Open Closed

Untrusted Root error when running Abp Commercial via Docker Compose #4783


User avatar
0
duyan11110 created
  • ABP Framework version: 7.0.3
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace: AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception) System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions) System.Net.Security.SslStream.ForceAuthenticationAsync(bool receiveFirst, byte[] reAuthenticationData, CancellationToken cancellationToken) System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, bool async, Stream stream, CancellationToken cancellationToken) HttpRequestException: The SSL connection could not be established, see inner exception. System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, bool async, Stream stream, CancellationToken cancellationToken) System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, bool async, CancellationToken cancellationToken) System.Threading.Tasks.ValueTask.get_Result() System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, bool async, CancellationToken cancellationToken) System.Threading.Tasks.ValueTask.get_Result() System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(QueueItem queueItem) System.Threading.Tasks.TaskCompletionSourceWithCancellation.WaitWithCancellationAsync(CancellationToken cancellationToken) System.Threading.Tasks.ValueTask.get_Result() System.Net.Http.HttpConnectionPool+HttpConnectionWaiter.WaitForConnectionAsync(bool async, CancellationToken requestCancellationToken) System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, bool async, bool doRequestAuth, CancellationToken cancellationToken) System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, bool async, CancellationToken cancellationToken) System.Threading.Tasks.ValueTask.get_Result() System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, bool async, CancellationToken cancellationToken) Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.g__Core|5_0(HttpRequestMessage request, CancellationToken cancellationToken) Microsoft.Extensions.Http.PolicyHttpMessageHandler.SendCoreAsync(HttpRequestMessage request, Context context, CancellationToken cancellationToken) Polly.Retry.AsyncRetryEngine.ImplementationAsync(Func&lt;Context, CancellationToken, Task> action, Context context, CancellationToken cancellationToken, ExceptionPredicates shouldRetryExceptionPredicates, ResultPredicates shouldRetryResultPredicates, Func&lt;DelegateResult, TimeSpan, int, Context, Task> onRetryAsync, int permittedRetryCount, IEnumerable sleepDurationsEnumerable, Func&lt;int, DelegateResult, Context, TimeSpan> sleepDurationProvider, bool continueOnCapturedContext) Polly.AsyncPolicy.ExecuteAsync(Func&lt;Context, CancellationToken, Task> action, Context context, CancellationToken cancellationToken, bool continueOnCapturedContext) Microsoft.Extensions.Http.PolicyHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.g__Core|5_0(HttpRequestMessage request, CancellationToken cancellationToken) System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, bool disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken) Volo.Abp.Http.Client.ClientProxying.ClientProxyBase.RequestAsync(ClientProxyRequestContext requestContext) AbpRemoteCallException: An error occurred during the ABP remote HTTP request. (The SSL connection could not be established, see inner exception.) See the inner exception for details. Volo.Abp.Http.Client.ClientProxying.ClientProxyBase.RequestAsync(ClientProxyRequestContext requestContext) Volo.Abp.Http.Client.ClientProxying.ClientProxyBase.RequestAsync(ClientProxyRequestContext requestContext) Volo.Abp.Http.Client.ClientProxying.ClientProxyBase.RequestAsync(string methodName, ClientProxyRequestTypeValue arguments) Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.ClientProxies.AbpApplicationConfigurationClientProxy.GetAsync(ApplicationConfigurationRequestOptions options) Volo.Abp.AspNetCore.Mvc.Client.MvcCachedApplicationConfigurationClient.GetRemoteConfigurationAsync() Volo.Abp.AspNetCore.Mvc.Client.MvcCachedApplicationConfigurationClient.b__16_0() Volo.Abp.Caching.DistributedCache&lt;TCacheItem, TCacheKey>.GetOrAddAsync(TCacheKey key, Func&lt;Task> factory, Func optionsFactory, Nullable hideErrors, bool considerUow, CancellationToken token) Volo.Abp.AspNetCore.Mvc.Client.MvcCachedApplicationConfigurationClient.GetAsync() Volo.Abp.AspNetCore.Mvc.Client.RemoteLanguageProvider.GetLanguagesAsync() Microsoft.AspNetCore.RequestLocalization.DefaultAbpRequestLocalizationOptionsProvider.GetLocalizationOptionsAsync() Microsoft.AspNetCore.RequestLocalization.AbpRequestLocalizationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) Microsoft.AspNetCore.Builder.UseMiddlewareExtensions+<>c__DisplayClass6_1+<b__1>d.MoveNext() Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)
  • Steps to reproduce the issue:"
  • Docker compose file:
    version: '3.4'

services:
mydomain.authserver:
environment:
\- ASPNETCORE\_ENVIRONMENT=Development
\- ASPNETCORE\_URLS=https://\+:7000
\- ASPNETCORE\_Kestrel\_\_Certificates\_\_Default\_\_Path=/https/mydomain\.authserver\.pfx
\- ASPNETCORE\_Kestrel\_\_Certificates\_\_Default\_\_Password=
ports:
\- "7000:7000"
volumes:
\- \~/\.aspnet/https:/https:ro
\- $\{APPDATA\}/Microsoft/UserSecrets:/root/\.microsoft/usersecrets:ro

mydomain.web:
environment:
\- ASPNETCORE\_ENVIRONMENT=Development
\- ASPNETCORE\_URLS=https://\+:7004
\- ASPNETCORE\_Kestrel\_\_Certificates\_\_Default\_\_Path=/https/mydomain\.web\.pfx
\- ASPNETCORE\_Kestrel\_\_Certificates\_\_Default\_\_Password=
ports:
\- "7004:7004"
volumes:
\- \~/\.aspnet/https:/https:ro
\- $\{APPDATA\}/Microsoft/UserSecrets:/root/\.microsoft/usersecrets:ro

mydomain.webgateway:
environment:
\- ASPNETCORE\_ENVIRONMENT=Development
\- ASPNETCORE\_URLS=https://\+:7500
\- ASPNETCORE\_Kestrel\_\_Certificates\_\_Default\_\_Path=/https/mydomain\.webgateway\.pfx
\- ASPNETCORE\_Kestrel\_\_Certificates\_\_Default\_\_Password=
ports:
\- "7500:7500"
volumes:
\- \~/\.aspnet/https:/https:ro
\- $\{APPDATA\}/Microsoft/UserSecrets:/root/\.microsoft/usersecrets:ro

appsettings.json for Web project

{
"App": {
"SelfUrl": "[https://mydomain.web:7004"](https://mydomain.web:7004%22)
},
"AuthServer": {
"Authority": "[https://mydomain.authserver:7000"](https://mydomain.authserver:7000%22),
"RequireHttpsMetadata": "true",
"ClientId": "Web.Docker",
"ClientSecret": "1q2w3e\*",
"IsOnK8s": "false",
"MetaAddress": "[https://mydomain.authserver:7000"](https://mydomain.authserver:7000%22)
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"AllowedHosts": "\*",
"RemoteServices": {
"Default": {
"BaseUrl": "https:/mydomain.webgateway:7500"
}
}
}

I tried to add above pfx files to Trusted Root on my machine and the guide here: https://ubuntu.com/server/docs/security-trust-store but it didn't work. Pls help


9 Answer(s)
  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Did you generate the pfx files?

    Use dotnet dev-certs https -v -ep my-file.pfx -p MY_PASSWORD -t command to generate a pfx file under a folder. Then you can mount this file with path.

    Template has a sample for it that generates after using etc/docker/run-docker.sh script. You can also compare generated docker-compose file to see how it is volumed and mounted.

    Edit For linux, pfx is problematic as far as i know. You can use OpenSSL to generate self-signed certificate.

  • User Avatar
    0
    duyan11110 created

    I already generated pfx file with this command: New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "mydomain.webgateway" -FriendlyName "mydomain.webgateway" -NotAfter (Get-Date).AddYears(10) (because the URL is not localhost, they are container names instead), added to Trusted Root Certification Authorities on Local Machine and mounted successfully, but the error still occurs.

    For linux, pfx is problematic as far as i know. You can use OpenSSL to generate self-signed certificate.

    Do you mean linux for host or container? I use Windows host but linux container. Do I have to use OpenSSL to generate certificate? If yes, how to use that certificate in docker-compose file?

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    You can not generate SSL for containers, they need to be DNS. If you are already mapping the host names to ip address (like usings hosts file in windows), you can generate SSL certificate for them.

    However I can not see how you have mapped the volume. If you have generated the file, just keep it in a folder and mount the file. That should work for kestrel environment variable.

  • User Avatar
    0
    duyan11110 created

    I used host file to map like this: 127.0.0.1 mydomain.webgateway As you can see in my docker compose file:

    volumes:
    - ~/.aspnet/https:/https:ro
    

    Is that correct way to map certificate file? I can see all mapped pfx files in https folder of the container.

  • User Avatar
    0
    duyan11110 created

    Any update, pls?

  • User Avatar
    0
    duyan11110 created

    Hi,

    No more information?

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    This is not related to ABP but docker compose volume mounting.

    I also can't understand the escape characters:

    \- ASPNETCORE\_Kestrel\_\_Certificates\_\_Default\_\_Path=/https/mydomain\.authserver\.pfx

    Do you really need to escape the _ and . characters in the yaml file? I remember running docker-compose file in CentOS but I don't remember using any escape characters.

    My suggestion is creating a cert folder inside your solution and generate your pfx files under it and mount that first. After seeing it successfuly works, you can alter the path. You can create a new tiered application in version 7.1 and check the template docker-compose file as a sample.

    Since this is a generic question about docker-compose volume mounting; you can also ask it on StackOverflow aswell to reach a wider audiance since we have limited knowledge on third party tools.

  • User Avatar
    0
    duyan11110 created

    The escape character is added automatically when I copy and paste and then format it with code block. I saw the docker compose file of application template, it's the same as the one I created for microservice template. The problem is I can't trust the self-sign certificate which generated for each service domain name. Could you pls try to create a test app based on microservice template and configure docker compose for it to reproduce my issue?

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Trusting the self-sign certificate needs to be done in the server it is running at and unfortunatelly It is not something that i can do.

    You can try OpenSSL to generate and trust the certificate as documented in https://learn.microsoft.com/en-us/dotnet/core/additional-tools/self-signed-certificates-guide#with-openssl

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11