Craftsman at Work

I'm Artur Karbone, a coding software architect and independent IT consultant, and this is my blog about craftsmanship, architecture, distributed systems, management and much more.

.NET Core: Docker and self-signed certificates

To use self-signed certificates in Docker, you need to make them available to the container. There are multiple ways to do this:

  • via the COPY command during image build (considered bad practice, since the same image can then no longer be launched in multiple environments such as dev/stag/prod)
  • create the certificate in the hosting environment and share it with the container via a shared volume
  • keep certificates in an external vault, such as Azure KeyVault.

Let's shed some light on the second approach:

docker run --rm -it -p 8000:80 -p 8001:443 -e ASPNETCORE_URLS="https://+;http://+" -e ASPNETCORE_HTTPS_PORT=443 -e ASPNETCORE_Kestrel__Certificates__Default__Password="test" -e ASPNETCORE_Kestrel__Certificates__Default__Path=/local-cert-storage/aspnetapp.pfx -v %USERPROFILE%\.aspnet\https:/local-cert-storage/ mygrpc

The certificate created in the previous post is now shared with the Docker container via: -v %USERPROFILE%\.aspnet\https:/local-cert-storage/

Now we need to override the default certificate location via the environment variable:

-e ASPNETCORE_Kestrel__Certificates__Default__Path=/local-cert-storage/aspnetapp.pfx

Note: When you try to use *.pfx certificates without passwords or *.cer certificates without private keys, you will get the following error: System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.
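
A preflight check for the failure described in the note above, as an added example that is not part of the original post: it opens a certificate file with a given password and reports whether it carries a private key. The class name CertPreflight and the throwaway certificate it generates are constructed for illustration; the two environment variable names are the ones from the docker run command.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CertPreflight
{
    // Returns null when the file can back server-side TLS, otherwise the reason it cannot.
    public static string Check(string path, string password)
    {
        if (string.IsNullOrEmpty(path)) return "certificate path is not set";
        if (!File.Exists(path)) return path + " not found (is the volume mounted?)";
        try
        {
            using var cert = new X509Certificate2(path, password);
            return cert.HasPrivateKey ? null : "certificate has no private key";
        }
        catch (CryptographicException ex)
        {
            return "cannot open certificate (wrong password?): " + ex.Message;
        }
    }

    public static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate in a temp directory.
        var dir = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "cert-preflight")).FullName;
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=localhost", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        var pfx = Path.Combine(dir, "aspnetapp.pfx");
        var cer = Path.Combine(dir, "aspnetapp.cer");
        File.WriteAllBytes(pfx, cert.Export(X509ContentType.Pfx, "test")); // certificate + private key
        File.WriteAllBytes(cer, cert.Export(X509ContentType.Cert));        // certificate only

        Console.WriteLine("pfx, right password: " + (Check(pfx, "test") ?? "ok"));
        Console.WriteLine("pfx, wrong password: " + (Check(pfx, "nope") ?? "ok"));
        Console.WriteLine("cer, no private key: " + (Check(cer, null) ?? "ok"));

        // Inside the container: check the file the environment variables actually point at.
        var envPath = Environment.GetEnvironmentVariable("ASPNETCORE_Kestrel__Certificates__Default__Path");
        var envPass = Environment.GetEnvironmentVariable("ASPNETCORE_Kestrel__Certificates__Default__Password");
        Console.WriteLine("configured certificate: " + (Check(envPath, envPass) ?? "ok"));
    }
}
```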
