I have a .NET Core Web API hosted in Kubernetes as a Pod. It is also exposed as a Service. I have created a Dev SSL certificate and it's produced an aspnetapp.pfx file.

Here is a snippet of my Dockerfile:

```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:5.0 AS base
WORKDIR /app
EXPOSE 443
ENV ASPNETCORE_URLS=https://+:443
ENV ASPNETCORE_HTTPS_PORT=443
ENV ASPNETCORE_Kestrel__Certificates__Default__Password={password}
ENV ASPNETCORE_Kestrel__Certificates__Default__Path=APIGateway/Certificates/aspnetapp.pfx
```

When I run the app in Kubernetes I receive an error in the container logs, and the container is failing to start:

```
error:2006D002:BIO routines:BIO_new_file:system lib
```

I know it's able to find the SSL certificate, but it's throwing the above error.

Please help! :)

Sach K
  • Hello @Sach K, is the error you included part of something bigger, like in [this question](https://serverfault.com/questions/683637)? Are you using nginx? – Mikołaj Głodziak May 28 '21 at 07:51
  • Hi @MikolajGlodziak I am not using nginx. I'm trying to get SSL working in my .NET Core Web API which is hosted in Kubernetes - Docker Desktop installation. I get this error every time I start the container. – Sach K May 28 '21 at 12:01
  • Try to convert your certificate to .crt format. You can also read this page: https://devblogs.microsoft.com/aspnet/configuring-https-in-asp-net-core-across-different-platforms/ – Mikołaj Głodziak May 28 '21 at 12:18
  • I've read the page however this article mentions that I need to pass the file path to the .pfx file. https://dylanbeattie.net/2020/11/18/using-https-with-kestrel.html – Sach K May 28 '21 at 13:13
  • Now I'm stuck on what the path would be when I'm running in the Linux container. – Sach K May 28 '21 at 13:13
  • Try to mount the certs inside the Docker container and then refer to this path: `docker run -v /host/path/to/certs:/container/path/to/certs -d IMAGE_ID "update-ca-certificates"` Like [this example](https://stackoverflow.com/questions/26028971/docker-container-ssl-certificates) – Mikołaj Głodziak May 28 '21 at 13:28

1 Answer

I just ran into this same problem and even though things were working fine previously, something was updated (possibly .NET 6.0.402) which caused a problem.

What I noticed is that my exported dev cert pfx in the Docker container had its permissions set to:

```
-rw------- 1 root    root    2383 Oct 18 14:40 cert.pfx
```

In my Dockerfile, I export the dotnet dev cert and run a chmod to add read permissions for everyone:

```dockerfile
RUN dotnet dev-certs https --clean && dotnet dev-certs https --export-path /app/publish/cert.pfx -p {password}
RUN chmod 644 /app/publish/cert.pfx
```

This resulted in permissions which were the same as my appsettings files:

```
-rw-r--r-- 1 root    root     535 Oct 18 14:11 appsettings.Development.json
-rw-r--r-- 1 root    root     331 Sep 27 18:13 appsettings.json
-rw-r--r-- 1 root    root    2383 Oct 18 14:40 cert.pfx
```

That fixed the error for me.

BearsEars
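A check for the failure described in the answer above, as an added example that is not part of the original posts: it reads the same owner and mode fields shown in the `ls -l` listings and reports whether a given numeric UID/GID can read the certificate file. The function name `cert_access`, its result strings and the sample UID/GID `1000` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original posts): decide from `ls -ln` output
# whether a numeric UID/GID can read a certificate file.
# Assumptions: classic owner/group/other mode bits only; ACLs, supplementary
# groups and capabilities other than root's bypass are ignored.

cert_access() {
    file=$1 uid=$2 gid=$3

    [ -e "$file" ] || { echo "missing"; return 0; }

    # Fields of `ls -ln`: mode, link count, owner UID, group GID, ...
    # -L follows symlinks so the target's mode is checked, not the link's.
    set -- $(ls -lnL "$file")
    mode=$1 owner=$3 group=$4

    # Read bit for owner / group / other is character 2 / 5 / 8 of the mode.
    case $mode in ?r*)       owner_r=1 ;; *) owner_r=0 ;; esac
    case $mode in ????r*)    group_r=1 ;; *) group_r=0 ;; esac
    case $mode in ???????r*) other_r=1 ;; *) other_r=0 ;; esac

    # Same order the kernel uses: owner class first, then group, then other.
    if   [ "$uid" -eq 0 ];        then readable=1         # root bypasses mode bits
    elif [ "$uid" -eq "$owner" ]; then readable=$owner_r
    elif [ "$gid" -eq "$group" ]; then readable=$group_r
    else                               readable=$other_r
    fi

    if [ "$readable" -eq 0 ]; then
        echo "denied"               # this UID/GID cannot open the .pfx
    elif [ "$other_r" -eq 1 ]; then
        echo "ok-world-readable"    # readable, but by every user in the container
    else
        echo "ok"
    fi
}

# Usage: sh cert_access.sh /app/publish/cert.pfx 1000 1000
if [ "$#" -eq 3 ]; then cert_access "$1" "$2" "$3"; fi
```

The `ok-world-readable` result is what a `644` mode produces: the file opens, but the private key inside the `.pfx` is readable by any account in the container, which `chown` to the runtime user plus mode `600` or `640` avoids.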