDPOINT -verify_hostname REMOTE.ENDPOINT
...snip...
Verification: OK
...snip...
RUN curl --verbose https://REMOTE.ENDPOINT
...snip...
SSL certificate verify ok.

Note that these openssl and curl calls are the last things in my Dockerfile so I expected everything would be setup for my app to see and use the certs as well.

Here's how I'm adding the self-signed certs to the Docker image in the Dockerfile:

ADD localEc.crt /usr/local/share/ca-certificates/localEc.crt
RUN chmod 644 /usr/local/share/ca-certificates/localEc.crt && update-ca-certificates

When the app runs, I've verified my cert is not in /etc/ssl/certs/ca-certificates.crt and my cert file is not in /etc/ssl/certs. Although I don't think it should be necessary, I have tried copying the certs to the image directly:

COPY --from=build /etc/ssl/certs/ /etc/ssl/certs/
COPY ["/etc/ssl/certs", "/etc/ssl/certs"]

What am I missing?

I do know that I can override the SSL validation process to allow this cert, but I'd rather fix the root issue (and avoid all the discussion that would be caused by the workaround <g>).


Solution

I finally figured it out. I didn't fully understand how the staged Docker build process works. It seems that when debugging, Visual Studio only uses the first stage of the Dockerfile and I was adding the certificates in the last stage. This article clarified the Docker build process.
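The fix the answer describes, written out as an added example (not the asker's Dockerfile): the CA is installed in the first stage, which is the one Visual Studio builds for debugging and the one the final stage derives from, and the build fails early if the certificate did not land in the bundle. The stage names follow the Visual Studio-generated layout, the image tags, project name and paths are assumed.

```dockerfile
# Stage built by Visual Studio when debugging (only this stage is used), and the
# parent of the final stage, so the trust-store change belongs here, not last.
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base
WORKDIR /app
EXPOSE 8080

# Add the organization's CA to the system trust store that .NET on Linux reads.
# Assumes localEc.crt (PEM, .crt extension) sits next to the Dockerfile.
COPY localEc.crt /usr/local/share/ca-certificates/localEc.crt
RUN chmod 644 /usr/local/share/ca-certificates/localEc.crt \
 && update-ca-certificates

# Build-time check: verify the CA against the regenerated bundle. A self-signed
# CA validates against a bundle that contains it; if it is missing, openssl
# exits non-zero and the image build stops here instead of failing at runtime.
RUN openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt \
        /usr/local/share/ca-certificates/localEc.crt

# SDK stage: project name and paths are placeholders.
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY ["WebApi/WebApi.csproj", "WebApi/"]
RUN dotnet restore "WebApi/WebApi.csproj"
COPY . .
WORKDIR /src/WebApi
RUN dotnet build "WebApi.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "WebApi.csproj" -c Release -o /app/publish /p:UseAppHost=false

# The runtime image derives from base, so it inherits the trust store; there is
# no need to COPY /etc/ssl/certs across stages.
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "WebApi.dll"]
```

If `dotnet restore` in the build stage also has to trust the same CA (for example behind a TLS-inspecting proxy), repeat the COPY and update-ca-certificates steps in that stage, since it does not derive from base.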