Permission denied error for a pfx certificate with ASP.NET Core 8 HTTPS in Docker on Ubuntu

Question    Votes: 0    Answers: 1

I am trying to host an HTTPS Web API in Docker on an Ubuntu 22.04 VM. I followed this documentation: https://learn.microsoft.com/en-us/aspnet/core/security/docker-https?view=aspnetcore-8.0

Here is my docker-compose.yml

version: '3.6'
services:
    docker-demo:
        image: webapi-docker-demo-https-jammy:v3
        ports:
            - 8081:8080
            - 8082:8081
        environment:
             - Logging__LogLevel__Default=Debug
             - Logging__Loglevel__Microsoft.AspNetCore=Debug
#             - ASPNETCORE_ENVIRONMENT=Development
             - ASPNETCORE_URLS=https://+:8081;http://+:8080
             - ASPNETCORE_HTTP_PORTS=8080
             - ASPNETCORE_HTTPS_PORTS=8081
#             - ASPNETCORE_URLS=https://+:443;http://+:80
             - ASPNETCORE_Kestrel__Certificates__Default__Password= password
             - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/webapi-docker-demo.pfx
        volumes:
             - /home/.aspnet/https/webapi-docker-demo.pfx:/https/webapi-docker-demo.pfx:ro

         

On my host Ubuntu VM, I have the pfx certificate in this folder:

/home/.aspnet/https/webapi-docker-demo.pfx

My Dockerfile is

 #See https://aka.ms/customizecontainer to learn how to customize your debug container and how Visual Studio uses this Dockerfile to build your images for faster debugging.

FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy AS base
USER app
WORKDIR /app
EXPOSE 8080
EXPOSE 8081

FROM mcr.microsoft.com/dotnet/sdk:8.0-jammy AS build
ARG BUILD_CONFIGURATION=Release
WORKDIR /src
COPY ["webapi-docker-demo/webapi-docker-demo.csproj", "webapi-docker-demo/"]
RUN dotnet restore "./webapi-docker-demo/webapi-docker-demo.csproj"
COPY . .
WORKDIR "/src/webapi-docker-demo"
RUN dotnet build "./webapi-docker-demo.csproj" -c $BUILD_CONFIGURATION -o /app/build

FROM build AS publish
ARG BUILD_CONFIGURATION=Release
RUN dotnet publish "./webapi-docker-demo.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .

#ENV ASPNETCORE_URLS="https://+;http://+"
#ENV ASPNETCORE_HTTPS_PORT=8081
#ENV ASPNETCORE_Kestrel__Certificates__Default__Password="password"
#ENV ASPNETCORE_Kestrel__Certificates__Default__Path="https://webapi-docker-demo.pfx"


USER $APP_UID
ENTRYPOINT ["dotnet", "webapi-docker-demo.dll"]

When I run the docker compose file, I see the following error

dbug: Microsoft.Extensions.Hosting.Internal.Host[1]
docker-demo-1  |       Hosting starting
docker-demo-1  | warn: Microsoft.AspNetCore.Hosting.Diagnostics[15]
docker-demo-1  |       Overriding HTTP_PORTS '8080' and HTTPS_PORTS '8081'. Binding to values defined by URLS instead 'https://+:8081;http://+:8080'.
docker-demo-1  | fail: Microsoft.Extensions.Hosting.Internal.Host[11]
docker-demo-1  |       Hosting failed to start
docker-demo-1  |       System.UnauthorizedAccessException: Access to the path '/https/webapi-docker-demo.pfx' is denied.
docker-demo-1  |        ---> System.IO.IOException: Permission denied
docker-demo-1  |          --- End of inner exception stack trace ---

Full error text:

ubuntu@ubuntu2204-vm:~$ sudo docker compose -f webapi-docker-demo/docker-compose-https.yaml up
WARN[0000] /home/ubuntu/webapi-docker-demo/docker-compose-https.yaml: `version` is obsolete 
[+] Running 1/1
 ✔ Container webapi-docker-demo-docker-demo-1  Recreated                                                                                                                                               0.2s 
Attaching to docker-demo-1
docker-demo-1  | dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ModelBinderFactory[12]
docker-demo-1  |       Registered model binder providers, in the following order: Microsoft.AspNetCore.Mvc.ModelBinding.Binders.BinderTypeModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.ServicesModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.BodyModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.HeaderModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.FloatingPointTypeModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.EnumTypeModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.DateTimeModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.SimpleTypeModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.TryParseModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.CancellationTokenModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.ByteArrayModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.FormFileModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.FormCollectionModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.KeyValuePairModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.DictionaryModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.ArrayModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.CollectionModelBinderProvider, Microsoft.AspNetCore.Mvc.ModelBinding.Binders.ComplexObjectModelBinderProvider
docker-demo-1  | dbug: Microsoft.Extensions.Hosting.Internal.Host[1]
docker-demo-1  |       Hosting starting
docker-demo-1  | warn: Microsoft.AspNetCore.Hosting.Diagnostics[15]
docker-demo-1  |       Overriding HTTP_PORTS '8080' and HTTPS_PORTS '8081'. Binding to values defined by URLS instead 'https://+:8081;http://+:8080'.
docker-demo-1  | fail: Microsoft.Extensions.Hosting.Internal.Host[11]
docker-demo-1  |       Hosting failed to start
docker-demo-1  |       System.UnauthorizedAccessException: Access to the path '/https/webapi-docker-demo.pfx' is denied.
docker-demo-1  |        ---> System.IO.IOException: Permission denied
docker-demo-1  |          --- End of inner exception stack trace ---
docker-demo-1  |          at Microsoft.Win32.SafeHandles.SafeFileHandle.Init(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Int64& fileLength, UnixFileMode& filePermissions)
docker-demo-1  |          at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, UnixFileMode openPermissions, Int64& fileLength, UnixFileMode& filePermissions, Boolean failForSymlink, Boolean& wasSymlink, Func`4 createOpenException)
docker-demo-1  |          at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
docker-demo-1  |          at System.IO.StreamReader.ValidateArgsAndOpenPath(String path, Encoding encoding, Int32 bufferSize)
docker-demo-1  |          at System.IO.File.ReadAllText(String path, Encoding encoding)
docker-demo-1  |          at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.ImportFromPemFile(String certPemFilePath)
docker-demo-1  |          at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadCertificate(CertificateConfig certInfo, String endpointName)
docker-demo-1  |          at Microsoft.AspNetCore.Server.Kestrel.Core.TlsConfigurationLoader.LoadDefaultCertificate(ConfigurationReader configurationReader)
docker-demo-1  |          at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()
docker-demo-1  |          at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.LoadInternal()
docker-demo-1  |          at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
docker-demo-1  |          at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
docker-demo-1  |          at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
docker-demo-1  |          at Microsoft.Extensions.Hosting.Internal.Host.<StartAsync>b__15_1(IHostedService service, CancellationToken token)
docker-demo-1  |          at Microsoft.Extensions.Hosting.Internal.Host.ForeachService[T](IEnumerable`1 services, CancellationToken token, Boolean concurrent, Boolean abortOnFirstException, List`1 exceptions, Func`3 operation)
docker-demo-1  | Unhandled exception. System.UnauthorizedAccessException: Access to the path '/https/webapi-docker-demo.pfx' is denied.
docker-demo-1  |  ---> System.IO.IOException: Permission denied
docker-demo-1  |    --- End of inner exception stack trace ---
docker-demo-1  |    at Microsoft.Win32.SafeHandles.SafeFileHandle.Init(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Int64& fileLength, UnixFileMode& filePermissions)
docker-demo-1  |    at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, UnixFileMode openPermissions, Int64& fileLength, UnixFileMode& filePermissions, Boolean failForSymlink, Boolean& wasSymlink, Func`4 createOpenException)
docker-demo-1  |    at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
docker-demo-1  |    at System.IO.StreamReader.ValidateArgsAndOpenPath(String path, Encoding encoding, Int32 bufferSize)
docker-demo-1  |    at System.IO.File.ReadAllText(String path, Encoding encoding)
docker-demo-1  |    at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.ImportFromPemFile(String certPemFilePath)
docker-demo-1  |    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadCertificate(CertificateConfig certInfo, String endpointName)
docker-demo-1  |    at Microsoft.AspNetCore.Server.Kestrel.Core.TlsConfigurationLoader.LoadDefaultCertificate(ConfigurationReader configurationReader)
docker-demo-1  |    at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()
docker-demo-1  |    at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.LoadInternal()
docker-demo-1  |    at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
docker-demo-1  |    at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
docker-demo-1  |    at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
docker-demo-1  |    at Microsoft.Extensions.Hosting.Internal.Host.<StartAsync>b__15_1(IHostedService service, CancellationToken token)
docker-demo-1  |    at Microsoft.Extensions.Hosting.Internal.Host.ForeachService[T](IEnumerable`1 services, CancellationToken token, Boolean concurrent, Boolean abortOnFirstException, List`1 exceptions, Func`3 operation)
docker-demo-1  |    at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
docker-demo-1  |    at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
docker-demo-1  |    at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
docker-demo-1  |    at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.Run(IHost host)
docker-demo-1  |    at webapi_docker_demo.Program.Main(String[] args) in /src/webapi-docker-demo/Program.cs:line 33

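I tried granting others read permission on my certificate folder, but I still get the error.

file permissions - readonly

Can someone tell me what I am doing wrong here or point me in the right direction? Thanks

docker https asp.net-core-webapi ubuntu-22.04
1 Answer
0
votes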

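If you are running into permission problems with the .pfx file, consider overriding the Docker container's default entrypoint with a shell for troubleshooting. You can adjust docker-compose.yml, or use docker-compose run with an interactive bash session, to inspect and verify the file permissions. Once inside the container, try reading the .pfx file with a standard command (such as cat) to make sure it is accessible and intact. This direct check can provide insight that helps resolve the access-denied error you are seeing.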
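The check described in the answer above, as an added example that is not part of the original thread: `readable_by` evaluates a file's owner/group/other mode bits for a numeric UID/GID on the host, and `inspect_in_container` runs the same read test inside the container as the image's own user. Both function names are made up for this example; it assumes GNU `stat` and that `USER $APP_UID` resolves to UID 1654, the value the .NET 8 images define (confirm with `id` in the container).

```shell
#!/bin/sh
# Added example, not code from the original post. Needs GNU stat (as on Ubuntu).

# readable_by UID GID FILE
# Applies the owner/group/other rule used for a non-root process: only the
# FIRST matching class counts. Supplementary groups and ACLs are ignored.
# Prints "<class>:readable" (exit 0) or "<class>:denied" (exit 1).
readable_by() {
    uid=$1; gid=$2; file=$3
    meta=$(stat -c '%u %g %a' "$file") || return 2
    set -- $meta                  # $1=owner uid  $2=owner gid  $3=octal mode
    m=$((0$3))                    # reinterpret the mode string as octal
    if [ "$uid" -eq "$1" ]; then class=owner; bit=$((m & 0400))
    elif [ "$gid" -eq "$2" ]; then class=group; bit=$((m & 0040))
    else class=other; bit=$((m & 0004))
    fi
    if [ "$bit" -ne 0 ]; then echo "$class:readable"; return 0; fi
    echo "$class:denied"; return 1
}

# inspect_in_container [compose options, e.g. -f FILE]
# Replaces the entrypoint with sh and reads one byte of the mounted file as the
# container user. Service name and path are the ones in the question's compose
# file. head is used instead of cat so the binary .pfx is not dumped to the terminal.
inspect_in_container() {
    docker compose "$@" run --rm --entrypoint sh docker-demo -c '
        id
        ls -ln /https/webapi-docker-demo.pfx
        head -c 1 /https/webapi-docker-demo.pfx >/dev/null && echo readable'
}

# Host-side use: sh check.sh 1654 1654 /home/.aspnet/https/webapi-docker-demo.pfx
if [ $# -eq 3 ]; then readable_by "$@"; fi
```

A bind mount keeps the host file's numeric owner and mode, so an `other:denied` result for the file itself on the host predicts the `Permission denied` the container user gets, whatever the permissions on the parent folder.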
