Insert or Update self-signed cert into Docker Container

I am aware that a self-signed cert should be written into the Dockerfile, etc.:

FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim AS base
WORKDIR /app
COPY <my path>/<cert name>.crt /usr/local/share/ca-certificates/<cert name>.crt
RUN update-ca-certificates

I decided to remove the above-mentioned lines of code (lines 2 and 3) and intend to install the .crt as follows:

In PowerShell:

docker cp <location of the .crt> <image id>:/usr/local/share/ca-certificates/<filename>.crt

Go to the Docker image's CLI and, in /app, run:

update-ca-certificates

And then restart the affected container.

I tried to curl the link and encountered this error:

curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

What steps have I missed? I have also installed the .pfx in the Trusted Root store in Windows 10, and the container is running as a Linux container.

Also, would anyone mind sharing how one updates their .crt in a Docker container when the .crt is about to expire?

What’s wrong about embedding the root ca’s certificate into the image?

Containers are meant to be disposable; as such, it does not really make sense to apply changes to the container. In the case of docker-compose or swarm stack deployments, a restart of the container might result in a new container (thus starting from scratch again).

The CA certificate you copied and applied to the container will work for any Linux application that actually uses the ca-certificates, like curl or wget, when accessing an https source outside the container; not everything that runs in Linux uses them. If this is your use case, the certificates in Windows 10 shouldn't matter.

One way to keep it updated is to map the .crt file into the container (as a secret, config or volume) and create an entrypoint script that takes care of updating the CA certificates before starting the main process.

If you are looking to enable TLS for a service inside your container, it depends on the application inside the container how the key, certificate and/or intermediate certificates need to be configured for it. Though, this would be a whole different topic.
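The entrypoint approach described in the answer above, as an added example that is not part of the original thread: a POSIX sh script that copies any PEM .crt files mounted under an assumed directory (/extra-certs, overridable through EXTRA_CA_DIR) into /usr/local/share/ca-certificates, runs update-ca-certificates only when something actually changed, and then execs the main process. Because it runs on every start, dropping a renewed .crt into the mount and restarting the container is all the "update before expiry" step from the question needs. The directory names, the function names and the environment variables are assumptions, not from the page. One aside on the curl output in the question: "schannel" is the Windows TLS backend, so that curl ran on the Windows host; a curl inside a Debian-based Linux container uses OpenSSL and the bundle that update-ca-certificates writes to /etc/ssl/certs.

```shell
#!/bin/sh
# Added example (not from the original thread): an entrypoint script that
# installs any extra CA certificates mounted into the container and then
# hands control to the main process. Paths and names are assumptions:
#   EXTRA_CA_DIR - where the .crt files are mounted (volume, config or secret)
#   CA_STORE_DIR - where Debian's update-ca-certificates looks for local CAs
set -eu

EXTRA_CA_DIR="${EXTRA_CA_DIR:-/extra-certs}"
CA_STORE_DIR="${CA_STORE_DIR:-/usr/local/share/ca-certificates}"

# Copy every PEM .crt from $1 into $2, but only when the file is new or has
# changed, so a restart with an unchanged cert does not churn the store.
# Prints the number of certificates installed or refreshed.
install_extra_cas() {
    src="$1"
    dst="$2"
    count=0
    # Nothing mounted: leave the store alone and report zero changes.
    [ -d "$src" ] || { echo 0; return 0; }
    mkdir -p "$dst"
    for crt in "$src"/*.crt; do
        [ -f "$crt" ] || continue
        # Refuse files that are not PEM certificates (for example a .pfx
        # renamed to .crt); update-ca-certificates would not accept them.
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$crt"; then
            echo "skipping $crt: not a PEM certificate" >&2
            continue
        fi
        target="$dst/$(basename "$crt")"
        if [ ! -f "$target" ] || ! cmp -s "$crt" "$target"; then
            cp "$crt" "$target"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Rebuild /etc/ssl/certs only if something changed and the tool exists
# (it needs root, so run this before any privilege drop in the image).
refresh_trust_store() {
    if [ "$1" -gt 0 ] && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    fi
}

# Act as an entrypoint only when a command was given (the image CMD or
# `docker run` arguments); with no command there is nothing to exec.
if [ "$#" -gt 0 ]; then
    changed="$(install_extra_cas "$EXTRA_CA_DIR" "$CA_STORE_DIR")"
    refresh_trust_store "$changed"
    exec "$@"
fi
```

In the image this would be wired up with ENTRYPOINT ["/entrypoint.sh"] and the application as CMD (for the aspnet image in the question, something like CMD ["dotnet", "MyApp.dll"], an assumed name), and the certificate mounted read-only, for example with -v ./certs:/extra-certs:ro or a compose secret whose target path is under /extra-certs. Two caveats worth knowing: update-ca-certificates writes to /etc/ssl/certs, so the script has to run as root before the main process drops privileges; and .NET on Linux reads the OpenSSL trust store, so HttpClient in the container picks the CA up after this rebuild, whereas a .pfx imported into the Windows host's Trusted Root store has no effect inside a Linux container.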


Thanks for the information. I got what you mean.