
I have an MVC app that I’m able to debug (VS Code – hitting F5) and call https://localhost:1234/health/status from my Windows box – even though I haven’t explicitly set up any certs.

Now I’m trying to make the same call from inside a Docker container (host network). I’m getting the following error:

root@b0522cdd5597:/workspaces/test# curl https://host.docker.internal:1234/health/status
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

What I’ve Tried

I tried to use the -k (and the --insecure) option in curl. But it gives me this error:

root@b0522cdd5597:/workspaces/test# curl -k https://host.docker.internal:1234/health/status
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML>

That hasn’t really resolved anything. Presently, I’m reviewing this post to see if I can glean anything:

How to fix "SSL certificate problem: self signed certificate in certificate chain" error?

I don’t want to have to create a self cert if at all possible.

EDIT 1

I opened up a Terminal from inside vscode where my project is running and tried this:

PS C:Usersmesrcwidgetserver> dotnet dev-certs https --check
No valid certificate found.
PS C:Usersmesrcwidgetserver> dotnet dev-certs https --check --trust
No valid certificate found.

EDIT 2

I tried to play with IIS Express settings to allow localhost.
Specifically, I did this:

a) launched netsh in command window as admin
b) ran the following command:

netsh>http add urlacl url=https://localhost:1234/ user=everyone

URL reservation successfully added

netsh>

I am able to start Visual Studio. Start debugging.
In the container I try to curl -k on the localhost, but now I get

 "Failed to connect to localhost port 1234 after 0 ms: connection refused"

I retried with the verbose option in curl and this is what I see:

root@b0522cdd5597:/workspaces/IntegrationTests# curl -kv https://localhost:1234/health/status
*   Trying 127.0.0.1:1234...
* connect to 127.0.0.1 port 123 failed: Connection refused
*   Trying ::1:1234...
* Immediate connect fail for ::1: Cannot assign requested address
* Failed to connect to localhost port 1234 after 0 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 1234 after 0 ms: Connection refused
root@b0522cdd5597:/workspaces/IntegrationTests#

To eliminate the IPv6 element, I tried this:

root@b0522cdd5597:/workspaces/IntegrationTests# curl -kv --ipv4 https://localhost:1234/health/status
*   Trying 127.0.0.1:1234...
* connect to 127.0.0.1 port 1234 failed: Connection refused
* Failed to connect to localhost port 1234 after 0 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 1234 after 0 ms: Connection refused

I tried adding another entry in netsh: https://127.0.0.1:1234, but that didn’t fix the problem. I get the same error.

Lastly, I tried to add in netsh just a generic entry like this:

Reserved URL : https://+:1234/
User: Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)

But when I try to start my app in Visual Studio after that, I get a generic error that IIS cannot start.
I have to remove the entry from netsh and restart Visual Studio in order to get rid of the error.

EDIT 3

As far as editing launchsettings.json, our team uses the following:

{
  "$schema": "http://json.schemastore.org/launchsettings.json",
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:39124/",
      "sslPort": 1234
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "launchUrl": "health/status",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "Widget.Server": {
      "commandName": "Project",
      "launchBrowser": true,
      "launchUrl": "https://localhost:1234/health/status",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "https://localhost:1234/"
    }
  }
}

I’m thinking of updating every spot that reads https://localhost:1234 to be https://host.docker.internal:1234.

EDIT 4

This is what I’ve got working so far:
I updated the applicationUrl and the sslPort:

{
  "$schema": "http://json.schemastore.org/launchsettings.json",
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:39124/",
      "sslPort": 1234
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "launchUrl": "health/status",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "Widget.Server": {
      "commandName": "Project",
      "launchBrowser": true,
      "launchUrl": "https://localhost:1234/health/status",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "https://host.docker.internal:1234/",
      "sslPort":44398
    }
  }
}

Then I had to update my applicationhost.config:

                <binding protocol="http" bindingInformation="*:39124:localhost" />
                <binding protocol="https" bindingInformation="*:1234:localhost" />                  
                <binding protocol="https" bindingInformation="172.31.32.1:1234:*" />

Added the last binding entry.
172.31.32.1 is the IPv4 address I get on the host when I do an ipconfig.

Then lastly, I start VS code as admin.
Then I’m able to do this from the container:

 root@b40e84b51354:/workspaces/IntegrationTests# curl -k https://172.31.32.1:1234/health/status

and it returns the results.

2 Answers


  1. The cert issue is being by-passed by -k; the error you are getting is from a web server. I suspect you’re running the app under IIS Express, as that was the only way I could repro this. That would also explain dotnet dev-certs not finding a cert, as IIS Express uses a different one.

    Side note: If you want to check if you have a self-signed IIS cert here is a PowerShell one-liner:

    Get-ChildItem Cert:\CurrentUser\Root | Where-Object FriendlyName -Like *IIS*
    

    For fixing IIS Express handling an alternate host name see Anton’s solution here: Bad Request – Invalid Hostname IIS7 (Edit: better option: https://stackoverflow.com/a/70104414/12567640)

    You can also bypass this issue by running the app with dotnet run instead. That does require using dotnet dev-certs to set up a cert, but then worked for me being called from a container.

    Edit:
    Sorry cited the wrong answerer 🤦‍♂️, but found a better answer anyway
    Updating rnofenko’s answer for the container usage looks like:

    "iisSettings": {
      "windowsAuthentication": false,
      "anonymousAuthentication": true,
      "iisExpress": {
        "applicationUrl": "https://host.docker.internal:44392",
        "httpPort": 51222,
        "sslPort": 44392
      }
    }
    

    Warning:
    Binding to host.docker.internal this way requires running VS as admin.

  2. I know you don’t want to create a self-signed cert and seem satisfied with by-passing. But if you change your mind, here is a sample that creates a self-signed cert that supports "localhost" and "host.docker.internal": https://github.com/NCarlsonMSFT/CertExample

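Answer 2's alternative to `curl -k`, sketched as an added example (not code from either answer or from the linked CertExample repository): a short-lived self-signed certificate whose subjectAltName lists both `localhost` and `host.docker.internal`, checked the way a verifying client would check it. It assumes OpenSSL 1.1.1 or later on PATH; the function names and the `dev.crt` / `dev.key` file names are hypothetical.

```shell
#!/bin/sh
# Added example: issue a dev certificate covering every name the service is
# called by, then confirm a verifying client would accept it for those names.

make_dev_cert() {
    # $1 = output directory; remaining arguments = DNS names for the SAN list
    out=$1; shift
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"
    done
    mkdir -p "$out" || return 1
    # First name becomes the CN; current TLS clients match on the SAN entries.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" \
        -addext "subjectAltName=$san" \
        -keyout "$out/dev.key" -out "$out/dev.crt" 2>/dev/null || return 1
    chmod 600 "$out/dev.key"   # private key stays readable by its owner only
}

client_would_accept() {
    # $1 = certificate file (used as the only trust anchor), $2 = hostname.
    # Chain validation plus hostname matching; exit status 0 means accepted.
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demo with the two names from the question, written to a throwaway directory.
demo_dir=$(mktemp -d)
if make_dev_cert "$demo_dir" localhost host.docker.internal; then
    for h in localhost host.docker.internal; do
        client_would_accept "$demo_dir/dev.crt" "$h" && echo "accepted for $h"
    done
fi
rm -rf "$demo_dir"

# Inside the container, trust only this one file instead of passing -k:
#   curl --cacert dev.crt https://host.docker.internal:1234/health/status
```

The server still has to present this certificate and key; how they are loaded depends on the host (Kestrel or IIS Express) and is not shown here. Only `dev.crt` is copied into the container, never `dev.key`.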