Closed carlos-sarmiento closed 1 year ago
Ok, so after more debugging I figured out the issue. Leaving the information here in case others are facing the same problem.
My certificates are signed by a proper CA authority, this means that the client auth cert is signed by an intermediate authority which is itself signed by the root CA. In this kind of circumstance, the client is expected to send to the server the full certificate chain right up to the root CA. So in my case, it would be sending both the ClientCertificate and the Intermediate Certificate. With those two, the server can use the root CA to validate the intermediate and then the client, and everything would work correctly.
Dotnet does not do that; instead, it sends only the Client certificate to the server, signed by the intermediate. Since the server does not have the intermediate cert, it cannot validate the client and therefore rejects the request. This is a known bug in dotnet and it seems to be getting fixed in 8.0.
In the meantime, a workaround is to include the intermediate cert on the ca.pem file installed on the Docker server. This way everything can be validated correctly.
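As an added illustration (not code from this issue or from the Docker.DotNet project), the script below builds a constructed root / intermediate / client PKI with openssl and runs the daemon-side validation for the three situations described above: the leaf alone against a root-only ca.pem (what dotnet sends), the leaf plus the intermediate (what curl and the docker CLI send), and the leaf alone against a ca.pem with the intermediate appended (the workaround). All file names, subjects and the `server_accepts`/`chain_status` helpers are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the issue: constructed root -> intermediate -> client
# PKI, then the same chain validation a TLS server performs on a client cert.
set -eu

PKI=$(mktemp -d)   # every file under $PKI is constructed test material

# One config file drives every openssl call so the CA bits are explicit.
cat > "$PKI/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# issue NAME CN ISSUER EXTSECTION: CSR for CN, signed by ISSUER's key, -> NAME.pem
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$PKI/pki.cnf" \
        -subj "/CN=$2" -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$PKI/$1.csr" -CA "$PKI/$3.pem" -CAkey "$PKI/$3.key" \
        -CAcreateserial -extfile "$PKI/pki.cnf" -extensions "$4" -out "$PKI/$1.pem" 2>/dev/null
}

# Self-signed root CA: the role ca.pem plays in the issue.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$PKI/pki.cnf" \
    -subj "/CN=Test Root CA" -keyout "$PKI/root.key" -out "$PKI/root.pem" 2>/dev/null
issue int "Test Intermediate CA" root ca   # intermediate CA, signed by the root
issue client docker-client int leaf        # client auth cert, signed by the intermediate

# Mimic the daemon: validate the presented leaf ($2) against its trusted
# ca.pem ($1). $3, if given, is the extra chain the client sent with the leaf.
server_accepts() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}
chain_status() { if server_accepts "$@"; then echo accepted; else echo rejected; fi; }

cat "$PKI/root.pem" "$PKI/int.pem" > "$PKI/ca-with-intermediate.pem"   # the workaround
echo "leaf only, root-only ca.pem (dotnet):          $(chain_status "$PKI/root.pem" "$PKI/client.pem")"
echo "leaf + intermediate sent (curl/docker CLI):    $(chain_status "$PKI/root.pem" "$PKI/client.pem" "$PKI/int.pem")"
echo "leaf only, intermediate appended to ca.pem:    $(chain_status "$PKI/ca-with-intermediate.pem" "$PKI/client.pem")"
```

The first line prints `rejected` (the daemon cannot find the leaf's issuer) and the other two print `accepted`; the workaround works because openssl treats every certificate in the CA file as a usable issuer when building the chain.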
Output of `dotnet --info`:
What version of Docker.DotNet?:
Steps to reproduce the issue:

```sh
docker context update --docker "host=tcp://somedomain.com:2376,ca=ca.pem,cert=server.pem,key=server-key.pem" local-https
curl https://somedomain.com:2376/images/json --cert server.pem --key server-key.pem --cacert ca.pem
openssl pkcs12 -export -inkey server-key.pem -in server.pem -out key.pfx -certfile ca.pem
```
What actually happened?: When running using Docker.DotNet it fails with SSL authentication errors.
On the dotnet app:
On the docker host:
What did you expect to happen?: Normal, successful connection
Additional information: