无法在Azure上的Linux容器中为.net Core Kestral服务器配置HTTPS终结点 [英] Unable to configure HTTPS endpoint for .net Core Kestral Server in Linux Container on Azure
问题描述
我有一个.net core 3应用程序,可以单独运行,也可以在linux容器中运行,并且运行 local/development 很好.然后,我将应用程序安装到Azure管道中的docker映像中.该图像已加载到Azure容器注册表中.
I have a .net core 3 app running locally/development just fine, both on its own and when run in a linux container. I then take the app and have it built into a docker image inside azure pipelines. The image is loaded to azure container registry.
最后,我有一个用于容器的 Azure Web APP (Linux).
Finally, I have an Azure Web APP for Containers (Linux) that uses the image to run.
我在本地设置了docker-compose文件,如下所示:
Locally I have the docker-compose file set up like this:
environment:
- "ASPNETCORE_ENVIRONMENT=Development"
...
- "ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx"
- "ASPNETCORE_Kestrel__Certificates__Default__Password=Your_password123"
volumes:
- ~/.aspnet/https:/https:ro
对于生产,我有以下内容:
For production I have the following:
environment:
- UseInMemoryDatabase=false
- ASPNETCORE_ENVIRONMENT=Production
- ASPNETCORE_Kestrel__Certificates__Default__Path=/security/mycert.pfx
- "ASPNETCORE_Kestrel__Certificates__Default__Password=Your_password123"
ports:
- "5000:5000"
- "5001:5001"
volumes:
- fsmount001: /security:/security
- /var/ssl/private:/https
我加载了"mycert"进入azure门户,并将其指纹添加到 WEBSITE_LOAD_CERTIFICATES
I loaded "mycert" into the azure portal and added its thumbprint to the App's configuration settings under WEBSITE_LOAD_CERTIFICATES
我使用Open SSL创建了 mycert 文件,我可以在本地使用它,而kestral会使用它,但会出现警告.
I used Open SSL to create the mycert file and I can use it locally and kestral will use it, but with a warning.
当我使用该图像运行应用程序时,我在docker日志中收到以下错误:
When I run the app with this image I get the following error in the docker logs:
System.InvalidOperationException:无法配置HTTPS端点.未指定服务器证书,并且是默认开发者找不到证书或证书过期...在Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptionslistenOptions,操作1个configureOptions)
System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date ... at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)
我尝试了很多加载证书的变体,但无法使它们工作.这是一个仅在生产中发生的问题.
I have tried a lot of variations of loading certs and can not get any of them to work. This is an issue that only happens in production.
我也尝试过:
- 购买了Azure应用证书,并使用了thumbprint.p12文件,例如:
- ASPNETCORE_Kestrel__Certificates__Default__Path=/var/ssl/private/<thumbprint>.p12
- ASPNETCORE_Kestrel__Certificates__Default__Password=""
我没有使用密码,因为当您购买证书时没有设置密码
I used no password because when you buy a cert there is no password set
-
下载了购买的App Cert,并使用open ssl创建了一个密码链接的.pfk文件,并将其作为另一个私钥上载了
Downloaded the purchased App Cert and used open ssl to create a password linked .pfk file and uploaded that as another private key
使用azure文件挂载并上传我的dev cert文件,并从文件挂载中引用它们,例如:
Use azure file mount and upload my dev cert files and reference them from the file mount like:
- ASPNETCORE_Kestrel__Certificates__Default__Path=/security/mycert.com.pfx
- ASPNETCORE_Kestrel__Certificates__Default__Password="Your_password123"
volumes:
- fsmount001: /security:/security
完整的docker-compose和azure文件设置
- 这是我定义文件共享的方式:
有一个带有mycert.pfx文件的安全文件夹
There is a security folder with the mycert.pfx file inside it
- 这是我在azure应用程序服务配置中设置文件挂载的方式:
我将安装路径设置为文件共享中的安全文件夹
I set the mount path to be the security folder in my file share
- 这是完整的docker compose文件:
services:
webui:
image: ${DOCKER_REGISTRY-}webui
build:
context: .
dockerfile: src/WebUI/Dockerfile
environment:
- UseInMemoryDatabase=false
- ASPNETCORE_ENVIRONMENT=Production
- ASPNETCORE_URLS=https://+:443;http://+:80
- "ConnectionStrings__DefaultConnection=****"
- ASPNETCORE_Kestrel__Certificates__Default__Path=/secure/mycert.pfx
- ASPNETCORE_Kestrel__Certificates__Default__Password="Your_password123"
ports:
- "5000:5000"
- "5001:5001"
volumes:
- fsmount001: /secure
- ~/var/ssl/private:/https
restart: always
volumes:
fsmount001:
driver: azure_file
driver_opts:
share_name: st-*****tus
storage_account_name: st********001
DOCKERFILE
有关更多信息,您可以在下面找到我的dockerfile
EDIT 2: DOCKERFILE
for further context you can find my dockerfile below
请注意,我正在使用开源应用程序模板/框架清洁架构.您可以看到我正在尝试使用 docker pull request 作为回购协议基本代码.我的目标是泊坞窗"这个基本框架在azure ci/cd管道中并将其部署到用于容器(linux)的azure Web应用程序
please note that I am using the open source application template/framework cleanarchiecture. You can see that I am trying to use the docker pull request for the repo as the base code. My goal is to "dockerize" this base framework in azure ci/cd pipeline and deploy it to azure web app for containers (linux)
FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-buster-slim AS base
ENV ASPNETCORE_URLS=https://+:5001;http://+:5000
WORKDIR /app
EXPOSE 5000 5001 2222
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build
RUN curl -sL https://deb.nodesource.com/setup_12.x | bash -
RUN apt install -y nodejs
WORKDIR /src
COPY ["src/WebUI/WebUI.csproj", "src/WebUI/"]
COPY ["src/Application/Application.csproj", "src/Application/"]
COPY ["src/Domain/Domain.csproj", "src/Domain/"]
COPY ["src/Infrastructure/Infrastructure.csproj", "src/Infrastructure/"]
RUN dotnet restore "src/WebUI/WebUI.csproj"
COPY . .
WORKDIR "/src/src/WebUI"
RUN dotnet build "WebUI.csproj" -c Release -o /app/build
FROM build AS publish
RUN dotnet publish "WebUI.csproj" -c Release -o /app/publish
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "CleanArchitecture.WebUI.dll"]
有人可以帮我弄清楚如何在Linux容器中设置kestral证书吗?
Can someone help me figure out how to set a certificate for kestral inside a Linux container?
预先感谢
推荐答案
您的 docker-compose 文件是否可能在服务 volumes 的定义中存在错误.?
Is it possible that your docker-compose file has an error in the definition of the service volumes?
对于您的服务,您具有以下 docker-compose 片段:
You have the following docker-compose fragment for your service:
environment:
- UseInMemoryDatabase=false
- ASPNETCORE_ENVIRONMENT=Production
- ASPNETCORE_Kestrel__Certificates__Default__Path=/security/mycert.pfx
- "ASPNETCORE_Kestrel__Certificates__Default__Password=Your_password123"
ports:
- "5000:5000"
- "5001:5001"
volumes:
- fsmount001: /security:/security
- /var/ssl/private:/https
使用此设置,您尝试创建两个卷.
With this setup you are trying to create two volumes.
一方面,您正在将主机系统中的/var/ssl/private 路径映射到/https 容器目标.它应该可以正常工作.
On one hand, you are mapping the /var/ssl/private path in the host system to the /https container destination. It should work fine.
但是,另一方面,我认为您正在混合命名卷和基于路径映射的卷的语法.
But, on the other hand, I think you are mixing syntax for named volumes and volumes based on path mapping.
对于更新,您尝试使用Azure文件存储安装.然后,您需要修改服务的 volumes 定义,如下所示:
For your update you are trying to use an Azure File storage mount. Then you need to modify your service volumes definition as follows:
environment:
...
ports:
...
volumes:
- fsmount001:/security
- /var/ssl/private:/https
As indicated in the documentation, it is important to understand that the mount path corresponds to the folder inside the container that you want to mount to Azure Storage:
安装路径设置对应于您要安装到Azure存储的容器内的文件夹.将其设置为"/"会将整个容器安装到Azure存储.
The mount path setting corresponds to the folder inside the container that you want to mount to Azure Storage. Setting it to '/' mounts the entire container to Azure Storage.
请注意,在 docker-compose 文件中为 fsmount001 提供的路径与创建挂载时指定的挂载路径相同,/security .
Please, also note that the path provided for fsmount001 in your docker-compose file is the same as the mount path indicated when you created the mount, /security in this case.
使用此设置,您需要配置证书位置,如下所示:
With this setup, you need to configure the certificate location like this:
- ASPNETCORE_Kestrel__Certificates__Default__Path=/security/security/mycert.pfx
第一个/security 用于容器中的路径,第二个
/security 用于将pfx包含在文件共享中的目录.
The first /security for the path in the container, and the second for the directory in which your pfx is included in the file share.
更新
一起查看了 Dockerfile 和 docker-compose 文件后,我认为您的问题可能不是出于实际文件共享的原因,而是因为设置所需的环境变量您的HTTPS在docker容器内不可见,因为它们仅在其构建阶段使用.请参阅此,我认为相关的堆栈溢出问题.
After reviewing your Dockerfile and docker-compose files together, I think your problem could be motivated not for the actual file share, but because the environment variables required to setup your HTTPS are not visible inside the docker container because they are used only in its build phase. Please, see this I think related stack overflow question.
您需要直接在 Dockerfile 中提供此环境信息,或者在 docker-compose 文件中使用 ARG s间接提供此环境信息.
You need to provide this environment information directly in your Dockerfile or indirectly using ARGs in your docker-compose file.
例如,如下修改您的 docker-compose 文件-基本上,更改 args 的 environment 条目:
For example, modify your docker-compose file as follows - basically, change your environmententry for args:
services:
webui:
image: ${DOCKER_REGISTRY-}webui
build:
context: .
dockerfile: src/WebUI/Dockerfile
args:
- UseInMemoryDatabase=false
- ASPNETCORE_ENVIRONMENT=Production
- ASPNETCORE_URLS=https://+:443;http://+:80
- ConnectionStrings__DefaultConnection=****
- ASPNETCORE_Kestrel__Certificates__Default__Path=/secure/mycert.pfx
- ASPNETCORE_Kestrel__Certificates__Default__Password="Your_password123"
ports:
- "5000:5000"
- "5001:5001"
volumes:
- fsmount001: /secure
- ~/var/ssl/private:/https
restart: always
volumes:
fsmount001:
driver: azure_file
driver_opts:
share_name: st-*****tus
storage_account_name: st********001
然后他们修改您的 Dockerfile 以读取提供的构建参数:
And them modify your Dockerfile to read the provided build arguments:
FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-buster-slim AS base
ARG UseInMemoryDatabase
ENV UseInMemoryDatabase=$UseInMemoryDatabase
ARG ASPNETCORE_ENVIRONMENT
ENV ASPNETCORE_ENVIRONMENT=$ASPNETCORE_ENVIRONMENT
ARG ASPNETCORE_URLS=https://+:5001;http://+:5000
ENV ASPNETCORE_URLS=$ASPNETCORE_URLS
ARG ConnectionStrings__DefaultConnection
ENV ConnectionStrings__DefaultConnection=$ConnectionStrings__DefaultConnection
ARG ASPNETCORE_Kestrel__Certificates__Default__Path
ENV ASPNETCORE_Kestrel__Certificates__Default__Path=$ASPNETCORE_Kestrel__Certificates__Default__Path
ARG ASPNETCORE_Kestrel__Certificates__Default__Password
ENV ASPNETCORE_Kestrel__Certificates__Default__Password=$ASPNETCORE_Kestrel__Certificates__Default__Password
WORKDIR /app
EXPOSE 5000 5001 2222
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build
RUN curl -sL https://deb.nodesource.com/setup_12.x | bash -
RUN apt install -y nodejs
WORKDIR /src
COPY ["src/WebUI/WebUI.csproj", "src/WebUI/"]
COPY ["src/Application/Application.csproj", "src/Application/"]
COPY ["src/Domain/Domain.csproj", "src/Domain/"]
COPY ["src/Infrastructure/Infrastructure.csproj", "src/Infrastructure/"]
RUN dotnet restore "src/WebUI/WebUI.csproj"
COPY . .
WORKDIR "/src/src/WebUI"
RUN dotnet build "WebUI.csproj" -c Release -o /app/build
FROM build AS publish
RUN dotnet publish "WebUI.csproj" -c Release -o /app/publish
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "CleanArchitecture.WebUI.dll"]
请在您认为适当的时候对其进行修改.特别要注意的是,当应该定义不同的 ARG s和 ENV s时,因为它们是在每个构建阶段确定范围的,因此在下一阶段将不会保留.您可以按原样尝试,也可以在 base 中定义 ARG ,在 final 中定义 ARG s变量,在两个变量中均应可见.
Please, modify it as you consider appropriate. Pay attention especially at the moment in which the different ARGs and ENVs should be defined because they are scoped per build-stage, and will not be preserved in the next stage. You can try as is, or you can define the ARGs in base and the ENVs in final, as one extend from the other the ARGs variables should be visible in both.
这篇关于无法在Azure上的Linux容器中为.net Core Kestral服务器配置HTTPS终结点的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
