如何允许从本地主机和容器到ASP.NET Core Web API应用程序的HTTPS连接?

问题描述 投票:1回答:1

我正在尝试将Docker用于现有应用程序,并且遇到以下问题。当API尝试从容器中获取Identity Server元数据时,它将失败,并显示以下内容:

web_api          | System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://host.docker.internal:5500/.well-known/openid-configuration'.
web_api          |  ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://host.docker.internal:5500/.well-known/openid-configuration'.
web_api          |  ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
web_api          |  ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. 

主机浏览器确实确认了这一点(Chrome中的认证错误)。

如果我使用本地主机而不是host.docker.internal访问相同的元数据,则它将按预期工作。

我已使用here中的说明来创建并信任身份服务器也使用的本地证书:

dotnet dev-certs https -ep %USERPROFILE%\.aspnet\https\aspnetapp.pfx -p { password here }
dotnet dev-certs https --trust

我假定这些说明仅为本地主机创建证书,但是我试图获得一种适用于host.docker.internal的解决方案。

问题:如何允许从本地主机和容器到ASP.NET Core Web API应用程序的HTTPS连接?

docker asp.net-core https ssl-certificate
1个回答
0
投票

我认为您是对的-dotnet dev-certs仅为localhost生成证书。据我所知是不可配置的。因此,看来您将必须生成自己的自签名证书并信任它。一种方法是使用Powershell's New-SelfSignedCertificate

#create a SAN cert for both host.docker.internal and localhost
$cert = New-SelfSignedCertificate -DnsName "host.docker.internal", "localhost" -CertStoreLocation cert:\localmachine\my

#export it for docker container to pick up later
$password = ConvertTo-SecureString -String "123123" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\https\aspnetapp.pfx -Password $password

# trust it on your host machine
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "TrustedPublisher","LocalMachine"
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

假设您使用Microsoft提供的用于应用程序的基本映像,以提示Kestrel选择新证书,您可能必须像这样run docker

docker pull your_docker_image
docker run --rm -it -p 8000:80 -p 8001:443 -e ASPNETCORE_URLS="https://+;http://+" -e ASPNETCORE_HTTPS_PORT=8001 -e ASPNETCORE_Kestrel__Certificates__Default__Password="123123" -e ASPNETCORE_Kestrel__Certificates__Default__Path=\https\aspnetapp.pfx -v %USERPROFILE%\.aspnet\https:C:\https\ your_docker_image

docker run <your image> --rm -it -p 8000:80 -p 8001:443 -e ASPNETCORE_URLS="https://+;http://+" -e ASPNETCORE_HTTPS_PORT=8001 -e ASPNETCORE_Kestrel__Certificates__Default__Password="123123" -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx

注意,我将证书导出到C:\https,然后将其安装到容器上。

您可能必须尝试使用​​路径和域名,但希望可以为您提供一个起点。

© www.soinside.com 2019 - 2024. All rights reserved.