Reputation: 89
Docker image error The remote certificate is invalid according to the validation procedure on client web-application
I always get the following error on my client WebApp (running as separate Linux docker image port 4443):
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://host.docker.internal:8443/.well-known/openid-configuration'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://host.docker.internal:8443/.well-known/openid-configuration'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Which is connected to my IdentityServer4 (running as separate Linux docker image port 4444). In the IS4 Startup.cs I create the certificate which the following code:
...
var idpUri = configuration["AppConfig:IdentityProviderUrl"];
var dnsName = new Uri(idpUri).DnsSafeHost;
var cert = new X509Certificate2(Path.GetFullPath(Path.Combine(Directory.GetCurrentDirectory(),"certificate.pfx")));
var builder = services.AddIdentityServer(options => {
options.IssuerUri = idpUri;
}).AddSigningCredential(cert); //A self-signed PFX certificate located in the root of the IS4 and also copied in de client app used for Kestrel cert.
...
In my client WebApp I inserted the following code to set the authority:
string identityProviderUrl = Configuration.GetValue<string>("AppConfig:IdentityProviderUrl");
services.AddHttpClient(AUTHORIZATION_SERVICE_CLIENT_NAME, client => {
client.BaseAddress = new Uri(identityProviderUrl);
client.DefaultRequestHeaders.Clear();
client.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
});
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options => { //NOTE: I don't know if this is needed
options.Authority = identityProviderUrl;
options.TokenValidationParameters = new TokenValidationParameters {
ValidateAudience = false
};
});
services.AddAuthentication(options => {
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}).AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options => {
options.Authority = identityProviderUrl;
options.ClientId = oidcClientId;
options.ClientSecret = oidcClientSecret;
...
});
I think there is something wrong which the certificate I'm creating which are not on both docker images. But the Docker containers are running both with HTTPS, else the won't start at all. What am I missing here?
Let's do it by LetsEncrypt as suggested in the comment below. I download and run this project (src:https://github.com/PKISharp/ACMESharpCore/tree/master/src/examples/ACMECLI) With the following properties set:
public string CaName { get; } = Constants.LetsEncryptStagingName;
public IEnumerable<string> Email { get; } = new string[] { "xxx@gmail.com" };
public bool AcceptTos { get; } = true;
public IEnumerable<string> Dns { get; } = new string[] { "xxx.duckdns.org" };
public (bool enabled, int? timeout) WaitForAuthz { get; } = (true, 300);
public bool Finalize { get; } = true;
public string ExportPfx { get; } = @"c:\tmp\certificate.pfx";
public string ExportPfxPassword { get; } = " ";
But it is still pending, a few days already. When it comes valid I don't know.
Upvotes: 1
Views: 8847
Answers (1)
Reputation: 19971
You can't have a self-signed certificate for HTTPS, instead get a real certificate or you have to add the certificate to the client trusted certificate store.
The problem is that the client does not trust the certificate it received when trying to establish a secure channel.
Using HTTPS internally and properly is best practice between containers.
To support HTTPS in ASP.NET Core , see this article:
Today i also popular to get your certificates form LetsEncrypt. Using them lets you automate the creation of the certificates.
I wrote a blog post about deploying IdentityServer in a container.
Upvotes: 0
Related Questions
- Identityserver 4 in docker compose The remote certificate is invalid according to the validation procedure
- How to properly install certificates on Docker in ASP.NET Core application?
- Docker image: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found
- Asp.Net Core docker-compose https self signed certificate issue
- Asp.net core SSL could not run in docker container
- Docker CE for Windows - SSL connection could not be established. remote certificate is invalid according to the validation procedure
- Https required for asp.net core in docker
- IdentityServer4 + Docker: The remote certificate is invalid according to the validation procedure
- ASP.NET Core Web API client does not trust self-signed certificate used by the Identity Server instance
- Unable to create a dev certificate for an ASP.NET Core Web App in a Docker container