
I am stuck getting HTTPS client authentication to work with an ASP.NET Core application running in a Docker container with Debian. The ASP.NET application works fine on Windows with the clients authenticating via certificates.

However, if I run the ASP.NET app in the Docker container, some clients won't send any client certificate, because in the SSL handshake the server sends a list of all its trusted root CAs. Some clients based on .NET 4.0 then filter their client certificates so that only certificates issued by the CAs from this list remain.

Now my problem is that I can't get the root CA installed on the Docker Debian system so that my root CA is in the list sent by the server.

What I already tried is adding the certificate in my Dockerfile with

```dockerfile
# Build argument with a default, so the file name can be overridden at build time
ARG source
# Debian's update-ca-certificates only picks up PEM files with a .crt extension
# placed under /usr/local/share/ca-certificates
ADD ${source:-my_ca_root.crt} /usr/local/share/ca-certificates/my_ca_root.crt
# Regenerates /etc/ssl/certs/ca-certificates.crt and the hashed symlinks in /etc/ssl/certs
RUN update-ca-certificates
```

But this doesn't seem to work.

Another option would be to tell the server not to send the certificate trust list, but I couldn't find a solution for this.

The ASP.NET Core app is running on the "Microsoft/aspnetcore:2.0" Docker image.

BoeseB
  • You are updating the system root CAs the correct way for Debian. But it may be possible that ASP.NET uses its own list of CAs rather than the system one. You can verify this by removing the `ca-certificates` package and seeing what root CA list it sends. If it is blank, then we know that the root CA needs to be at system level; if not, then we need to find what ASP.NET uses for its root CAs – Tarun Lalwani Oct 12 '17 at 07:39
  • So I deleted the file /etc/ssl/certs/ca-certificates.crt and it seems to still send a list. – BoeseB Oct 12 '17 at 07:49
  • According to this https://stackoverflow.com/questions/44159793/trusted-root-certificates-in-dotnet-core-on-linux-rhel-7-1 it uses the root CAs from the system. Did you run `update-ca-certificates` after deleting the certs to confirm? Also see if this relates to the problem https://github.com/dotnet/corefx/issues/16879 – Tarun Lalwani Oct 12 '17 at 07:56
  • OK, I got a connection. What I did was delete everything in /etc/ssl/certs/ and not add any cert nor run update-ca-certificates. I added the line `RUN rm /etc/ssl/certs/*` to my Dockerfile and removed the other two from my question. So why wasn't the list updated with my CA cert before? – BoeseB Oct 12 '17 at 08:06
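The handshake message the question and comments turn on is the TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4), whose certificate_authorities field carries the DER-encoded distinguished names of the CAs the server will accept. Against a live server the quickest check is `openssl s_client -connect host:443`, which prints the names under "Acceptable client certificate CA names". The parser below is added here as an example and is not code from the original post: it decodes a CertificateRequest from raw handshake bytes (as captured with Wireshark or `openssl s_client -msg`) so you can check whether your own root CA is in the list. The sample request, the CA names in it, and the small DER encoder used only to build that sample are all constructed for this example.

```python
"""Decode a TLS 1.2 CertificateRequest and list the CAs it advertises."""
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}


def _tlv(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(data, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, ln = data[pos], data[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln = int.from_bytes(data[pos:pos + k], "big")
        pos += k
    return tag, data[pos:pos + ln], pos + ln


def _oid_encode(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        body.extend(chunk)
    return bytes(body)


def _oid_decode(data):
    parts, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def der_name(attrs):
    """Build a DER Name from [(oid, value)], one RDN per attribute (sample data only)."""
    rdns = b""
    for oid, value in attrs:
        atv = _tlv(0x30, _tlv(0x06, _oid_encode(oid)) + _tlv(0x0C, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)  # SET OF AttributeTypeAndValue
    return _tlv(0x30, rdns)      # SEQUENCE OF RelativeDistinguishedName


def der_name_to_string(der):
    """Render a DER Name as 'C=..,O=..,CN=..' in the order it is encoded."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name is not a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)
        ipos = 0
        while ipos < len(rdn):
            _, atv, ipos = _read_tlv(rdn, ipos)
            _, oid, p = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, p)
            dotted = _oid_decode(oid)
            parts.append(f"{OID_NAMES.get(dotted, dotted)}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)


def build_certificate_request(ca_names, cert_types=(1, 64), sig_algs=((4, 1), (5, 1))):
    """Construct a CertificateRequest handshake message (used to build the sample)."""
    body = bytes([len(cert_types)]) + bytes(cert_types)          # rsa_sign, ecdsa_sign
    sa = b"".join(bytes(pair) for pair in sig_algs)              # sha256/rsa, sha384/rsa
    body += struct.pack("!H", len(sa)) + sa
    dns = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body += struct.pack("!H", len(dns)) + dns
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Parse handshake type 13; returns certificate types, sig algs and CA names."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated CertificateRequest")
    pos = 0
    n, pos = body[pos], pos + 1
    cert_types, pos = list(body[pos:pos + n]), pos + n
    (n,), pos = struct.unpack_from("!H", body, pos), pos + 2
    sig_algs, pos = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)], pos + n
    (n,), pos = struct.unpack_from("!H", body, pos), pos + 2
    end, cas = pos + n, []
    while pos < end:
        (ln,), pos = struct.unpack_from("!H", body, pos), pos + 2
        cas.append(der_name_to_string(body[pos:pos + ln]))
        pos += ln
    return {"certificate_types": cert_types, "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


def ca_advertised(msg, dn):
    """True if the server's CertificateRequest lists the CA with this DN string."""
    return dn in parse_certificate_request(msg)["certificate_authorities"]


# Constructed sample: a server that trusts two CAs, one of them 'My Root CA'.
SAMPLE_CAS = [
    der_name([("2.5.4.6", "DE"), ("2.5.4.10", "Example"), ("2.5.4.3", "Example Root CA")]),
    der_name([("2.5.4.3", "My Root CA")]),
]
SAMPLE_REQUEST = build_certificate_request(SAMPLE_CAS)

if __name__ == "__main__":
    for dn in parse_certificate_request(SAMPLE_REQUEST)["certificate_authorities"]:
        print(dn)
```

If your root CA's subject does not appear in the list this prints for a real capture, the server-side trust store is the place to look; an empty list means the server sends no certificate_authorities at all, which is why the .NET 4.0 clients described in the question stop filtering.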

0 Answers