1
votes

I have a Docker image, based on the microsoft/dotnet:2.1-runtime image (Linux).

However, since 1/6, the .NET code (and other code) in the container is not able to connect to certain sites that use a COMODO CA certificate.

E.g. the following fails inside the container, due to the expired certificate: curl https://code.jquery.com

Result: curl: (60) SSL certificate problem: certificate has expired

I have tried calling update-ca-certificates inside the container, but that does not change anything.

My desktop browsers somehow have updated the CA certs themselves, but the Docker container has not.

I don't really need curl to work (that was just a test to show the issue), but I do need my own .NET code to work (which causes a similar error). Any ideas how I can force the container to update the CA certs, or make this work somehow? I obviously do not want to skip certificate validation!

Are you sure? I just tried: john@kona$ docker run --rm -it microsoft/dotnet:2.1-runtime curl https://code.jquery.com <!doctype html> <!--[if IE 7 ]> <html class="no-js ie ie7 lte7 lte8 lte9"> lang="en-US"> <![endif]--> <!--[if IE 8 ]> <html class="no-js ie ie8 lte8 lte9"> lang="en-US"> <![endif]--> <!--[if IE 9 ]> <html class="no-js ie ie9 lte9"> lang="en-US"> <![endif]--> <!--[if (gt IE 9)|!(IE)]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head data-live-domain="codeorigin.jquery.com"> <meta charset="utf-8"> ... - Bhaal22
I'm having exactly the same issue connecting to a RabbitMQ instance. I can get to it through Windows and through Chrome, but when deployed to Docker based on the image microsoft/dotnet:2.2-sdk it fails to connect (due to the Comodo Root CA expiring on 5/30/2020). I tried pulling a new image from Microsoft; they have apparently not updated the image. I tried pulling all of the raw certs from the Comodo website, copying them over and then running update-ca-certificates, with no luck. - eejai42
I tried just that, but today it worked on code.jquery.com. Not sure why. It still did not work on the other failing site (controlled by me), but I found a workaround. I saved the public certificate with all chained CA certs from Chrome, and exported that to my NGINX server to use. Then the Docker container can connect properly. - Henrik

1 Answer

0
votes

Not sure if this is the answer. After you update the certificate, update the Docker container image itself. The pseudo-commands look like below (the container is named with --name so it can be referenced by docker commit afterwards; the flag must come before the image, otherwise it is passed to bash):

$ docker run -it --name <container name> -p <port>:<port> <image> bash
root@xxxx:<ca-cert folder># update-ca-certificates

Don't exit out of the container. On the host machine:

$ docker commit <container name> <new image name>

docker commit will create a new image from the running container.

Theory

Probably you are running update-ca-certificates after you start a container instance, using some steps shared in these answers.

This will probably work one time if your docker run command looks something like below:

$ docker run -p 8000:80 <image name> bash

and inside the bash shell you updated the certificate. This will only hold for the lifetime of this container. When this container dies and a new one is created, it is created from the same old image (with the expired cert).
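The durable form of what the answer describes, as an added example that is not part of the original answer: rather than hand-patching a running container and committing it (which produces an image nobody can rebuild or audit), put the CA refresh into a Dockerfile so every container started from the new image already has the fixed bundle. It uses the microsoft/dotnet:2.1-runtime tag from the question and assumes a Debian-based image. The root that the comments call the Comodo Root CA, which expired on 30 May 2020, is the AddTrust External CA Root; the file name mozilla/AddTrust_External_Root.crt in /etc/ca-certificates.conf and the /etc/ssl/certs/AddTrust_External_Root.pem symlink are the names Debian's ca-certificates package used for it and are assumptions here.

```dockerfile
# Added example (not from the original answer): bake the CA refresh into a new
# image instead of patching a running container and committing it.
FROM microsoft/dotnet:2.1-runtime

# 1. Pull the current ca-certificates package. A fixed package drops the
#    expired root and regenerates /etc/ssl/certs in its postinst.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# 2. Belt and braces: if the package feed still ships the expired
#    AddTrust External CA Root, disable it in /etc/ca-certificates.conf
#    (a leading '!' blacklists an entry) and rebuild the bundle from
#    scratch. The file name is assumed (Debian's name for that root).
RUN sed -i 's|^mozilla/AddTrust_External_Root.crt$|!mozilla/AddTrust_External_Root.crt|' \
        /etc/ca-certificates.conf \
 && update-ca-certificates --fresh

# 3. Fail the build if the expired root is still linked into the trust
#    store, so an image with the old bundle is never tagged or pushed.
#    The symlink name is assumed (update-ca-certificates uses <name>.pem).
RUN test ! -e /etc/ssl/certs/AddTrust_External_Root.pem
```

Build with `docker build -t my-app:ca-fixed .` and change the deployment to use the new tag. .NET Core on Linux validates TLS through OpenSSL against the system store in /etc/ssl/certs, so HttpClient and the RabbitMQ client pick up the refreshed bundle without any code change; the same applies to curl inside the container. Removing the expired root, rather than adding anything, is the point: with the old root gone from the trust store, OpenSSL validates the server's chain against the newer USERTrust root instead of stopping at the expired one. Once Microsoft rebuilds the base image on a fixed ca-certificates package, steps 2 and 3 become no-ops and can be dropped.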