Docker镜像:无法配置HTTPS端点,未指定服务器证书,找不到默认的开发人员证书

dffbzjpn  于 12个月前  发布在  Docker
关注(0)|答案(3)|浏览(190)

我试图运行一个基于ASP.NET Core 3.1框架的应用程序在Ubuntu(18.04.3 LTS)服务器上使用Docker容器。
我创建了下面的docker-compose.yml文件,以便能够在我的服务器上运行nginx-proxyprivate_image_name映像。显然,nginx-proxy是一个代理服务器,它将成为将来自Web的流量路由到我的其他运行映像的代理。我遵循nginx-proxy设置的article

version: '3.4'
services:

  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - certificates:/etc/certificates

  private_image_name:
    image: private_image_name:latest
    container_name: private_image_name
    depends_on:
      - nginx-proxy
    environment:
      - VIRTUAL_HOST=sub.domain-example.com
      - ASPNETCORE_ENVIRONMENT=Production
      - ASPNETCORE_URLS=https://+:443;http://+:80
    ports:
      - 51736:80
      - 44344:443
    volumes:
      - storage:/storage
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - certificates:/etc/certificates
      - ${APPDATA}/Microsoft/UserSecrets:/root/.microsoft/usersecrets:ro
      - ${APPDATA}/ASP.NET/Https:/root/.aspnet/https:ro
volumes:
  storage:
  certificates:
networks:
  default:
    external:
      name: nginx-proxy
secrets:
  server.cert:
    file: ./server.cert
  server.key:
    file: ./server.key

字符串
server.certserver.key文件都存储在/etc/certificates中。

sudo openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=US/ST=CA/L=SF/O=Docker-demo/CN=app.example.org" -keyout server.key -out server.cert


我试图通过执行docker-composer up来运行我的两个映像。然而,nginx-proxy没有出现任何问题,而private_image_name无法运行。以下是运行private_image_name尝试启动时的结果

**WARNING**: The APPDATA variable is not set. Defaulting to a blank string.
Recreating private_image ... done
Attaching to private_image
private_image    | crit: Microsoft.AspNetCore.Server.Kestrel[0]
private_image    |       Unable to start Kestrel.
private_image    | System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date.
private_image    | To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
private_image    | For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.
private_image    |    at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)
private_image    |    at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
private_image    | Unhandled exception. System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date.
private_image    | To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
private_image    | For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.
private_image    |    at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)
private_image    |    at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
private_image    |    at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
private_image    |    at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
private_image    |    at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
private_image    |    at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
private_image    |    at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
private_image    |    at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.Run(IHost host)
private_image    |    at private_image.Program.Main(String[] args) in /src/private_image/Program.cs:line 17
private_image exited with code 139


命令dotnet dev-certs https --trust仅适用于Windows和macOS。

问题

如何在Ubuntu服务器上解决这个问题?如何正确地将SSL证书附加到Docker镜像?
另外,当我转到http://server-ip-addresshttp://sub.domain-example.com时,我得到
503 Service Temporarily Unavailable nginx/1.17.5
当我转到https://server-ip-addresshttps://sub.domain-example.com时,
无法连接。

0qx6xfy6

0qx6xfy61#

一旦你在nginx中设置了证书,我认为在asp.net核心容器中启用它是没有意义的,因为你的docker网络将通过nginx对公众可见。
要禁用Kestrel HTTPS侦听,只需从以下代码中删除443端口:

- ASPNETCORE_URLS=https://+:443;http://+:80

字符串
将其改为:

- ASPNETCORE_URLS=http://+:80


.NET 8.0容器引入了一些突破性的变化:
我们还添加了新的ASPNETCORE_HTTP_PORTS环境变量,作为ASPNETCORE_URLS的一个更简单的替代方案。新变量需要一个以字符串分隔的端口号列表,而旧变量需要一个更复杂的语法。
使用旧版WebHost.CreateDefaultBuilder() API构建的应用程序将不遵守新的ASPNETCORE_HTTP_PORTS环境变量。现在ASPNETCORE_URLS不再自动设置,它们将切换到使用默认URL http://localhost:5000,而不是像以前那样使用http://*:80
详细信息:https://learn.microsoft.com/en-us/dotnet/core/compatibility/containers/8.0/aspnet-port

z2acfund

z2acfund2#

在我的情况下,主要问题是与docker-compose.override.yml文件。Docker文件是在Windows机器上生成的,所以下面的行对Mac不正确。

- ${APPDATA}/Microsoft/UserSecrets:/root/.microsoft/usersecrets:ro
- ${APPDATA}/ASP.NET/Https:/root/.aspnet/https:ro

字符串
我不得不用以下几行替换它们:

- ~/.aspnet/https:/root/.aspnet/https:ro
- ~/.microsoft/usersecrets:/root/.microsoft/usersecrets:ro


docker-compose.override.yml的最终代码:

version: '3.4'

services:
  project-api:
    image: project-api
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=https://+:443;http://+:80
    ports:
      - "5001:443"
      - "5000:80"
    volumes:
      - ~/.aspnet/https:/root/.aspnet/https:ro
      - ~/.microsoft/usersecrets:/root/.microsoft/usersecrets:ro

bejyjqdl

bejyjqdl3#

对于那些因为类似问题来到这里的人来说,这帮助我解决了一个问题:
清理开发证书:

dotnet dev-certs https --clean

字符串
创建一个新的

dotnet dev-certs https -t

相关问题