如何允许从本地主机和容器到ASP.NET Core Web API应用程序的HTTPS连接? [英] How to allow HTTPS connections from both localhost and container towards an ASP.NET Core Web API application?
问题描述
我正在尝试将Docker用于现有应用程序,并且遇到以下问题.当API尝试从容器中获取Identity Server元数据时,它将失败,并显示以下内容:
I am trying to use Docker for an existing application and I have the following issue. When the API is trying to get the Identity Server metadata from the container, it fails with the following:
web_api | System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://host.docker.internal:5500/.well-known/openid-configuration'.
web_api | ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://host.docker.internal:5500/.well-known/openid-configuration'.
web_api | ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
web_api | ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
这确实得到了主机浏览器的确认(Chrome中的证书错误).
This is indeed confirmed by the host browser (certification error in Chrome).
如果我使用localhost而不是host.docker.internal访问相同的元数据,则它将按预期工作.
If I access the same metadata using localhost instead of host.docker.internal, it works as expected.
I have used the instructions from here in order to create and trust a localhost certificate that it is also used by the identity server:
dotnet dev-certs https -ep %USERPROFILE%\.aspnet\https\aspnetapp.pfx -p { password here }
dotnet dev-certs https --trust
我假设这些说明仅为本地主机创建证书,但是我试图获得一种适用于host.docker.internal的解决方案.
I assume these instructions create the certificate only for localhost, but I am trying to get a solution that also works for host.docker.internal.
问题::如何允许从本地主机和容器到ASP.NET Core Web API应用程序的HTTPS连接?
Question: How to allow HTTPS connections from both localhost and container towards an ASP.NET Core Web API application?
推荐答案
我认为您是正确的-dotnet dev-certs
仅为localhost
生成证书.据我所知是不可配置的.因此,看来您将必须生成自己的自签名证书并信任它.假设您使用的是Windows,一种方法是使用 Powershell的New-SelfSignedCertificate :
I think you are right - dotnet dev-certs
only generates certs for localhost
. And as far as I can tell is not configurable. So it seems you will have to generate your own self-signed cert and trust it. Assuming you're on Windows, one way to do it is with Powershell's New-SelfSignedCertificate:
#create a SAN cert for both host.docker.internal and localhost
$cert = New-SelfSignedCertificate -DnsName "host.docker.internal", "localhost" -CertStoreLocation cert:\localmachine\my
#export it for docker container to pick up later
$password = ConvertTo-SecureString -String "123123" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\https\aspnetapp.pfx -Password $password
# trust it on your host machine
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "TrustedPublisher","LocalMachine"
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()
假设您为应用程序使用Microsoft提供的基础映像,以提示Kestrel选择新证书,您可能必须
Assuming you use Microsoft-supplied base images for your apps, to hint Kestrel to pick the new cert up you will probably have to run docker like so:
docker pull your_docker_image
docker run --rm -it -p 8000:80 -p 8001:443 -e ASPNETCORE_URLS="https://+;http://+" -e ASPNETCORE_HTTPS_PORT=8001 -e ASPNETCORE_Kestrel__Certificates__Default__Password="123123" -e ASPNETCORE_Kestrel__Certificates__Default__Path=\https\aspnetapp.pfx -v %USERPROFILE%\.aspnet\https:C:\https\ your_docker_image
docker run <your image> --rm -it -p 8000:80 -p 8001:443 -e ASPNETCORE_URLS="https://+;http://+" -e ASPNETCORE_HTTPS_PORT=8001 -e ASPNETCORE_Kestrel__Certificates__Default__Password="123123" -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx
请注意,我要将证书导出到C:\https
,然后将其安装到容器上.
Note I'm exporting the cert to C:\https
which then gets mounted onto the container.
您可能必须尝试使用路径和域名,但是希望这可以为您提供一个起点.
You might have to play around with paths and domain names but hopefully that gives you a starting point.
OpenSSL 是这里的另一个可能的解决方案,也是跨平台的
OpenSSL is another possible solution here that would be cross-platform as well
UPD 由于Docker机器通常是Linux,因此此答案可能不是一个完整的解决方案.看看我关于同一主题的其他答案-一个人利用OpenSSL执行任务并研究如何嵌入自我签名的证书进入构建时的Docker映像.
UPD Since Docker machines are often Linux, this answer might not be a complete solution. Check out my other answer on the same topic - that one leverages off OpenSSL to perform the task and goes into how to embed self-signed certs into Docker images on build.
这篇关于如何允许从本地主机和容器到ASP.NET Core Web API应用程序的HTTPS连接?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!