Reputation: 15193
I have a dotnet core app that needs to run inside a Windows Core container and expose port 443 (https).
I passed the certificate to the container and set up the environment variables for user path and password. The application is able to find the certificate but fails with the following error:
crit: Microsoft.AspNetCore.Server.Kestrel[0]
Unable to start Kestrel.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Object was not found.
The certificate is a self-signed certificate for the localhost domain.
I tried to add the server localhost to the docker container, but that also didn't work.
It is not a problem with the certificate password or the certificate location because those problems give explicit errors.
Here are the relevant docker configuration files:
Dockerfile:
    FROM mcr.microsoft.com/dotnet/aspnet:5.0 AS base
    WORKDIR /app
    EXPOSE 443
    VOLUME c:/certificates
    COPY . .
    #place to put the https certificate
    ENV ASPNETCORE_URLS="https://+:443"
    ENV ASPNETCORE_HTTPS_PORT=8243
    ENTRYPOINT ["dotnet", "webApp.dll"]
The docker-compose.yaml file:
    version: '3.4'
    services:
      webApp:
        container_name: webApp
        build:
          context: ..\webApp\
          dockerfile: Dockerfile
        volumes:
          - type: bind
            source: d:/certificates
            target: c:/certificates
        environment:
          - ASPNETCORE_Kestrel__Certificates__Default__Password=somepass
          - ASPNETCORE_Kestrel__Certificates__Default__Path=c:\certificates\servercert.pfx
        ports:
          - "8243:443"
        extra_hosts:
          - "localhost:127.0.0.1"
        networks:
          - net
    networks:
      net:
How to run:
    docker-compose run webApp
The full error stack:
crit: Microsoft.AspNetCore.Server.Kestrel[0]
Unable to start Kestrel.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Object was not found.
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadCertificate(CertificateConfig certInfo, String endpointName)
at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.LoadDefaultCert()
at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()
at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Load()
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
Unhandled exception. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Object was not found.
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadCertificate(CertificateConfig certInfo, String endpointName)
at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.LoadDefaultCert()
at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()
at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Load()
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.Run(IHost host)
at Backoffice.Program.Main(String[] args) in D:\a\1\s\BackOffice\Program.cs:line 12
I must be missing something basic, since the problem is running DotNet Core on a Windows container using https. Nothing out of the ordinary.
Upvotes: 1
Views: 844
Reputation: 15193
Solved by running the container with user ContainerAdministrator.
The problem may not always surface; it looks related to the image used. For more information about this issue, check GitHub.
To set the user on docker-compose.yaml file add:
    services:
      webApp:
        user: "ContainerAdministrator"
To set from the command line:
    > docker-compose run --user ContainerAdministrator webApp
Upvotes: 4
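To confirm that the failure depends on the container user rather than on the PFX file itself, the load Kestrel performs in the stack trace can be reproduced in isolation. The console program below is an added diagnostic, not code from the original post or from ASP.NET Core; the class name `PfxLoadCheck` is hypothetical, and it assumes the same two environment variables the compose file sets. Run it in the container once as the image's default user and once with `--user ContainerAdministrator`, then compare the output.

```csharp
// Added diagnostic (not from the original post): repeats the X509Certificate2
// load shown in the stack trace under whatever user the container runs as.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PfxLoadCheck
{
    public static int Main()
    {
        // Same variables the compose file passes to Kestrel.
        string path = Environment.GetEnvironmentVariable("ASPNETCORE_Kestrel__Certificates__Default__Path");
        string password = Environment.GetEnvironmentVariable("ASPNETCORE_Kestrel__Certificates__Default__Password");
        if (string.IsNullOrEmpty(path))
        {
            Console.Error.WriteLine("Certificate path variable is not set.");
            return 2;
        }

        Console.WriteLine($"Running as: {Environment.UserName}");
        Console.WriteLine($"PFX file:   {path}");

        var flagSets = new[]
        {
            X509KeyStorageFlags.DefaultKeySet,   // what X509Certificate2(path, password) uses
            X509KeyStorageFlags.UserKeySet,
            X509KeyStorageFlags.MachineKeySet,
            X509KeyStorageFlags.EphemeralKeySet
        };

        int failures = 0;
        foreach (var flags in flagSets)
        {
            try
            {
                using var cert = new X509Certificate2(path, password, flags);
                Console.WriteLine($"{flags,-16} OK   subject={cert.Subject} hasPrivateKey={cert.HasPrivateKey}");
            }
            catch (CryptographicException ex)
            {
                failures++;
                Console.WriteLine($"{flags,-16} FAIL {ex.GetType().Name}: {ex.Message}");
            }
        }
        return failures == 0 ? 0 : 1; // non-zero if any load failed for this user
    }
}
```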