0

Example test URL: https://6195.playfabapi.com/swagger. Certificate chain for this site: Starfield etc -> Starfield etc -> Amazon Root CA 1 -> Amazon -> *.playfabapi.com

Windows Server 2019 running a Windows Server 2019 docker container (mcr.microsoft.com/windows/servercore:10.0.17763.973)

PowerShell commands executed on docker container:

Get-ChildItem -path Cert:\* -Recurse | where {$_.Subject –like '*Starfield*'}
(no results)
Get-ChildItem -path Cert:\* -Recurse | where {$_.Subject –like '*Amazon*'}
(No results)
Get-ChildItem -path Cert:\* -Recurse | where {$_.Subject –like '*PlayFab*'}
(No results)
Get-ChildItem -path Cert:\* -Recurse | where {$_.Subject –like '*'}
(About a dozen results, that all seem to be Microsoft-issued certificates)
curl --ssl-reqd --tlsv1.2 https://6195.playfabapi.com/swagger
(Successful json blob)

My Question: Why is the curl command successful? Everything I understand about Docker and certificates and curl says that curl command should fail with a certificate error (likely not trusted or something).

I found a similar but inverted question: SSL certificate verification fails inside docker container on specific server. How do I do the inverse, make the docker container isolated, and force it to validate only on its own certificates?

Paul Gilmore
  • 438
  • 1
  • 5
  • 14
  • I don't want to network-isolate the container as it needs to host connections to the open internet. But I do want to strictly control the list of certificates it validates (or not), independent of the metal machine that the container happens to be running on. – Paul Gilmore Aug 06 '20 at 20:50

1 Answers1

0

curl.exe version 7.71.1 on Windows doesn't yet use the Windows certificate store, but rather an internal certificate store, or an explicit cert file via --cacert option.

Configure cURL to use default system cert store on Windows That suggests that it's possible with the library, but it's not a default option anywhere (for now).

Paul Gilmore
  • 438
  • 1
  • 5
  • 14