user3953989

Reputation: 1941

Cert error connecting to AWS DocumentDB from Docker C# app

My .NET Core app works and connects fine from my host machine.

Once built and run from a Docker container, it fails with the error System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

The mongo connection string used: mongodb://[email protected]/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false&connectTimeoutMS=3000

I've verified the cert file is in the directory with the rest of my binaries when the app is run; it is fetched in the Dockerfile using RUN wget https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem -P /app

I've also tried to install the cert using the dotnet-certificate-tool within the container.

Update: I was able to get the p7b version of the cert to work but it had to be loaded via code. It could not be loaded from the OS cert store.

Upvotes: 1

Views: 1889
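The "loaded via code" route mentioned in the update, as an added example that is not code from the question or the answer. The MongoDB .NET driver does not read a CA file named in the connection string; it validates the server certificate against the OS trust store unless you supply a validation callback, which is consistent with the bundle sitting unused next to the binaries. This example assumes the PEM bundle has been copied to /app/rds-combined-ca-bundle.pem, that the MongoDB.Driver NuGet package is referenced, and that the runtime is .NET 5 or later (for X509Certificate2Collection.ImportFromPemFile and X509ChainTrustMode.CustomRootTrust); the host name and credentials are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

// Added example, not the asker's or answerer's code.
// Assumptions: /app/rds-combined-ca-bundle.pem exists in the image,
// MongoDB.Driver is referenced, runtime is .NET 5+.
static class DocDbTrust
{
    // Parse every CERTIFICATE block in the PEM bundle into a set of trust anchors.
    public static X509Certificate2Collection LoadCaBundle(string pemPath)
    {
        var anchors = new X509Certificate2Collection();
        anchors.ImportFromPemFile(pemPath); // handles a multi-cert bundle; no splitting needed
        if (anchors.Count == 0)
            throw new InvalidOperationException($"No certificates found in {pemPath}");
        return anchors;
    }

    // Build the server's chain against ONLY the bundled RDS roots (plus whatever
    // intermediates the server presented), instead of the container's OS store.
    public static bool ValidateAgainst(X509Certificate2Collection anchors,
                                       X509Certificate? certificate,
                                       X509Chain? presentedChain,
                                       SslPolicyErrors errors)
    {
        if (certificate is null) return false;

        // A host-name mismatch is never acceptable, whatever the chain says.
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;

        // If the OS store already trusts it (e.g. the CA was installed as in the
        // answer's Dockerfile), there is nothing more to do.
        if (errors == SslPolicyErrors.None) return true;

        using var serverCert = new X509Certificate2(certificate);
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(anchors);
        // SslStream's own default is no revocation check; switch to Online if your
        // egress rules allow CRL/OCSP fetches from the container.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // Re-use any intermediates the server sent so the chain can complete.
        if (presentedChain is not null)
            foreach (var element in presentedChain.ChainElements)
                chain.ChainPolicy.ExtraStore.Add(element.Certificate);

        return chain.Build(serverCert);
    }

    public static MongoClient Connect(string connectionString, string pemPath)
    {
        var anchors = LoadCaBundle(pemPath);
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.UseTls = true;
        settings.SslSettings = new SslSettings
        {
            ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
                ValidateAgainst(anchors, cert, chain, errors)
        };
        return new MongoClient(settings);
    }
}

// Usage (placeholder host and credentials):
// var client = DocDbTrust.Connect(
//     "mongodb://user:pass@docdb-cluster.cluster-xxxx.us-east-1.docdb.amazonaws.com:27017/?tls=true&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false",
//     "/app/rds-combined-ca-bundle.pem");
```

The callback only widens trust to the RDS roots; it still rejects a name mismatch and still lets the OS store decide when the chain is already fine. The common shortcut of returning true unconditionally from ServerCertificateValidationCallback makes the error go away by turning off server authentication entirely, which is not an acceptable fix for a database connection.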

Answers (1)

Nurkartiko

Reputation: 181

Same issue with a .NET 6 web API deployed to Docker (Debian GNU/Linux 11), with the error message: A timeout occurred after 30000ms selecting a server...tldr;cut;tldr;...Driver.MongoConnectionException: An exception occurred while opening a connection to the server.\n ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain\n...tldr;cut;...

Solved by adding these lines to the Dockerfile:

FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base

# add AWS RDS CA bundle
ADD https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem /tmp/rds-ca/aws-rds-ca-bundle.pem
# split the bundle into individual certs (written as cert, cert1, cert2, ...):
# update-ca-certificates only imports one cert per file, and only files
# under /usr/local/share/ca-certificates with a .crt extension
# see http://blog.swwomm.com/2015/02/importing-new-rds-ca-certificate-into.html
RUN cd /tmp/rds-ca && cat aws-rds-ca-bundle.pem|awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ""}' \
    && for CERT in /tmp/rds-ca/cert*; do mv $CERT /usr/local/share/ca-certificates/aws-rds-ca-$(basename $CERT).crt; done \
    && rm -rf /tmp/rds-ca \
    && update-ca-certificates

WORKDIR /app
EXPOSE 80
EXPOSE 443
...
...
...


Upvotes: 1
