1

Currently in AWS Cloud, we have HTTPS/SSL terminated at the ALB. I am trying to forward HTTPS (SSL/TLS) all the way to the container.

I can configure SSL at startup:

    using System.Net;
    using Microsoft.AspNetCore.Server.Kestrel.Core;

    // Kestrel listens on 5002 and terminates TLS itself using a PFX file and its passphrase.
    builder.WebHost.ConfigureKestrel(options =>
    {
        options.Listen(IPAddress.Any, 5002, listenOptions =>
        {
            listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
            listenOptions.UseHttps(<CERTPATH>, <PASSPHRASE>);
        });
    });

I tried getting the AWS Certificate Manager cert using the following code:

    using Amazon.CertificateManager.Model;

    // Fetches the certificate chain (PEM) for the ARN configured under AWS:CertificateArn.
    var exportCertificateResponse = await acmClient.GetCertificateAsync(new GetCertificateRequest()
    {
        CertificateArn = builder.Configuration["AWS:CertificateArn"],
    });

But this certificate doesn't have the private key, so I can't use it directly.

So I guess I might be using the incorrect type of cert. I'd appreciate any help.

Current Dockerfile:

    FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
    WORKDIR /app
    EXPOSE 5002

    FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
    WORKDIR /src
    COPY ["WebApi/WebApi.csproj", "WebApi/"]
    RUN dotnet restore "WebApi/WebApi.csproj"
    COPY . .
    WORKDIR "/src/WebApi"
    RUN dotnet build "WebApi.csproj" -c Release -o /app/build

    FROM build AS publish
    RUN dotnet publish "WebApi.csproj" -c Release -o /app/publish /p:UseAppHost=false

    FROM base AS final
    WORKDIR /app
    COPY --from=publish /app/publish .
    ENTRYPOINT ["dotnet", "WebApi.dll"]

Should I just add a self-signed cert to the Docker image?

Venkat S
  • 23
  • 5

1 Answer

0

The free AWS ACM SSL certificates cannot be used directly in your code. They are only available to attach to load balancers, CloudFront distributions, and API Gateways. If you want to have an SSL certificate on your back-end server you will have to obtain one some other way, such as via Let's Encrypt, or by purchasing one from an SSL certificate company.

If you want to serve the SSL certificate from your backend server instead of the load balancer, you won't be able to use an Application Load Balancer. You will have to switch to a Network Load Balancer configured with TCP Passthrough. Doing this means you will not be able to take advantage of things like path routing and redirect rules that are available in Application Load Balancers.

If you just want to implement end-to-end encryption between the load balancer and your backend server, you could install a self-signed certificate on your backend server, because the load balancer does not do validation of the backend SSL certificate.

Mark B
  • 183,023
  • 24
  • 297
  • 295
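An added example (not part of the question or the answer) of the self-signed route the answer describes: it generates a private key and self-signed certificate for the container, packages them as the PKCS#12 file that Kestrel's `UseHttps(<CERTPATH>, <PASSPHRASE>)` overload in the question expects, and checks that the bundle opens with the passphrase. It assumes `openssl` is installed; the hostname `webapi.internal` and output paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example: self-signed backend certificate for Kestrel behind an ALB.
# Assumes openssl (1.1.1 or newer, for -addext) is on PATH.
set -euo pipefail

# make_backend_cert <outdir> <hostname> <pfx-passphrase> [days]
make_backend_cert() {
  local outdir="$1" host="$2" pass="$3" days="${4:-365}"
  mkdir -p "$outdir"
  # Private key and self-signed certificate in one step, with a SAN so
  # clients that ignore the CN (most modern ones) still match the host.
  openssl req -x509 -newkey rsa:2048 -sha256 -days "$days" -nodes \
    -keyout "$outdir/backend.key" -out "$outdir/backend.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
  chmod 600 "$outdir/backend.key"   # only the service account should read the key
  # Kestrel's UseHttps(path, passphrase) overload loads a PKCS#12 bundle.
  openssl pkcs12 -export -inkey "$outdir/backend.key" -in "$outdir/backend.crt" \
    -out "$outdir/backend.pfx" -passout "pass:$pass"
  chmod 600 "$outdir/backend.pfx"
}

# check_backend_cert <outdir> <hostname> <pfx-passphrase>
# Returns non-zero if the PFX does not open with the passphrase or the SAN
# is missing; otherwise prints the certificate subject.
check_backend_cert() {
  local outdir="$1" host="$2" pass="$3"
  openssl pkcs12 -in "$outdir/backend.pfx" -passin "pass:$pass" \
    -nokeys -noout >/dev/null 2>&1 || return 1
  openssl x509 -in "$outdir/backend.crt" -noout -text | grep -q "DNS:$host" || return 1
  openssl x509 -in "$outdir/backend.crt" -noout -subject
}

# Usage (placeholder values):
#   make_backend_cert ./certs webapi.internal 'choose-a-passphrase' 365
#   check_backend_cert ./certs webapi.internal 'choose-a-passphrase'
```

Mount the resulting PFX into the container at runtime (a volume or secret) rather than copying it into the image, and pass the passphrase through configuration so it is not hardcoded next to the `UseHttps` call.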