I have an MVC app that I’m able to debug (vscode – hitting F5) and call https://localhost:1234/health/status from my Windows box – even though I haven’t explicitly set up any certs.
Now I’m trying to make the same call from inside a Docker container (host network). I’m getting the following error:
root@b0522cdd5597:/workspaces/test# curl https://host.docker.internal:1234/health/status
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
What I’ve Tried
I tried to use the -k (and the --insecure) option in curl. But it gives me this error:
root@b0522cdd5597:/workspaces/test# curl -k https://host.docker.internal:1234/health/status
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML>
That hasn’t really resolved anything. Presently, I’m reviewing this post to see if I can glean anything:
How to fix "SSL certificate problem: self signed certificate in certificate chain" error?
I don’t want to have to create a self cert if at all possible.
EDIT 1
I opened up a Terminal from inside vscode where my project is running and tried this:
PS C:Usersmesrcwidgetserver> dotnet dev-certs https --check
No valid certificate found.
PS
PS C:Usersmesrcwidgetserver> dotnet dev-certs https --check --trust
No valid certificate found.
EDIT 2
I tried to play with IIS Express settings to allow localhost.
Specifically, I did this:
a) launched netsh in command window as admin
b) ran the following command:
netsh>http add urlacl url=https://localhost:1234/ user=everyone
URL reservation successfully added
netsh>
I am able to start visual studio. Start debugging.
In the container I try to curl -k on the localhost, but now I get
"Failed to connect to localhost port 1234 after 0 ms: connection refused"
I retried with the verbose option in curl and this is what I see:
root@b0522cdd5597:/workspaces/IntegrationTests# curl -kv https://localhost:1234/health/status
* Trying 127.0.0.1:1234...
* connect to 127.0.0.1 port 123 failed: Connection refused
* Trying ::1:1234...
* Immediate connect fail for ::1: Cannot assign requested address
* Failed to connect to localhost port 1234 after 0 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 1234 after 0 ms: Connection refused
root@b0522cdd5597:/workspaces/IntegrationTests#
To eliminate the ipv6 element, I tried this:
root@b0522cdd5597:/workspaces/IntegrationTests# curl -kv --ipv4 https://localhost:1234/health/status
* Trying 127.0.0.1:1234...
* connect to 127.0.0.1 port 1234 failed: Connection refused
* Failed to connect to localhost port 1234 after 0 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 1234 after 0 ms: Connection refused
I tried adding another entry in netsh: https://127.0.0.1:1234 but that didn’t fix the problem. I get the same error.
Lastly, I tried to add in netsh just a generic entry like this:
Reserved URL : https://+:1234/
User: Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)
But when I try to start my app in v studio after that, I get a generic error that IIS cannot start.
I have to remove the entry from netsh, and restart vstudio in order to get rid of the error.
EDIT 3
As far as editing launchsettings.json, our team uses the following:
{
  "$schema": "http://json.schemastore.org/launchsettings.json",
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:39124/",
      "sslPort": 1234
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "launchUrl": "health/status",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "Widget.Server": {
      "commandName": "Project",
      "launchBrowser": true,
      "launchUrl": "https://localhost:1234/health/status",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "https://localhost:1234/"
    }
  }
}
I’m thinking of updating every spot that reads https://localhost:1234 to be https://host.docker.internal:1234.
EDIT 4
This is what I’ve got working so far:
I updated the applicationUrl and the sslPort
{
  "$schema": "http://json.schemastore.org/launchsettings.json",
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:39124/",
      "sslPort": 1234
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "launchUrl": "health/status",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "Widget.Server": {
      "commandName": "Project",
      "launchBrowser": true,
      "launchUrl": "https://localhost:1234/health/status",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "https://host.docker.internal:1234/",
      "sslPort": 44398
    }
  }
}
Then I had to update my applicationhost.config:
<binding protocol="http" bindingInformation="*:39124:localhost" />
<binding protocol="https" bindingInformation="*:1234:localhost" />
<binding protocol="https" bindingInformation="172.31.32.1:1234:*" />
Added the last binding entry.
172.31.32.1 is the IPv4 address I get on the host when I do an ipconfig.
Then lastly, I start VS code as admin.
Then I’m able to do this from the container:
root@b40e84b51354:/workspaces/IntegrationTests# curl -k https://172.31.32.1:1234/health/status
and it returns the results.
2 Answers
The cert issue is being by-passed by -k, the error you are getting is from a web server. I suspect you’re running the app under IIS Express, as that was the only way I could repro this. That would also explain dotnet dev-certs not finding a cert as IIS Express uses a different one.
Side note: If you want to check if you have a self-signed IIS cert here is a PowerShell one-liner:
For fixing IIS Express handling an alternate host name see Anton’s solution here: Bad Request – Invalid Hostname IIS7 (Edit: better option: https://stackoverflow.com/a/70104414/12567640)
You can also bypass this issue by running the app with dotnet run instead. That does require using dotnet dev-certs to set up a cert, but it then worked for me when called from a container.
Edit:
Sorry cited the wrong answerer 🤦♂️, but found a better answer anyway
Updating rnofenko’s answer for the container usage looks like:
Warning:
Binding to host.docker.internal this way requires running VS as admin.
I know you don’t want to create a self-signed cert and seem satisfied with by-passing. But if you change your mind here is a sample that creates a self-signed cert that supports "localhost" and "host.docker.internal" : https://github.com/NCarlsonMSFT/CertExample
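The certificate the answer's last paragraph describes, one valid for both "localhost" and "host.docker.internal", sketched with the openssl CLI as an added example (not code from the answer or from the linked CertExample repository). The function names, the dev.key/dev.crt file names and the 30-day lifetime are assumptions; the check also covers the 172.31.32.1 address from the question, which such a certificate does not list.

```shell
# Added example: file names and function names are constructed for illustration.

# make_dev_cert DIR
# Writes DIR/dev.key and DIR/dev.crt: a self-signed certificate whose
# subjectAltName lists both host names used on this page.
make_dev_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/dev.key" -out "$dir/dev.crt" \
        -subj "/CN=localhost" \
        -addext "subjectAltName=DNS:localhost,DNS:host.docker.internal" \
        >/dev/null 2>&1
}

# cert_covers CERT host|ip VALUE
# Succeeds only if VALUE matches the certificate, i.e. a client that
# verifies the peer (curl without -k) would accept that name or address.
cert_covers() {
    openssl x509 -in "$1" -noout "-check$2" "$3" | grep -q 'does match'
}

# Demonstration in a throwaway directory.
demo_dir=$(mktemp -d)
make_dev_cert "$demo_dir"
for target in "host localhost" "host host.docker.internal" "ip 172.31.32.1"; do
    set -- $target
    if cert_covers "$demo_dir/dev.crt" "$1" "$2"; then
        echo "$2: covered by the certificate"
    else
        echo "$2: NOT covered, verification would fail without -k"
    fi
done
rm -rf "$demo_dir"
```

Once the server presents this certificate, `curl --cacert dev.crt https://host.docker.internal:1234/health/status` verifies the connection against it, so `-k` is no longer needed.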