Why I can't call api endpoint from docker

Question

NET 5.0 console app which I want to run in docker container

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.SignalR.Client;
using System.Net.Http;
using System.Threading;

namespace pi_worker
{
    class Program
    {
        private const string _url = "*server_url*";

        static async Task Main(string[] args)
        {                
            using (HttpClient client = new HttpClient())
            {
                await client.GetAsync($"{_url}/*endpointName*");
            }                     
        }
    }

I'm building my container with dockerfile and commands:

docker build -t worker . docker run worker.

FROM mcr.microsoft.com/dotnet/runtime:5.0

COPY bin/Release/net5.0/publish .

ENTRYPOINT ["dotnet", "pi-worker.dll"]

But for the second command container starts I'm getting this error

Unhandled exception. System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at pi_worker.Program.Main(String[] args) in *path_to_project*\pi-worker\pi-worker\Program.cs:line 25
   at pi_worker.Program.<Main>(String[] args)

I tried some google solution but none of them helped

Does this answer your question? [How to fix "The SSL connection could not be established, see inner exception." when trying to download osu! avatar](https://stackoverflow.com/questions/54297514/how-to-fix-the-ssl-connection-could-not-be-established-see-inner-exception-w) — emagers, Apr 20 '22 at 18:14
No I tried `Diego Mauricio Guerrero` and `SeveneduS` answers but nothing changed — Bajo jajo, Apr 20 '22 at 18:29

score 1 · Accepted Answer · answered Apr 20 '22 at 19:50

1

The error message says that your worker in Docker can not recognize an SSL certificate of your server. Because of it, the HTTPS connection can not be established. In order to fix it, you need to somehow add a certificate from your server to the Trusted certificates stored in your docker container. This article may help to do it.

answered Apr 20 '22 at 19:50

GoodboY

299
2
12

When they are creating container they mounting certs in docker container `docker run -v /host/path/to/certs:/container/path/to/certs ` but how can I get `path/to/certs` when cert of my API is on the server – Bajo jajo Apr 20 '22 at 20:01
The server contains the private key of the certificate and you need the public key. The public key can be downloaded via browser. See [this](https://www.esri.com/arcgis-blog/products/bus-analyst/field-mobility/learn-how-to-download-a-ssl-certificate-for-a-secured-portal/) for more details about downloading it from browser. – GoodboY Apr 20 '22 at 20:05
Sorry, the previous comment is not exactly correct. There are no `private or public` keys in those certificates. The certificate is the same on the client and server-side. The thing is that this certificate should be issued by a trusted authority. In order to force your docker container to consider your server as 'trusted', you should copy the certificate from server to the 'Trusted certificates' store. If you can not download it directly from the server, you may download it via browser or other https tools on your host machine – GoodboY Apr 20 '22 at 20:28
It's working! But I have one more question. In my case certificate on my server is valid to 2035 so everytime when my certificate expires I need to repeat these steps? Is there a possibility to automate this process? – Bajo jajo Apr 20 '22 at 20:31
You can add a certificate from the authority, which issues a certificate for your server. Those certificates are validated transitively. So, even if the server`s certificate is expired and you receive a new one, it will still be considered valid as long as the issuer is considered as trusted – GoodboY Apr 21 '22 at 05:15

Why I can't call api endpoint from docker

1 Answers1