Docker 映像:无法配置 HTTPS 端点。未指定服务器证书,找不到默认的开发者证书

Posted

技术标签:

【中文标题】Docker 映像:无法配置 HTTPS 端点。未指定服务器证书,找不到默认的开发者证书【英文标题】:Docker image: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found 【发布时间】:2020-05-01 18:24:16 【问题描述】:

我正在尝试使用 Docker 容器在 Ubuntu (18.04.3 LTS) 服务器上运行基于 ASP.NET Core 3.1 框架的应用程序。

我创建了以下docker-compose.yml 文件,以便能够在我的服务器上运行nginx-proxyprivate_image_name 图像。显然,nginx-proxy 是一个代理服务器,它将作为代理将来自网络的流量路由到我的其他正在运行的图像。我按照article 进行nginx-proxy 设置。

version: '3.4'
services:

  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - certificates:/etc/certificates

  private_image_name:
    image: private_image_name:latest
    container_name: private_image_name
    depends_on:
      - nginx-proxy
    environment:
      - VIRTUAL_HOST=sub.domain-example.com
      - ASPNETCORE_ENVIRONMENT=Production
      - ASPNETCORE_URLS=https://+:443;http://+:80
    ports:
      - 51736:80
      - 44344:443
    volumes:
      - storage:/storage
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - certificates:/etc/certificates
      - $APPDATA/Microsoft/UserSecrets:/root/.microsoft/usersecrets:ro
      - $APPDATA/ASP.NET/Https:/root/.aspnet/https:ro
volumes:
  storage:
  certificates:
networks:
  default:
    external:
      name: nginx-proxy
secrets:
  server.cert:
    file: ./server.cert
  server.key:
    file: ./server.key

server.certserver.key 文件都存储在 /etc/certificates 中。这两个文件都是使用以下命令创建的

sudo openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=US/ST=CA/L=SF/O=Docker-demo/CN=app.example.org" -keyout server.key -out server.cert

我尝试通过执行docker-composer up 来运行我的两个图像。但是,nginx-proxy 没有出现任何问题,而 private_image_name 无法运行。以下是我在运行private_image_name 尝试启动时得到的结果

**WARNING**: The APPDATA variable is not set. Defaulting to a blank string.
Recreating private_image ... done
Attaching to private_image
private_image    | crit: Microsoft.AspNetCore.Server.Kestrel[0]
private_image    |       Unable to start Kestrel.
private_image    | System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date.
private_image    | To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
private_image    | For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.
private_image    |    at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)
private_image    |    at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
private_image    | Unhandled exception. System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date.
private_image    | To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
private_image    | For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.
private_image    |    at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)
private_image    |    at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
private_image    |    at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
private_image    |    at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
private_image    |    at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
private_image    |    at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
private_image    |    at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.Run(IHost host)
private_image    |    at private_image.Program.Main(String[] args) in /src/private_image/Program.cs:line 17
private_image exited with code 139

dotnet dev-certs https --trust 命令仅适用于 Windows 和 macOS。

问题

如何在 Ubuntu 服务器上解决此问题?如何正确地将 SSL 证书附加到 docker 映像?

此外,当我转到 http://server-ip-address 或 http://sub.domain-example.com 时,我会得到

503 服务暂时不可用 nginx/1.17.5

当我转到 https://server-ip-address 或 https://sub.domain-example.com 时,我得到了

无法连接。

【问题讨论】:

【参考方案1】:

一旦您在 nginx 中设置了证书,我认为在 asp.net 核心容器中启用它没有任何意义,因为您的 docker 网络将通过 nginx 对公众可见。

要禁用 Kestrel Https 监听,只需从以下代码中删除 443 端口:

- ASPNETCORE_URLS=https://+:443;http://+:80

替换为:

- ASPNETCORE_URLS=http://+:80

【讨论】:

@user1007074 一旦应用程序配置为使用 https,kestrel Web 服务器需要证书才能使其工作。您可以在此处查看有关此环境变量的文档:docs.microsoft.com/en-us/aspnet/core/fundamentals/host/…【参考方案2】:

就我而言,主要问题是docker-compose.override.yml 文件。 Docker 文件是在 Windows 机器上生成的,因此以下行对于 mac 不正确。

- $APPDATA/Microsoft/UserSecrets:/root/.microsoft/usersecrets:ro
- $APPDATA/ASP.NET/Https:/root/.aspnet/https:ro

我不得不用以下几行替换它们:

- ~/.aspnet/https:/root/.aspnet/https:ro
- ~/.microsoft/usersecrets:/root/.microsoft/usersecrets:ro

docker-compose.override.yml 的最终代码有效:

version: '3.4'

services:
  project-api:
    image: project-api
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=https://+:443;http://+:80
    ports:
      - "5001:443"
      - "5000:80"
    volumes:
      - ~/.aspnet/https:/root/.aspnet/https:ro
      - ~/.microsoft/usersecrets:/root/.microsoft/usersecrets:ro

【讨论】:

【参考方案3】:

对于因为类似问题来到这里的人,这帮助我解决了一个问题:

清理开发证书:

dotnet dev-certs https --clean

新建一个

dotnet dev-certs https -t

【讨论】:

此步骤需要手动干预,对于 docker 是不可能的。或者有没有办法自动接受提示? “请求信任HTTPS开发证书。如果之前不信任该证书,将显示确认提示。在提示中单击是以信任该证书。”

以上是关于Docker 映像:无法配置 HTTPS 端点。未指定服务器证书,找不到默认的开发者证书的主要内容,如果未能解决你的问题,请参考以下文章

如何在未配置的 Docker 上为 centos 7 删除/安装 docker 映像

无法配置 HTTPS 端点。未指定服务器证书,找不到默认的开发者证书

SCDF 未获取最新的应用程序 docker 映像

无法运行已在使用的 gitlab docker 映像端口

无法从 docker 映像连接到 HTTPS (443)

Elastic Beanstalk 无法从 DockerHub 拉取 docker 映像