How to setup the dev certificate when using Docker in development

[Rick-Anderson]

related #3310 Javier is contact: This needs to go in Enforce HTTPS in an ASP.NET Core The first time you run dotnet after installing the SDK you get this message Successfully installed the ASP.NET Core HTTPS Development Certificate. To trust the certificate run 'dotnet dev-certs https --trust' (Windows and macOS only). For establishing trust on other platforms please refer to the platform specific documentation. For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.

Copied from #3310 We also need to cover how to setup the dev certificate when using Docker in development:

• Create an application on Visual Studio using the MVC template.

• Run the app to ensure its working.

• Add docker support for the application through the tooling.

• Modify the dockerfile to expose the port 443 with EXPOSE 443

• Modify the docker-compose override file to map ports, volumes and environement variables as follows (this will all be unnecessary after docker tooling has support for HTTPS):

  environment:
    - ASPNETCORE_ENVIRONMENT=Development
    - ASPNETCORE_URLS=https://localhost;http://localhost
    - ASPNETCORE_HTTPS_PORT=44349
  ports:
  # Replace the values on the left by the values on your launchSettings.json
    - "51217:80"
    - "44349:443"
  volumes:
    - ${APPDATA}/Microsoft/UserSecrets/:/root/.microsoft/usersecrets
    - ${APPDATA}/ASP.NET/Https:/root/.aspnet/https/

• Export the HTTPS certificate into a PFX file using the dev-certs global tool to %APPDATA%/ASP.NET/Https/<>.pfx using a password of your choice (recommended password new-guid on powershell)

• On your project, open user secrets and add the following configuration keys:

  {
  "Kestrel":{
      "Certificates":{
          "Default":{
              "Path":     "/root/.aspnet/https/<AppName>>.pfx",
              "Password": "<<Your-Password>>"
          }
      }
  }
  }

• Run your application within the container.

• Navigate to the HTTP endpoint on your application

  • You should not see any warning about the HTTPS certificate being invalid.
  • You should be redirected to the HTTPS endpoint automatically.

[kdcllc]

@bilalMlaik you can always generate a local cert yourself and use it with docker per this article: https://mikewilliams.io/net-core-2-1-and-docker-how-to-get-docker-to-recognize-a-local-ssl-certificate-6e637e1e8800

[bilalmalik777]

@kdcllc I am using asp.net core 2.0. I followed instruction as mention in the above-provided link, nothing prove fruitful. When i create sample application from visual studio(it is creating asp.net core 2.1 by default) then https start to work

[bilalmalik777]

@kdcllc I have solved the issue now it is running perfectly over the https. I used the following code .UseKestrel(options => { options.Listen(new System.Net.IPEndPoint(System.Net.IPAddress.Any, 443), listenOptions => { var configuration = (IConfiguration)options.ApplicationServices.GetService(typeof(IConfiguration)); var certPassword = configuration.GetValue<string>("Kestrel:Certificates:Default:Password"); var certPath = configuration.GetValue<string>("Kestrel:Certificates:Default:Path"); var cert = new X509Certificate2(certPath, certPassword); listenOptions.UseHttps(new HttpsConnectionAdapterOptions() { ClientCertificateMode = ClientCertificateMode.NoCertificate, SslProtocols = System.Security.Authentication.SslProtocols.Tls, ServerCertificate = cert }); }); })

[inpicksys]

@bilalMlaik Glad to hear it. UseKestrel -> causes errors. and deployment issues, that blocks me from stable work. As this thread and issues only for dev purposes -> I'm removed https from dev env. Raized CORS & other issues as calls from https to http or from http to https causes stupid time consuming issues. Https set up will be used only on production & with nginx. Spent a week for this. Its not clear & unstable. Not cross-browser & not cross platform. Maybe, in future it will handled, documented & described better. Thanks.

[datvm]

Not sure if it's because it's patched, but I have just created a new ASP.NET Core 2.2 project and I no longer have the certificate problem. And I see the web is running at https://localhost:44335/api/values instead of a local IP (I see no IIS server icon so I guess it's correctly running in Docker, there is a running container). However, I check the port, it says:

0.0.0.0:51595->80/tcp, 0.0.0.0:44335->443/tcp

Is it fixed already?

[phsumi]

Installed Asp.net Core 2.2 today, ran the project wizard with a Linux container. First attempts to run it didn't work, had to restart Docker, which got me one step further to the dialog about the DEV certificate. Ran through those steps to create the certificate and am now getting the dreaded No server certificate was specified, and the default developer certificate could not be found error.

I now created another vanilla solution, and this one ran out of the box, but I can't see a difference to the initial one. I cleared the docker containers and images, restarted VS, still the same. Could there be an issue with some local files I can clean out for the first project?

[ma1f]

describe how to setup a base docker image for dotnet core 2.2 with https & http/2 (no longer appears to be enabled by default) here - https://medium.com/@ma1f/docker-dotnet-3d979f56efe6 key environment settings as follows - no need to setup listener in startup with ports etc.

ENV Kestrel:Certificates:Default:Path=/etc/ssl/private/cert.pfx
ENV Kestrel:Certificates:Default:Password=changeit
ENV Kestrel:Certificates:Default:AllowInvalid=true
ENV Kestrel:EndPointDefaults:Protocols=Http1AndHttp2

[jcoutch]

For anyone pulling their hair out trying to get developer certificates working locally with a Docker container in Visual Studio without having to jump through all these hoops, there's a bug with Visual Studio and/or Kestrel: https://github.com/aspnet/AspNetCore/issues/9528

Visual Studio auto-generates the certificate name based on your project's name, whereas Kestrel is expecting the name to match to your application/assembly name. To work around this, rename your project to match your assembly name, restart Visual Studio, and the certificate will get auto-generated with the correct name in %APPDATA%\ASP.NET\Https, and as long as you're using the default builder for your ASP.NET site (or manually add user secrets to your config builder), Kestrel will happily use the auto-generated developer certificate when running locally.

[killnine]

Thanks, @jcoutch this worked for me. It's a little jankey seeing the full assembly name as the project name in my solution but w/e....

[Rick-Anderson]

@scottaddie are you able to do this in the next 6 weeks or should we assign to the PU?

[n10l]

Easiest workaround, works for me (when creating new project with https and docker support with linux container):

1) From visual studio, while creating new project select checkbox to add Docker Support. Visual studio will cry for Docker Desktop is not running. Ignore that. 2) Next, add Orchestration support in your project and a docker compose will be generated automatically. 3) Now run and access your app with docker ip. Hopefully, everything works if above steps done in sequence.

Note: I am on a Windows 10 Home VM running on Mac inside Parallels. I stopped and removed all the old docker containers before trying this, where I was facing the errors mentioned here.

[scottaddie]

@Rick-Anderson Please assign to PU

[javiercn]

There are docs for this here https://github.com/dotnet/dotnet-docker/blob/master/samples/aspnetapp/aspnetcore-docker-https.md

[javiercn]

@mkArtakMSFT I've already pointed out to the related docs, now sure what you expect from me here. I think this was already discussed on a thread and addressed, but I might be wrong. @danroth27 can confirm.

[mkArtakMSFT]

I see, hadn't read through all this. Should this be closed then? @Rick-Anderson ?

[danroth27]

The content in https://github.com/dotnet/dotnet-docker/blob/master/samples/aspnetapp/aspnetcore-docker-https.md should be part of our official docs. Someone needs to do the work of turning that content into official doc content.

[Rick-Anderson]

I've done that - see https://docs.microsoft.com/en-us/aspnet/core/security/docker-https?view=aspnetcore-2.2 Not sure why this didn't get closed.

[Rick-Anderson]

https://github.com/aspnet/AspNetCore.Docs/pull/13046

[danroth27]

Ah! Cool, sounds good then 😃.

[jorgeolive]

I know this is closed already.. but, does the suggested configuration work with 3.0? I've followed above steps and I am getting a weird docker compose error "Duplicate mount point: /root/.aspnet/https" using the following images:

FROM mcr.microsoft.com/dotnet/core/aspnet:3.0-buster-slim AS base

FROM mcr.microsoft.com/dotnet/core/sdk:3.0-buster AS build

Any help would be greatly appreciated.

Thanks, Jorge.

[javiercn]

Hi.

It looks like you are posting on a closed issue!

We're very likely to lose track of your bug/feedback/question unless you:

1. Open a new issue
2. Explain very clearly what you need help with
3. If you think you have found a bug, include detailed repro steps so that we can investigate the problem

[jnpwly]

@jorgeolive -- kia ora. Did you end up opening a new issue regarding this and whether it works on .NET Core 3.x? I am also having difficulty getting a multi-containerised topology up and running, so it is either "user error" on my part, or possibly something you have already fixed. So, I'm just checking :)

[KevinBurton]

I started with the suggestions Rick-Anderson commented on May 22, 2018 but I am running into 'access denied' when exporting the certificate, for not only the .aspnet path as suggested but what seems to be any path. Ideas on how to get over this hurdle?

[javiercn]

Hi.

It looks like you are posting on a closed issue!

We're very likely to lose track of your bug/feedback/question unless you:

1. Open a new issue
2. Explain very clearly what you need help with
3. If you think you have found a bug, include detailed repro steps so that we can investigate the problem

[bilalmalik777]

i updated my application from 2.2 to 3.1 and facing the following error.It was working perfectly in 2.2 with docker 'error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure'

it was working fine with 2.2 but now facing an error in development mode. i run the following command to generate the dev certificate

dotnet dev-certs https -ep %APPDATA%\ASP.NET\Https\TT.Core.Portal.Web.AzureHybrid.pfx -p password
dotnet dev-certs https --trust
dotnet user-secrets -p TT.Core.Portal.Web.AzureHybrid.csproj set "Kestrel:Certificates:Development:Password" "password"

program.cs

            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseKestrel(options =>
                             {
                                 bool.TryParse(Environment.GetEnvironmentVariable("IsDockerDeployment"), out bool isDockerDeployment);
                                 if (isDockerDeployment)
                                 {
                                     options.Listen(new IPEndPoint(IPAddress.Any, 443), listenOptions =>
                                     {
                                         var configuration = (IConfiguration)options.ApplicationServices.GetService(typeof(IConfiguration));
                                         var certPassword = Environment.GetEnvironmentVariable("ASPNETCORE_Kestrel__Certificates__Development__Password");
                                         var certPath = Environment.GetEnvironmentVariable("ASPNETCORE_Kestrel__Certificates__Development__Path");
                                         Console.WriteLine(certPassword);
                                         Console.WriteLine(certPath);

                                         var certificate = new X509Certificate2(certPath, certPassword);
                                         Console.WriteLine("Certificate provided");
                                         var httpsConnectionAdapterOptions = new HttpsConnectionAdapterOptions()
                                         {
                                             ClientCertificateMode = ClientCertificateMode.NoCertificate,
                                             SslProtocols = System.Security.Authentication.SslProtocols.Tls12,
                                             ServerCertificate = certificate,
                                         };
                                         listenOptions.UseHttps(httpsConnectionAdapterOptions);
                                     });
                                 }
                             });
                    ////webBuilder.UseIIS();
                    webBuilder.UseStartup<Startup>();
                });```

i also declared both environment varibale **ASPNETCORE_Kestrel__Certificates__Development__Password** &&  **ASPNETCORE_Kestrel__Certificates__Development__Path** in the docker compose file.
Please help me to solve this issue

[badrdouah]

one question, can someone please answer, should i use the certficate created by asp.net to enable https for my container on a production server, or the cert-manager ingress tls certificate is enough, there is absolutely nothing about this one the internet, can someone please explain this

[ma1f]

Easiest is to simply use mkcert (https://github.com/FiloSottile/mkcert) to generate any self-signed certificates, using a root cert, then place something like cloudflare in front with flexible SSL, this way you maintain SSL all the way through. Alternatively if your'd rather manage the actual certificates yourself simply set the correct environment variables as detailed in the docker image below and strip out the rootCA/mkcert commands.

Example base docker image

FROM mcr.microsoft.com/dotnet/aspnet:6.0

# update system
RUN apt-get update -y && apt-get upgrade -y

# dotnet specific env vars, default to development environment
ENV ASPNETCORE_ENVIRONMENT=Development
ENV ASPNETCORE_URLS=http://+:80;https://+:443

# dotnet kestrel env vars
ENV Kestrel:Certificates:Default:Path=/etc/ssl/private/cert.pfx
ENV Kestrel:Certificates:Default:Password=changeit
ENV Kestrel:Certificates:Default:AllowInvalid=true
ENV Kestrel:EndPointDefaults:Protocols=Http1AndHttp2

# copy certificate authority certs from local file system
ARG CA_KEY=./devops/Infrastructure.Hosting.HTTP.SSL/rootCA-key.pem
ARG CA_CERT=./devops/Infrastructure.Hosting.HTTP.SSL/rootCA.pem
ARG DOMAINS='localhost 127.0.0.1 ::1'

# default ca cert location (mkcert)
COPY ${CA_KEY} /root/.local/share/mkcert/rootCA-key.pem
COPY ${CA_CERT} /root/.local/share/mkcert/rootCA.pem

# install CA and SSL cert
RUN apt-get install curl -y && \
    curl -L https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 > /usr/local/bin/mkcert && \
    chmod +x /usr/local/bin/mkcert
RUN mkcert -install
RUN mkcert -p12-file /etc/ssl/private/cert.pfx -pkcs12 $DOMAINS

# Install locale
RUN apt-get install locales -y \
    && localedef -f UTF-8 -i en_GB en_GB.UTF-8 \
    && update-locale LANG=en_GB.utf8

ENV LANG=en_GB:en \
    LANGUAGE=en_GB:en \
    LC_ALL=en_GB.UTF-8

WORKDIR /app

EXPOSE 80
EXPOSE 443

Then each application uses this base docker image and overrides the domains if needed

RUN mkcert -p12-file /etc/ssl/private/cert.pfx -pkcs12 localhost ::1 127.0.0.1 mydomain-k8s-alias mydomain.com

As all the correct environment variables are setup, using the default webhost builder is all that is needed.

            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder => {
                    webBuilder.UseStartup<Startup>();
                });