I need to install the certificate into the personal store of CurrentUser in an OpenShift 4 pod. When I run the code below, it throws the error shown further down.

using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

private static void InstallCertificate(string cerFileName, string friendlyName)
{
    // On Linux, CurrentUser/My is a directory under $HOME/.dotnet/corefx/cryptography/x509stores/
    // that .NET creates on the first Add(). The store object is disposable, so dispose it when done.
    using X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    try
    {
        X509Certificate2 certificate = new X509Certificate2(cerFileName, "<<CertificatePassword>>");

        // FriendlyName is only supported on Windows; setting it on other platforms throws.
        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && !string.IsNullOrEmpty(friendlyName))
        {
            certificate.FriendlyName = friendlyName;
        }

        // Open the store once, with write access (the original opened it ReadOnly first,
        // then again ReadWrite; the first open is redundant). Add() creates the directory.
        store.Open(OpenFlags.ReadWrite);
        store.Add(certificate);
    }
    catch (Exception ex)
    {
        // The failure is only logged here, so a caller cannot tell that the certificate was not installed.
        Console.WriteLine($"Error in adding cert: {ex.Message}");
    }
}

The code is in a .NET 6 console application. This certificate will be used for the SSL authentication required to connect to MQ from the OCP4 pod.

Error Message: The X509 certificate could not be added to the store. Error:

System.Security.Cryptography.CryptographicException: The X509 certificate could not be added to the store.
 ---> System.UnauthorizedAccessException: Access to the path '/.dotnet/corefx/cryptography/x509stores/my' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at System.IO.FileSystem.CreateDirectory(String fullPath)
   at System.IO.Directory.CreateDirectory(String path)
   at Internal.Cryptography.Pal.DirectoryBasedStoreProvider.AddCertToStore(ICertificatePal certPal)
   at Internal.Cryptography.Pal.DirectoryBasedStoreProvider.Add(ICertificatePal certPal)
   --- End of inner exception stack trace ---
   at Internal.Cryptography.Pal.DirectoryBasedStoreProvider.Add(ICertificatePal certPal)
   at System.Security.Cryptography.X509Certificates.X509Store.Add(X509Certificate2 certificate)
titan
  • What is `/.dotnet/corefx/cryptography/x509stores/my`? What's in there? Is this a valid path in your docker image, or some file mounted from the Pod/Deployment? – titou10 Oct 24 '22 at 19:51
  • @titou10: This is the path used by .NET Core to store the certificate in the personal store of the current user. It is not created by default in the docker image. As soon as you run the above-mentioned code snippet, the folder structure gets created with the certificate in it. – titan Oct 25 '22 at 20:04

1 Answer

I was able to resolve the issue using the below steps:

  1. Added a command to the Dockerfile to create only the .dotnet folder. (This created the folder .dotnet in the root directory.)

     RUN mkdir /.dotnet

  2. Added the command below to grant the root group permission on the .dotnet folder:

     RUN chgrp -R 0 /.dotnet && \
         chmod -R g=u /.dotnet

By default, a container started in OpenShift gets a random user ID. Therefore, images not designed to handle such a random UID will fail with permission errors. Adding the given command to the Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image. Because the container user is always a member of the root group, the container user can read and write these files. The root group does not have any special permissions (unlike the root user), so there are no security concerns with this arrangement.

  3. After adding the above two commands to the Dockerfile, the code ran without any issues.

I have collated all the steps that might help others!

titan
  • This is buried with other tips on building images in the OCP doc: https://docs.openshift.com/container-platform/4.11/openshift_images/create-images.html#images-create-guide-openshift_create-images – titou10 Oct 26 '22 at 02:05
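The store directory is derived from the home directory (on Linux, .NET keeps the CurrentUser stores under `$HOME/.dotnet/corefx/cryptography/x509stores/`), and the `/.dotnet/...` path in the error shows it resolving to `/` for the arbitrary UID, which is why the answer creates `/.dotnet` in the image. The shell helper below is an added example, not the answer's own code: it applies the root-group permission step from the answer to a directory and then verifies the result the way a CI step could, so an image that is not arbitrary-UID safe fails the build rather than the first `X509Store.Add()` in a pod. Beyond the answer's `chmod -R g=u`, it also strips the "other" bits, because the store will hold PFX files with private keys. The script path `/tmp/prepare.sh` and the directory argument are assumptions you can change.

```shell
#!/bin/sh
# Added example (not the Stack Overflow answer's code): prepare a directory so
# that an OpenShift pod running as an arbitrary UID (always a member of GID 0)
# can write to it, and verify that it was done. Usage in a Dockerfile, before
# switching to a non-root USER (paths are assumptions):
#   COPY prepare.sh /tmp/prepare.sh
#   RUN sh /tmp/prepare.sh /.dotnet
set -eu

# Make DIR writable by the root group, as the OCP image guidelines describe:
# owning group 0, group bits copied from the owner bits. Additionally remove
# all "other" bits, since the .NET store under here will contain private keys.
prepare_dotnet_home() {
    dir="$1"
    mkdir -p "$dir"
    chgrp -R 0 "$dir"
    chmod -R g=u,o-rwx "$dir"
}

# Return 0 if PATH is owned by group 0, its group bits equal its owner bits
# and include read+write, and "other" has no access. ls(1) output is used
# rather than stat(1) so the check is the same on GNU and BSD userlands.
root_group_can_write() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. drwxrwx---
    group=$(ls -ldn "$1" | awk '{print $4}')  # numeric GID
    owner_bits=$(printf '%s' "$mode" | cut -c2-4)
    group_bits=$(printf '%s' "$mode" | cut -c5-7)
    other_bits=$(printf '%s' "$mode" | cut -c8-10)
    [ "$group" = 0 ] || return 1
    [ "$owner_bits" = "$group_bits" ] || return 1
    [ "$other_bits" = "---" ] || return 1
    case "$group_bits" in
        rw*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone use: prepare the directory given as the first argument, then verify it.
if [ "${1:-}" ]; then
    prepare_dotnet_home "$1"
    if root_group_can_write "$1"; then
        echo "ok: $1 is writable by the root group"
    else
        echo "NOT writable by the root group: $1" >&2
        exit 1
    fi
fi
```

`root_group_can_write` can also be run from a CI job that starts the built image with an unprivileged UID and GID 0, for example `docker run --user 1000810000:0 ...`, which mimics what OpenShift assigns and confirms the fix from outside the build. The group check is on the numeric GID so it does not depend on a `root` entry in the image's `/etc/group`.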