I have two ASP web APIs, one for identity server and a second that is just a web API. They are supposed to run in Docker containers.
I generated a self-signed certificate for SSL HTTPS connections between the containers. I know that by default it is not trusted, and to resolve this issue, I manually add the self-signed certificate to the Trusted Root Certification Authorities.
I also have a simple docker-compose.yml:
services:
  identityserver:
    build:
      context: .
      dockerfile: src/IdentityServer/Dockerfile
    entrypoint: /bin/sh -c "update-ca-certificates && dotnet Duende.IdentityServer.dll"
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=https://+:7000
      - ASPNETCORE_Kestrel__Certificates__Default__Password=*******
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/localhost.pfx
    ports:
      - "7000:7000"
    volumes:
      - ./localhost.pfx:/https/localhost.pfx:ro
      - ./localhost.crt:/usr/local/share/ca-certificates/localhost.crt:ro
  api:
    container_name: api
    build:
      context: .
      dockerfile: src/Web.Api/Dockerfile
    depends_on:
      - identityserver
    entrypoint: /bin/sh -c "update-ca-certificates && dotnet Web.Api.dll"
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=https://+:7001
      - ASPNETCORE_Kestrel__Certificates__Default__Password=*******
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/localhost.pfx
      - AUTHENTICATION__AUTHORITY=https://identityserver:7000
      - AUTHENTICATION__AUDIENCE=9fc33c2e-dbc1-4d0a-b212-68b9e07b3ba0
    ports:
      - "7001:7001"
    volumes:
      - ./localhost.pfx:/https/localhost.pfx:ro
      - ./localhost.crt:/usr/local/share/ca-certificates/localhost.crt:ro
api runs on port 7001 and identityserver on 7000. The problem occurs when I attempt to call a protected (authorized) endpoint from api, like https://api:7001/WeatherForecast. Then I get this error:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://identityserver:7000/.well-known/openid-configuration'.
System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://identityserver:7000/.well-known/openid-configuration'.
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
But if I open https://identityserver:7000/.well-known/openid-configuration in a browser, it works. I'm sure the problem is in the Docker configuration. Maybe you have had such an experience before.
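
An added diagnostic sketch, not part of the original post: three checks that can be run against a certificate mounted into `/usr/local/share/ca-certificates`, namely that it is a PEM `.crt` file, that it verifies against itself as a trust anchor, and that it was issued for the hostname the client actually connects to. The function names and the generated certificates are constructed for illustration, and the script assumes an `openssl` CLI (1.1.1 or later) is available.

```shell
#!/bin/sh
# Added example; the certificates generated here are constructed test data.

# make_cert PREFIX SAN_LIST: self-signed PEM cert at PREFIX.crt, key at PREFIX.key
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# update-ca-certificates only imports PEM files whose name ends in .crt
is_pem_crt() {
    case "$1" in *.crt) ;; *) return 1 ;; esac
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# chains_to CERT ANCHORS: does CERT verify against the anchors in ANCHORS?
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# covers_host CERT HOST: is HOST among the names the cert was issued for?
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# report CERT HOST: one line per failed check, non-zero status if any check fails
report() {
    rc=0
    is_pem_crt "$1" || { echo "FAIL $1: not a PEM .crt file"; rc=1; }
    chains_to "$1" "$1" || { echo "FAIL $1: does not verify as its own root"; rc=1; }
    covers_host "$1" "$2" || { echo "FAIL $1: not issued for host $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok   $1: usable as trust anchor for $2"
    return "$rc"
}

# Demo: the same checks against a localhost-only cert and one that also names
# the compose service used in AUTHENTICATION__AUTHORITY.
tmp=$(mktemp -d)
make_cert "$tmp/localhost" "DNS:localhost"
make_cert "$tmp/both" "DNS:localhost,DNS:identityserver"
report "$tmp/localhost.crt" identityserver || true
report "$tmp/both.crt" identityserver
```

Inside a running container the same functions can be pointed at the mounted file, for example `report /usr/local/share/ca-certificates/localhost.crt identityserver`.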