How to install root certificate in aspnet:3.0 base image for windows container

Question

I am hosting two windows containers from a Windows 2019 servers and both are running in https. When my Web URL container tried to make a call to the API container. It didn't work and when I got inside the Web container and run the curl command to my API web site and I received the following error.

(77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

I am trying to find out how to import the root certificate to my aspnet:3.0 base image.

Answer 1

This is what I did to get certificates working in my docker container. I import the root certificate as well as the certificate for the application, so take the parts you need.

1. On your host put the certificates (pfx) into a directory and mount it within the container. I will assume you have mounted them on 'C:\certificates' in the container.

2. I pass the certificates as environmental variables so the script can pick them up.

3. Add this script to run when the container starts up:

Import-Module WebAdministration
$webCertificatePath = $ENV:WEB_CERTIFICATE_PATH
$webCertificatePassword = $ENV:WEB_CERTIFICATE_PASSWORD
$rootCertificatePaths = $ENV:ROOT_CERTIFICATE_PATHS
# I don't do anything with this... yet
$intermediateCertificatePaths = $ENV:INTERMEDIATE_CERTIFICATE_PATHS

# Import Root Certificate
# You can stop here if you only want the Root Certificate installed.
Import-Certificate -FilePath $rootCertificatePaths -CertStoreLocation 'Cert:\\LocalMachine\Root'

# Import website certificate
$mypwd = ConvertTo-SecureString -String $webCertificatePassword -Force -AsPlainText
$cert = Import-PfxCertificate -FilePath "$webCertificatePath" -Password $mypwd -CertStoreLocation 'Cert:\LocalMachine\My'
if (-not (Test-Path 'IIS:\SSLBindings\0.0.0.0!443')) {
  $cert | New-Item 'IIS:\SSLBindings\0.0.0.0!443'
}

There are many ways to do this, but you get the idea.