8

I am running .NET Core 2.1 in a Linux container on a Win10 machine. I have created a self-signed CA using openssl and installed it in the Docker machine. Docker output shows that the CA has been added.


And when I run the command below, it also shows me the installed certificate:

awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt


But the installed certificate is not accessible via X509Store.

The code below shows count: 0

    using (var store = new X509Store(StoreName.CertificateAuthority, StoreLocation.LocalMachine))
    {
        store.Open(OpenFlags.ReadOnly);
        Console.WriteLine($"LocalMachine-> CertificateAuthority-> Count: {store.Certificates.Count}");
        foreach (var cert in store.Certificates)
        {
            Console.WriteLine($"cert: {cert}");
        }
    }

The code below shows count: 151

    using (var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
    {
        store.Open(OpenFlags.ReadOnly);
        Console.WriteLine($"LocalMachine-> Root-> Count: {store.Certificates.Count}");

        foreach (var cert in store.Certificates)
        {
            Console.WriteLine($"cert: {cert.IssuerName.Name}");
        }
    }

But I think it should be 152.

Here is my Dockerfile:

FROM microsoft/dotnet:2.1-runtime AS base
WORKDIR /app

FROM microsoft/dotnet:2.1-sdk AS build
WORKDIR /src
COPY TestWebApp1/TestWebApp1.csproj TestWebApp1/
RUN dotnet restore TestWebApp1/TestWebApp1.csproj
COPY . .
WORKDIR /src/TestWebApp1
RUN dotnet build TestWebApp1.csproj -c Release -o /app

FROM build AS publish
RUN dotnet publish TestWebApp1.csproj -c Release -o /app 
RUN ls -l
RUN ls certificate/ 


COPY TestWebApp1/certificate/ca.crt /usr/share/ca-certificates/ca.crt
RUN echo ca.crt >> /etc/ca-certificates.conf 

RUN ls /usr/local/share/ca-certificates/
RUN dpkg-reconfigure -p critical ca-certificates
RUN update-ca-certificates 
RUN awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt

FROM base AS final
WORKDIR /app
COPY --from=publish /app .
ENTRYPOINT ["dotnet", "TestWebApp1.dll"]

Any help would be appreciated.

Thanks in advance.

Ankit Sarkar

1 Answer

3

This seems due to the multi-stage Dockerfile.

You have installed the certificates in the `publish` image, but not in the `final` image. Also, `base` doesn't include the newly installed certificates.

I would suggest that you

  1. either manually copy the certificates from the publish image to the final image
  2. or perform the dpkg-reconfigure ... update-ca-certificates during the final stage
  3. or install the certificates in the base image

My preference would be option 1.

gesellix
  • Hi @gesellix, I have added `COPY --from=publish /usr/local/share/ca-certificates/ca.crt /usr/local/share/ca-certificates/ca.crt` and `RUN dpkg-reconfigure -p critical ca-certificates`, but the issue is still the same. Could you please share a Dockerfile? – Ankit Sarkar Aug 01 '18 at 16:33
  • Does the `RUN awk -v cmd='openssl x509 -noout -subject' ...` command in the `final` image show the desired certificate? – gesellix Aug 01 '18 at 17:03
  • Why don't you copy the `/etc/ssl/certs/ca-certificates.crt` to the `final` image? I would expect `COPY --from=publish /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt` in the `final` image. – gesellix Aug 01 '18 at 17:20
  • Hi @gesellix, when I ran `RUN awk -v cmd ...` it showed me the installed certificate. However, when I try to connect via HttpClient it shows "Issuer not trusted". – Ankit Sarkar Aug 05 '18 at 00:50
  • You should check whether the httpclient actually picks up the installed certificate and that it matches the server's certificate authority (see https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify) - I assume you did that already? – gesellix Aug 05 '18 at 22:02
  • Hi @gesellix, UPDATE: I just tried without the CA, creating my own self-signed certificate, and it did work! Thanks. So yeah, I will give you the bounty and will keep you updated once the CA works! – Ankit Sarkar Aug 06 '18 at 16:42
  • Hi @gesellix, UPDATE: I'm able to run with my own CA too! Thanks mate! – Ankit Sarkar Aug 15 '18 at 13:09
  • @AnkitSarkar Could you share the DockerFile on how you achieved this? – Adhip Rebello Aug 22 '20 at 13:03
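As an added illustration of the answer's option 1 and the comment about copying `/etc/ssl/certs/ca-certificates.crt` (this is example code, not the asker's or answerer's Dockerfile): the CA bundle is rebuilt in the `publish` stage and the resulting file is copied into the `final` stage, with a build-time `openssl verify` so a missing CA fails the build instead of surfacing as "Issuer not trusted" at runtime. It assumes the `TestWebApp1` layout from the question, `ca.crt` at `TestWebApp1/certificate/ca.crt`, and that the runtime image carries the `openssl` CLI (pulled in by the `ca-certificates` package on Debian).

```dockerfile
# Added example, not the original Dockerfile from the question or answer.
# Assumes: TestWebApp1 layout from the question, ca.crt at TestWebApp1/certificate/ca.crt,
# and an openssl CLI in the runtime image (installed with ca-certificates on Debian).
FROM microsoft/dotnet:2.1-runtime AS base
WORKDIR /app

FROM microsoft/dotnet:2.1-sdk AS build
WORKDIR /src
COPY TestWebApp1/TestWebApp1.csproj TestWebApp1/
RUN dotnet restore TestWebApp1/TestWebApp1.csproj
COPY . .
WORKDIR /src/TestWebApp1
RUN dotnet build TestWebApp1.csproj -c Release -o /app

FROM build AS publish
RUN dotnet publish TestWebApp1.csproj -c Release -o /app
# update-ca-certificates collects *.crt from /usr/local/share/ca-certificates and rebuilds
# /etc/ssl/certs/ca-certificates.crt, the OpenSSL bundle that backs the LocalMachine/Root
# X509Store on Linux. This only changes the publish stage's filesystem.
COPY TestWebApp1/certificate/ca.crt /usr/local/share/ca-certificates/ca.crt
RUN update-ca-certificates

FROM base AS final
WORKDIR /app
COPY --from=publish /app .
# Option 1 from the answer: bring the rebuilt bundle into the image that actually runs.
COPY --from=publish /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=publish /usr/local/share/ca-certificates/ca.crt /tmp/ca.crt
# Build-time check: verifying the self-signed CA against the bundle returns "OK" only if
# that CA is present in the bundle as a trust anchor; otherwise the build fails here.
RUN openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /tmp/ca.crt \
 && rm /tmp/ca.crt
ENTRYPOINT ["dotnet", "TestWebApp1.dll"]
```

Once the image builds, the Root store count in the question's second snippet should include the private CA, and a server certificate issued by it can be checked the same way with `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt server.crt` inside the container.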