
My local development (5 node) cluster has two stateless services installed: one .Net Core Web Gui service and one .Net Core WebAPI service. Both are configured to use an https endpoint. The certificates are self-signed certificates and are added to both trusted root and personal (in both current user and localmachine).

I can access both endpoints using a local browser without getting any certificate errors. It says the connection is secure and the certificates are trusted. So far so good.

But when my Web API service calls my Web Gui service, it says it cannot create a trusted connection.

Why can my local browser create a trusted connection but not the Service running in the local cluster?

Does a Node in a local cluster have its own Certificate Store?

Can you use ServicePointManager.ServerCertificateValidationCallback to see more information about why the handshake failed? - LoekD
Ok, I will try that and get back with the results. Thanks - Per B
Looking at the ServerCertificateValidateCallback function showed me that the problem is: System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot. But why does the Service report this, and not my Web Browser? - Per B
Are you using the FQDN (not localhost) to call the service in both cases? - LoekD
Yes I do, hostnames are added to the host file. - Per B

1 Answer


So it turns out that I missed adding the certificates to the machine root and that's what caused the problem.

For local SSL to work, I needed to add the self-signed certificates to:

localmachine/my
localmachine/root

This lets services call services from within the local cluster.

currentuser/my
currentuser/root

This lets my browsers call my services without ssl errors.

Hope this helps someone else :)
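
A quick way to check the four stores named in the answer, as an added example that is not part of the original post. The subject name, the `.cer` path and the `-Fix` switch are constructed placeholders; the import step needs an elevated prompt.

```powershell
# Added example: report which stores hold the development certificate and
# optionally add the public certificate to LocalMachine\Root.
# $Subject and $CerPath are constructed placeholders; replace them with your own.
param(
    [string]$Subject = 'CN=mygui.local.example',
    [string]$CerPath = '.\mygui.local.example.cer',
    [switch]$Fix
)

$stores = 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root'

function Get-StorePresence {
    param([string]$Subject, [string[]]$StorePaths)
    foreach ($path in $StorePaths) {
        # Exact subject match; a self-signed certificate has Subject equal to Issuer.
        $hits = @(Get-ChildItem -Path $path | Where-Object { $_.Subject -eq $Subject })
        [pscustomobject]@{
            Store      = $path
            Present    = $hits.Count -gt 0
            Thumbprint = ($hits | Select-Object -First 1).Thumbprint
            NotAfter   = ($hits | Select-Object -First 1).NotAfter
        }
    }
}

$report = Get-StorePresence -Subject $Subject -StorePaths $stores
$report | Format-Table -AutoSize

# A process running under a different account does not see your CurrentUser
# stores, so trust for service-to-service calls has to come from LocalMachine.
$machineRoot = $report | Where-Object Store -eq 'Cert:\LocalMachine\Root'
if (-not $machineRoot.Present) {
    Write-Warning "$Subject is missing from LocalMachine\Root; callers running under another account will report UntrustedRoot."
    if ($Fix -and (Test-Path -Path $CerPath)) {
        # Imports the public certificate only (no private key).
        Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
    }
}
```

Trust only certificates you generated yourself this way, and remove them from the root stores when the development cluster is retired.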