✅ DEV Certificate invalid password for ASP.NET in docker
I'm using docker compose orchestration for my solution containing ASP.NET projects.
I've created a DEV certificate using
dotnet dev-certs https -t -p changeit
The password for the certificate is supposed to be changeit
In the docker-compose-override.yml
I've configured the path to the certificate and the password.
The path should be correct; however, the password is not working - I get an exception:
System.Security.Cryptography.CryptographicException: 'The certificate data cannot be read with the provided password, the password may be incorrect.'
When trying to check the certificate's password using openssl, I also get an invalid password error.
Input: openssl pkcs12 -in GrpcServer.pfx -noout
Output: Mac verify error: invalid password?
Might be because I'm using the command incorrectly, but still... in both cases it is incorrect.
What am I doing wrong?
@denis.akopyan It seems the flag --trust isn't supported on Linux:
- https://learn.microsoft.com/en-us/aspnet/core/security/docker-compose-https?view=aspnetcore-7.0#macos-or-linux
Check https://learn.microsoft.com/en-gb/aspnet/core/security/enforcing-ssl?view=aspnetcore-5.0&tabs=visual-studio%2Clinux-ubuntu#ubuntu-trust-the-certificate-for-service-to-service-communication-1
I read that line multiple times in the msdocs and it never occurred to me
I suppose I have to add those entries to my dockerfile, I will try, thank you!
Not sure what I'm doing wrong, but it seems that the referenced Dockerfile by the docker-compose is not being executed?
@head0nf1re any ideas?
Probably this:
- https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel/endpoints?view=aspnetcore-7.0#listenoptionsusehttps
If any issues pop up, see this thread:
- https://github.com/dotnet/AspNetCore.Docs/issues/6199
Absolutely no progress. Is there a working project I can refer to as an example? https://github.com/hailstorm75/GrpcDocker-Experiment is what I'm trying to deploy via docker
Unknown User•2y ago: Message not public
Multiple
Unknown User•2y ago: Message not public
Yes, that I know. The first step is to make this work in a developer environment
Unknown User•2y ago: Message not public
Yeah, I think you already pointed me to that fact in an older thread. However, I'm still fighting to get the dev cert to work. At some point I was able to access the container and successfully send a message. But I could only run the docker-compose from VS, but not Rider - strange
Unknown User•2y ago: Message not public
man I'm trying everything and anything I find 😄
Unknown User•2y ago: Message not public
Yes, that is what I would expect
Unknown User•2y ago: Message not public
So, e.g., running via docker run
yeah, I will try
Unknown User•2y ago: Message not public
I have in a changed version not available on GH
Unknown User•2y ago: Message not public
I have tried with only one container, and that seemed to state work
Unknown User•2y ago: Message not public
And I am attempting to add a second to the mix
Will try and come back to you
Unknown User•2y ago: Message not public
Sorry for sounding like a broken record... Just to clarify:
dev-certs generates a certificate for localhost
This certificate can be used only by one container, right?
When there are multiple containers, they would request the same certificate and thus result in a conflict... or?
Unknown User•2y ago: Message not public
Alright
Unknown User•2y ago: Message not public
Here is a simplified example of what I wish to achieve with this experiment
Ofc, I would like to later add a db and so on
Unknown User•2y ago: Message not public
that sucks
Unknown User•2y ago: Message not public
If you wish we can go to VC
Unknown User•2y ago: Message not public
lol
Unknown User•2y ago: Message not public
So you generate the cert in the dockerfile
uhuh
Unknown User•2y ago: Message not public
understood
Unknown User•2y ago: Message not public
For production, I'd need a real certificate, that I would inject from some certstore + secret store
Unknown User•2y ago: Message not public
yes, I see that it is empty
Unknown User•2y ago: Message not public
Is that something I should do for a production certificate? - define multiple DNS's or I should use individual certs for each app?
Unknown User•2y ago: Message not public
call the LE (let's encrypt) api every X in a while (like every 30/60 days)
This is concerning, can it be automated? The end goal is to develop an application that will be deployed on-premises of multiple customers
Unknown User•2y ago: Message not public
Or, if the app will be running on-premise, I could say screw it and run on HTTP
I will look it up
Unknown User•2y ago: Message not public
yes, completely on-premises. Most likely on some crappy workstation
Unknown User•2y ago: Message not public
Great load of questions I do not have many answers for, this is all in discussion rn
So the plan is to start on-premise
And be ready for a cloud solution
If and when a client, or higher management decides to use a cloud solution, the ground-work would already be done and we simply deploy, e.g. via K8
If this sounds like total bs, please feel free to let me know
Unknown User•2y ago: Message not public
That sounds very reasonable
Unknown User•2y ago: Message not public
For the machine hosting the server and any other possible web applications, databases, caches, yes
For machines connecting to the server, the target artifact is not docker - the application will be installed probably via a classic windows installer
The delivery pipeline is not yet defined. So far we've been doing a manual installation - technician comes in, and installs everything for the client
Unknown User•2y ago: Message not public
like k8 or openshift
Unknown User•2y ago: Message not public
I'd assume the goto orchestrator would be K8
Unknown User•2y ago: Message not public
since it is supported by both Azure, AWS, DigitalOcean...
Unknown User•2y ago: Message not public
right...
Unknown User•2y ago: Message not public
A client, separate application from the server.
Unknown User•2y ago: Message not public
Yeah, for example
Unknown User•2y ago: Message not public
Hmm... maybe I mix up the terms
Unknown User•2y ago: Message not public
Yes, then it is a blazor server, that is also a client consuming data from the gRPC server
Unknown User•2y ago: Message not public
Maybe I'm overthinking this? And it is best to just focus on developing an on-premise solution. And later add the necessary details for the cloud deployment?
Unknown User•2y ago: Message not public
So same story
Unknown User•2y ago: Message not public
Looks like I will have to clarify many more things before I can move forward... Thanks a ton for your insight