Reputation: 89
I always get the following error on my client WebApp (running as a separate Linux docker image on port 4443):
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://host.docker.internal:8443/.well-known/openid-configuration'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://host.docker.internal:8443/.well-known/openid-configuration'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
It is connected to my IdentityServer4 (running as a separate Linux docker image on port 4444). In the IS4 Startup.cs I create the certificate with the following code:
...
var idpUri = configuration["AppConfig:IdentityProviderUrl"];
var dnsName = new Uri(idpUri).DnsSafeHost;
var cert = new X509Certificate2(Path.GetFullPath(Path.Combine(Directory.GetCurrentDirectory(), "certificate.pfx")));
var builder = services.AddIdentityServer(options => {
    options.IssuerUri = idpUri;
}).AddSigningCredential(cert); // A self-signed PFX certificate located in the root of the IS4 and also copied into the client app, used for the Kestrel cert.
...
In my client WebApp I inserted the following code to set the authority:
string identityProviderUrl = Configuration.GetValue<string>("AppConfig:IdentityProviderUrl");
services.AddHttpClient(AUTHORIZATION_SERVICE_CLIENT_NAME, client => {
    client.BaseAddress = new Uri(identityProviderUrl);
    client.DefaultRequestHeaders.Clear();
    client.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
});
services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options => { // NOTE: I don't know if this is needed
        options.Authority = identityProviderUrl;
        options.TokenValidationParameters = new TokenValidationParameters {
            ValidateAudience = false
        };
    });
services.AddAuthentication(options => {
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}).AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options => {
    options.Authority = identityProviderUrl;
    options.ClientId = oidcClientId;
    options.ClientSecret = oidcClientSecret;
    ...
});
I think there is something wrong with the certificate I'm creating, which is not on both docker images. But both Docker containers are running with HTTPS, otherwise they won't start at all. What am I missing here?
Let's do it with LetsEncrypt as suggested in the comment below. I downloaded and ran this project (src: https://github.com/PKISharp/ACMESharpCore/tree/master/src/examples/ACMECLI) with the following properties set:
public string CaName { get; } = Constants.LetsEncryptStagingName;
public IEnumerable<string> Email { get; } = new string[] { "[email protected]" };
public bool AcceptTos { get; } = true;
public IEnumerable<string> Dns { get; } = new string[] { "xxx.duckdns.org" };
public (bool enabled, int? timeout) WaitForAuthz { get; } = (true, 300);
public bool Finalize { get; } = true;
public string ExportPfx { get; } = @"c:\tmp\certificate.pfx";
public string ExportPfxPassword { get; } = " ";
But it is still pending, for a few days already. I don't know when it will become valid.
Upvotes: 1
Views: 8846
Reputation: 19961
You can't have a self-signed certificate for HTTPS; instead, get a real certificate, or you have to add the certificate to the client's trusted certificate store.
The problem is that the client does not trust the certificate it received when trying to establish a secure channel.
Using HTTPS internally and properly is best practice between containers.
To support HTTPS in ASP.NET Core, see this article:
Today it is also popular to get your certificates from LetsEncrypt. Using them lets you automate the creation of the certificates.
I wrote a blog post about deploying IdentityServer in a container.
Upvotes: 0
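The answer's second option, trusting the specific certificate on the client, can also be done inside the WebApp's back-channel without turning TLS validation off. The following is an added example, not code from the question, the answer or IdentityServer4; it assumes the IS4 container's public certificate (PEM, no private key) is mounted at the hypothetical path /certs/idp.crt in the client container, and that the JwtBearer scheme is named "Bearer" as in the question.

```csharp
// Added example, not code from the question or the answer.
// Trust exactly one known self-signed IdP certificate on the client side
// instead of disabling certificate validation. Assumes the IS4 container's
// public certificate (PEM, no private key) is mounted at the hypothetical
// path /certs/idp.crt in the client container.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public static class PinnedIdpTrust
{
    // Accept the server certificate only if (a) it validates normally, or
    // (b) the only policy error is an untrusted chain (the self-signed case)
    // AND the certificate is byte-for-byte the one we expect. A hostname
    // mismatch or a missing certificate is still rejected.
    public static HttpClientHandler CreateHandler(X509Certificate2 expected)
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None) return true;
            if (cert == null) return false;
            if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;
            return cert.RawData.AsSpan().SequenceEqual(expected.RawData);
        };
        return handler;
    }

    // Wire the pinned handler into the back-channel that fetches
    // /.well-known/openid-configuration and the JWKS for both schemes.
    // Configure (not PostConfigure) is used so this runs before the
    // framework's own post-configuration builds the back-channel HttpClient.
    public static IServiceCollection AddPinnedIdpTrust(this IServiceCollection services,
        string certPath = "/certs/idp.crt")
    {
        var expected = new X509Certificate2(certPath);
        services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme,
            o => o.BackchannelHttpHandler = CreateHandler(expected));
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme,
            o => o.BackchannelHttpHandler = CreateHandler(expected));
        return services;
    }
}
```

Call `services.AddPinnedIdpTrust()` in the WebApp's ConfigureServices alongside the AddJwtBearer/AddOpenIdConnect registrations shown in the question. If the self-signed certificate does not carry host.docker.internal as a subject alternative name, the callback still rejects it with a name mismatch; regenerate the certificate with that name rather than relaxing the check.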