ASP.Net Core docker access serviceA container from serviceB container throws ssl certificate error


Problem description

I am developing a Web Application with Microservice Architecture. I use docker and docker-compose to run my microservices. I want to access an api from the frontend service. But it always throws SSL certificate exception, which tells me that the issuer is not verified from curl. I get this error from the HttpClient in my demo MVC app: "The remote certificate is invalid according to the validation procedure."

I created a demo project for testing it, here is the github link: https://github.com/KriszW/AccessDockerContainersFromEachOtherDemo

I know the problem is within the container. Because I tested it with curl, and when I specified the --insecure attribute it worked. So I know that something is bad with the ssl certificates in my containers.

I know that I do not have any problem with the APIs, because I run them in Kestrel and they worked fine as well.

Something is bad with the docker containers, or images.

Thanks for your help in advance guys, I really don't know what to do now, and how to solve it.

I use the latest .Net Core 3.1 for my Web APIs and MVC app as well.

Recommended answer

This is a common situation that is fortunately fairly easy to resolve even if it's not that straight-forward. A few years old but still useful is Scott Hanselman's post on the topic. This will give you some underlying background.

Your docker-compose or docker run configuration will need to specify volumes for both the certificate and for your user secrets folder, in order to supply a password for the SSL cert. Here's what that typically looks like in the volumes section of a docker-compose.yml for development:

  - ${APPDATA}\ASP.NET\Https\:/root/.aspnet/https:ro
  - ${APPDATA}\Microsoft\UserSecrets\:/root/.microsoft/usersecrets:ro

Whether you use a User Secret or not, you'll want to configure your web host (e.g., IIS, Kestrel, etc) with the PFX key and paths to your cert. Note how the volume path matches the cert path. Kestrel's config looks like this:

"Kestrel": {
  "Certificates": {
    "Default": {
      "Path": "/root/.aspnet/https/MyCertificate.pfx",
      "Password": "mypassword12345", // ...
    }
  }
}

One direct route to this with VS Docker tooling is to right-click your project in Visual Studio and Add... Docker support. This will create DOCKERFILEs and get everything running when you hit F5 or CTRL+F5. Popping open the dockerfiles, capturing the various docker commands issued by the tooling, and inspecting running containers are all useful ways to get familiar with some of these types of tricks.

The easiest [ed: second easiest] thing to do would be to use a volume mount or docker secret to mount a certificate from the host machine's filesystem into your containers. This is how it works when you run a .net core application on Docker using Visual Studio's tools - a dev cert is generated via dotnet dev-certs and stored in your user directory. This directory is then mounted into your container and used as the SSL cert by your asp.net core application.

Because the cert is trusted by you (the requestor), [ed: and because it is shared with all containers], the certificate will be considered valid and you'll be good to go!
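
A fuller development compose file for the setup this answer describes, as an added example that is not part of the original answer or the asker's repository. The service names, image names, `MyCertificate.pfx`, the `CERT_PASSWORD` variable and the `ServiceA__BaseUrl` setting are assumptions; the `ASPNETCORE_Kestrel__Certificates__Default__*` variables are the environment-variable form of the Kestrel JSON section shown above.

```yaml
# docker-compose.override.yml (development only) - constructed example.
# Service names, image names and the PFX file name are placeholders.
version: "3.4"

services:
  servicea:                         # the Web API being called
    image: servicea:dev
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=https://+:443
      # Same keys as "Kestrel:Certificates:Default" in appsettings.json;
      # "__" stands in for ":" in environment variable names.
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/root/.aspnet/https/MyCertificate.pfx
      # Read from the host environment or a .env file so the PFX password
      # is not committed with the compose file (the user-secrets mount
      # below is the other source for this value).
      - ASPNETCORE_Kestrel__Certificates__Default__Password=${CERT_PASSWORD}
    volumes:
      # Read-only: the container only needs to load the certificate.
      - ${APPDATA}\ASP.NET\Https\:/root/.aspnet/https:ro
      - ${APPDATA}\Microsoft\UserSecrets\:/root/.microsoft/usersecrets:ro

  serviceb:                         # the MVC frontend that calls servicea
    image: serviceb:dev
    depends_on:
      - servicea
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=https://+:443
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/root/.aspnet/https/MyCertificate.pfx
      - ASPNETCORE_Kestrel__Certificates__Default__Password=${CERT_PASSWORD}
      # Hypothetical app setting holding the API address. Assumption: the
      # PFX was issued for the host name used here ("servicea"). The
      # default `dotnet dev-certs` certificate only names localhost, so
      # host name validation would still fail for that certificate.
      - ServiceA__BaseUrl=https://servicea
    volumes:
      - ${APPDATA}\ASP.NET\Https\:/root/.aspnet/https:ro
      - ${APPDATA}\Microsoft\UserSecrets\:/root/.microsoft/usersecrets:ro
```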
