
What is the correct way for multiple Windows containers running a .net core application to trust each other's HTTPS certificates?

I have the following setup:

  • Container A is running a REST service which is required by Container B
  • Container B calls the REST service with an HttpClient
  • Container B does something with the result

The problem is that when B calls A, I get a "The remote certificate is invalid according to the validation procedure." exception. This is the demo code I use:

using System;
using System.Net.Http;

// Container B calling the REST service in Container A over HTTPS
var dummy = new HttpClient
{
    BaseAddress = new Uri("https://container-a")
};
var res = await dummy.GetAsync("/api/test-endpoint");

I have no idea and did not find any useful information on how to set up the containers to trust each other. The only solution I found is to override the HTTPS trust check, and this is, in my opinion, unacceptable.

Alex
  • You need to add the remote certificate you want to trust to the Local Machine Trusted Root CA store, as far as I understand – Gregory Suvalian Aug 26 '18 at 16:21
  • How can I do this in the docker container? – Alex Aug 26 '18 at 16:28
  • This should be part of your Dockerfile. Use the PowerShell `Import-Certificate` cmdlet https://learn.microsoft.com/en-us/powershell/module/pkiclient/import-certificate?view=win10-ps – Gregory Suvalian Aug 26 '18 at 16:32
  • Sorry if this is a stupid question, but I'm quite new to certificates and Docker. How would you apply `Import-Certificate` with the default certificates (from the .NET Core template) to the Docker containers? – Alex Aug 26 '18 at 19:58
  • I assume for your environment you are going to use real certificates, so you procure your certs and then use them by importing them into the certificate store of the local machine. Try it first in the Windows Server Core OS and then use the same steps in the final `DOCKERFILE` – Gregory Suvalian Aug 26 '18 at 21:54
  • I want to use `Let's Encrypt` certificates for production (I use them for my standalone/not containerized applications already). Will all containers share the same certificate, or do I need one certificate for each container? I'm not sure about the correct setup for multiple containers, and all the tutorials I found only use one single container. Also, I try to use a gateway API (Ocelot) and service discovery (Consul). The services won't be directly publicly accessible. I think this might be a problem for the certificate validation, am I right? – Alex Aug 26 '18 at 22:10
  • If you get real certificates and do not use a self-signed certificate, then you will not run into this issue at all, since the root CA of Let's Encrypt is already in the trusted CA store in Windows containers. No additional setup would be needed. It is only needed if you plan to use self-signed certificates or a third-party CA – Gregory Suvalian Aug 27 '18 at 00:18
  • Baking certs into an image is, IMO, an anti-pattern. From the docs: "You can add certificates into container images with a COPY command in a Dockerfile. This approach is not recommended. It makes it harder to use the same image for testing with dev certificates and hosting with production certificates. There is also a significant risk of certificate disclosure if certificates are made part of container images." - https://github.com/dotnet/dotnet-docker/blob/master/samples/aspnetapp/aspnetcore-docker-https-development.md#certificates – Josh E Feb 14 '19 at 20:51
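
The comments above describe the procedure in two halves: import the CA that issued Container A's certificate into the Local Machine Trusted Root store of Container B (so .NET Core on Windows, which defers to SChannel and the Windows store, accepts the chain), and do that at container start from a mounted file rather than COPYing the certificate into the image. The following PowerShell entrypoint script is an added example that is not from the question or any commenter. It assumes the CA file path arrives in an environment variable named `TRUSTED_CA_PATH`, that the application is `C:\app\ContainerB.dll`, and that the image is Windows Server Core-based (the PKI module that provides `Import-Certificate` is not present in nanoserver images). It checks that the file is really a CA certificate before placing it in the Root store, because importing Container A's leaf certificate as a "root" would also make the error go away while silently granting that key the power to vouch for any hostname.

```powershell
# entrypoint.ps1 (added example; the env var, paths and dll name are assumptions)
param(
    # CA certificate (DER or base64 .cer) mounted into the container at run time, e.g.
    #   docker run -v C:\certs:C:\certs:ro -e TRUSTED_CA_PATH=C:\certs\internal-ca.cer container-b
    [string]$CaPath = $env:TRUSTED_CA_PATH
)

$ErrorActionPreference = 'Stop'

function Test-IsCaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Only a certificate whose Basic Constraints extension says CA=TRUE belongs in Root.
    $bc = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    return ($null -ne $bc -and $bc.CertificateAuthority)
}

function Import-TrustedCa {
    param([string]$Path)

    if (-not (Test-Path -Path $Path)) {
        throw "CA certificate not found at $Path"
    }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    if (-not (Test-IsCaCertificate -Cert $cert)) {
        # A leaf certificate in the Root store would be trusted for any name it signs; refuse it.
        throw "Refusing to import $($cert.Subject): not a CA certificate (Basic Constraints CA=FALSE)"
    }

    # Idempotent across restarts: the Certificate provider exposes the store by thumbprint.
    if (Test-Path -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)") {
        Write-Host "CA $($cert.Subject) already trusted ($($cert.Thumbprint))"
        return
    }

    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Imported CA $($cert.Subject) ($($cert.Thumbprint)) into LocalMachine\Root"
}

if ($CaPath) {
    Import-TrustedCa -Path $CaPath
} else {
    Write-Host "TRUSTED_CA_PATH not set; relying on the CAs already in the image"
}

# Hand off to the application (assumed dll name).
dotnet C:\app\ContainerB.dll
```

In the Dockerfile only the script is copied (`COPY entrypoint.ps1 C:\app\` and `ENTRYPOINT ["powershell", "-File", "C:\\app\\entrypoint.ps1"]`); the CA file itself stays out of the image and is bind-mounted or injected as a secret per environment, which is what the quoted dotnet-docker guidance is asking for. Two further checks that catch most remaining "invalid according to the validation procedure" failures after the CA is trusted: the host name in Container B's `BaseAddress` (`container-a` in the question) must appear as a DNS subject alternative name in Container A's certificate, and Container A must send its full chain (leaf plus any intermediate), since the import above only supplies the root.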

0 Answers