skoruba / Duende.IdentityServer.Admin

The administration for the Duende IdentityServer and Asp.Net Core Identity ⚡
Apache License 2.0
556 stars 194 forks

SSL Invalid: PartialChain (docker-compose) #106

Open cypherbuild opened 1 year ago

cypherbuild commented 1 year ago

Description

AuthenticationException when attempting to access the admin UI after initial build & run. I can access https://admin-api.skoruba.local/swagger & https://sts.skoruba.local with no SSL errors.

I went through the steps with mkcert. For some reason I don't think the nginx config is handling the SSL passthrough correctly, but I can't put my finger on it.

Admin UI Reproduction

1. Run project with docker-compose debug in vs
2. Navigate to `https://admin.skoruba.local` 

STS UI Reproduction

1. Run project with docker-compose debug in vs
2. Navigate to `https://admin.skoruba.local`
3. Login with default admin credentials
4. Click `IdentityServer Admin` button on NavBar

Relevant parts of the log file

```
2022-11-23 17:10:46.335 -06:00 [ERR] An unhandled exception has occurred while executing the request.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
 ---> System.Net.Http.HttpRequestException: No connection could be made because the target machine actively refused it. (localhost:44310)
 ---> System.Net.Sockets.SocketException (10061): No connection could be made because the target machine actively refused it.
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Sockets.Socket.<ConnectAsync>g__WaitForConnectWithCancellation|277_0(AwaitableSocketAsyncEventArgs saea, ValueTask connectTask, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authorization.Policy.AuthorizationMiddlewareResultHandler.HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
   at NWebsec.AspNetCore.Middleware.Middleware.CspMiddleware.Invoke(HttpContext context)
   at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
   at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
   at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
   at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
```

cypherbuild commented 1 year ago

I may actually be able to debug this a little more. I also noticed an issue with the docker-compose debug where the output directory was actually set to .net5.0 instead of 6.0.

cypherbuild commented 1 year ago

@skoruba could it be the URL mapping to the identity server within the docker network?

NickBuckland commented 1 year ago

@cypherbuild I have just installed IdentityServer using Docker and am experiencing the exact same issue for https://admin.skoruba.local. Did you manage to resolve it?

BTW, thanks for the heads up regarding the output directory pointing to .net50 (I could not get docker-compose to run without this fix).

apetrut commented 1 year ago

Hi @cypherbuild ,

Can you confirm how you managed to run the https://sts.skoruba.local with no SSL errors?

I followed the manual from @skoruba, but this command line didn't work.

I have manually copied the certificate and .pem file and renamed them. Now the volume in Docker looks like below and still doesn't work:


albrookesplowman commented 1 year ago

@apetrut / @cypherbuild - have either of you managed to find a solution to this problem? I am getting the same problem when running in docker.

albrookesplowman commented 1 year ago

It seems to be related to "Unable to obtain configuration from: '/.well-known/openid-configuration'."

apetrut commented 1 year ago

@albrookesplowman I managed to run the admin project locally by setting the correct certificate path like below:


However, sometimes I get the same issues when navigating to the Admin page.


A similar issue has been opened [here](https://github.com/skoruba/Duende.IdentityServer.Admin/issues/124#issuecomment-1428544695).

apetrut commented 1 year ago

@albrookesplowman I have tried this approach, but it works on my machine only every second run. This change needs to be made in all 3 projects.


Can you confirm it's working on yours as well? Regards.

@skoruba do you have any advice on this one?

apetrut commented 1 year ago

@albrookesplowman regarding this exception: `System.Net.Http.HttpRequestException: No connection could be made because the target machine actively refused it. (localhost:44310)`

Why is it showing localhost if the SSL certificates for skoruba.local are installed? It shouldn't use localhost anymore.

albrookesplowman commented 1 year ago

@apetrut - my problem was down to the location of the certificates. I had updated the original dockerfile to build with the runtime-deps:7.0-alpine Microsoft image so that I can dramatically reduce the image size. However, in doing this it stuffed up the certificates as apparently Alpine Linux expects the certificates to be in the /etc/ssl/certs/ directory. By simply changing the volume mapping in the docker compose file, it all burst back into life... Don't know if that gives some pointers as to where your problem might be. I also debugged it by using the terminal into the container to check that all the files were where I expected them to be...

apetrut commented 1 year ago

@albrookesplowman so you no longer get errors when you click IdentityServer Admin button on NavBar?

albrookesplowman commented 1 year ago

@apetrut - I get a different problem than before now, but at least I can log in... I get a 502 bad gateway error when I click on this button... but this appears to be coming from the nginx proxy... I will let you know if I find anything.

albrookesplowman commented 1 year ago

@apetrut - my bad gateway problem was down to the config of the proxy..

I didn't have the vhost.d information configured correctly...

https://stackoverflow.com/questions/48964429/net-core-behind-nginx-returns-502-bad-gateway-after-authentication-by-identitys

apetrut commented 1 year ago

@albrookesplowman So now everything works properly using docker?

albrookesplowman commented 1 year ago

@apetrut - yep.. everything good now

NickBuckland commented 1 year ago

Hi All, I have just tried to follow up on your comments to see if I can resolve my issues, but no success. I'm back to: https://sts.skoruba.local/ works; https://admin.skoruba.local/ gives `Error An unhandled exception occurred while processing the request. AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain`

I have tried adding the certs into the cacerts.crt folder. I have tried adding the parameters to nginx.conf.

Any other suggestions?

@apetrut can you elaborate on how you updated the original dockerfile to build with the runtime-deps:7.0-alpine?

Thanks

apetrut commented 1 year ago

@NickBuckland I can load admin.skoruba.local but can't load the Administrative page from time to time.


Have you run the following commands?

```powershell
copy $env:LOCALAPPDATA\mkcert\rootCA-key.pem ./cacerts.pem
copy $env:LOCALAPPDATA\mkcert\rootCA.pem ./cacerts.crt
```

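To see why .NET reports `PartialChain` before touching the containers again, the following diagnostic (an added example, not part of the skoruba project or of anyone's comment above) builds the chain for the certificate the server presents twice: once against the machine store and once trusting only the `cacerts.crt` file that the copy command above produces. The host name, port and file path are assumptions taken from this thread; it needs PowerShell 7 (.NET 5 or later) for `X509ChainPolicy.CustomTrustStore`.

```powershell
# Added diagnostic, not the project's own code. Assumed values: host/port
# of the admin UI and the cacerts.crt produced by the copy command above.
param(
    [string]$HostName  = 'admin.skoruba.local',
    [int]   $Port      = 443,
    [string]$MountedCa = './cacerts.crt'   # the file docker-compose mounts into the container
)

# Fetch the leaf certificate the server actually presents. The callback
# accepts unconditionally here only so the chain can be inspected below.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
$tls = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
$tls.AuthenticateAsClient($HostName)
$leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
$tls.Dispose(); $tcp.Dispose()

function Test-Chain([string]$Label, [System.Security.Cryptography.X509Certificates.X509Chain]$Chain) {
    $Chain.ChainPolicy.RevocationMode = 'NoCheck'   # mkcert certs carry no CRL/OCSP endpoints
    $ok    = $Chain.Build($leaf)
    $flags = ($Chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    "{0}: valid={1} status=[{2}]" -f $Label, $ok, $flags
    foreach ($el in $Chain.ChainElements) { "    " + $el.Certificate.Subject }
    if ($flags -match 'PartialChain') {
        "    -> chain never reaches a trusted root: the CA that issued '$($leaf.Subject)' is not in this trust store"
    }
}

# 1) The host's view: mkcert -install placed rootCA.pem in the machine store.
Test-Chain 'Machine store' ([System.Security.Cryptography.X509Certificates.X509Chain]::new())

# 2) The container's view: trust nothing except the mounted cacerts.crt.
#    PartialChain here means cacerts.crt is not the root that issued the
#    server certificate (wrong or stale mkcert root was copied).
$custom = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$custom.ChainPolicy.TrustMode = 'CustomRootTrust'
$custom.ChainPolicy.CustomTrustStore.Add(
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($MountedCa)) | Out-Null
Test-Chain "Only $MountedCa" $custom
```

If the second check passes but the container still fails, the file is not where the image's trust store looks for it (for Alpine-based images, `/etc/ssl/certs/`, as noted earlier in this thread). Only the public `rootCA.pem` needs to reach a container trust store; `rootCA-key.pem` is the CA private key and can stay on the host.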

albrookesplowman commented 1 year ago

@NickBuckland - Please find attached a copy of the Dockerfile for the STS identity project for alpine and dotnet 7. The other alterations I needed to make were to the project file to handle the globalization in the alpine images.

```xml
<PublishReadyToRun>true</PublishReadyToRun>
<PublishTrimmed>true</PublishTrimmed>
<InvariantGlobalization>false</InvariantGlobalization>
```

Dockerfile.txt

It brought the images down to about 150MB in size...

You can then make the same changes to the other dockerfiles... Any problems then shout...

NickBuckland commented 1 year ago

Thanks @albrookesplowman, so you are saying that I need to update each Dockerfile to pull the alpine image? Unfortunately I'm not very experienced with Docker. There seem to be a lot of changes in the file you provided as opposed to the original file. Would I be able to just update the `FROM mcr.microsoft.com/dotnet/sdk:7.0-alpine AS build` line, or are more config changes required? This is all a bit frustrating when all I want to do is spin up IdentityServer using DockerCompose :/

albrookesplowman commented 1 year ago

@NickBuckland - you will only need to update the dockerfiles if you want to use Alpine .NET 7. If you just want to use the docker compose as is then it should all work out of the box. It did for me. I wanted to run .NET 7 in smaller containers, which is why I modified them.. Sorry if I have confused you further.

albrookesplowman commented 1 year ago

@NickBuckland my guess is that your problem is down to where the certs are configured. Can you confirm again where your certificates are being stored on the admin container?

NickBuckland commented 1 year ago

Thanks for your help @albrookesplowman !

The cert is mapped in the DockerCompose file.

NickBuckland commented 1 year ago

Hmm, I have a new error now, I think it is progress :) From the Admin site I see `SqlException: Invalid column name 'CoordinateLifetimeWithUserSession'.`

This kind of implies that it is at least trying to contact STS.

albrookesplowman commented 1 year ago

@NickBuckland - that looks like a database migration/update problem.... the code is looking for a column that doesn't exist in the database... I think, if I remember rightly from what I have seen from @skoruba, that this came in during the latest release.

NickBuckland commented 1 year ago

Ahha!!! Success. I ended up starting again (now about my 17th attempt). I cloned the source from the repo and it has worked. My previous attempts were using the nuget packages or the VS templates, which all failed, one way or another.

Out of morbid curiosity I might try to reverse engineer the working config into my previous solutions to see if I can get those to work. Thanks for your help guys.

NadeemSadiq commented 10 months ago

I tried cloning this project and trying again, but still seem to get this error. I went through the steps and have all the certificates, and I can see the certificates in the containers, but still no luck. Anything else I can do to test and make sure I haven't messed anything up? I copied the certificate so many times, but I still can't seem to get it to work.

NadeemSadiq commented 10 months ago

I got it working. I am working in Linux, and when I made the mkcert I did run it as admin, but I tried again without admin (cleared everything before testing, including the volumes) and retested it (made sure to restart my browser when making/installing certificates). It works fine for me now.

skoruba commented 10 months ago

@NadeemSadiq - thanks for your feedback on this.