如何在 windows docker 图像中安装 .pfx 证书

How to install .pfx certificate in windows docker image

我有一个使用 identityServer 4 的 .Net Core API,我正在尝试 运行 API 到 Docker Compose (Windows容器)但由于以下异常而无法执行:

Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date.
To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.

在 google 上花了几个小时后,我发现许多链接首先要安装证书,例如 

dotnet dev-certs https --clean
dotnet dev-certs https --trust

**Docker - certificate not trusted**

     1. Delete the C:\Users{USER}\AppData\Roaming\ASP.NET\Https folder.
     2. Clean the solution. Delete the bin and obj folders. 
     3. Restart the Development tool. Visual Studio Code- 2019

在做完上述所有事情后都面临同样的错误,我是不是做错了什么。

这是docker文件

FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-nanoserver-1809 AS base
WORKDIR /app
EXPOSE 80
EXPOSE 443
user ContainerAdministrator

FROM mcr.microsoft.com/dotnet/core/sdk:3.1-nanoserver-1809 AS build
WORKDIR /src

COPY ../Certificate/idsrv3test.pfx .

COPY ["Tests-Identity/Tests-Identity.csproj", "Tests-Identity/"]
RUN dotnet restore "Tests-Identity/Tests-Identity.csproj"
COPY . .
WORKDIR "/src/Tests-Identity"
RUN dotnet build "Tests-Identity.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "Tests-Identity.csproj" -c Release -o /app/publish

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "Tests-Identity.dll"]

这里是docker-compose.override.yml

version: '3.4'

services:
  tests-identity:
    environment:
       - ASPNETCORE_ENVIRONMENT=Development
       - ASPNETCORE_URLS=https://+:443;http://+:80

    ports:
      - "5000:80"
      - "5001:443"
    volumes:
      - ${APPDATA}/Microsoft/UserSecrets:C:\Users\ContainerUser\AppData\Roaming\Microsoft\UserSecrets:ro
      - ${APPDATA}/ASP.NET/Https:C:\Users\ContainerUser\AppData\Roaming\ASP.NET\Https:ro

穆内尔 根据我的理解,以下命令只会在您 运行 在 IISEXPRESS 下使用您的应用程序时对您有帮助,这绝对不会帮助您,但我的理解是您正在尝试 运行 API 下'Docker Compose' 项目 

dotnet dev-certs https --clean
dotnet dev-certs https --trust

所以首先您需要删除 docker 文件中的管理员容器用户

user ContainerAdministrator

并删除这一行

COPY ../Certificate/idsrv3test.pfx .

之后,在 "X509Certificate2" 中添加以下参数,这将在您的 Certificate.cs 文件中

请试试这个link它一定会对你有很大帮助 https://github.com/dotnet/dotnet-docker/issues/863

轻松使用Dockerfile

FROM ${DOCKER_REGISTRY}dotnet/core/sdk:3.1 AS build
ARG VER

WORKDIR /src
COPY . .
RUN dotnet restore --ignore-failed-sources
RUN dotnet publish -c Release --version-suffix "%VER%" -o /app
RUN dotnet dev-certs https -ep ./server.pfx -p 123

要在 docker 构建过程中将证书(pfx 或其他)安装到 nanoserver 容器中,您需要使用 certoc.exe。 Certoc.exe 是 windows 服务器的一部分,您可以在 c:\windows\system32\certoc.exe 中的任何服务器上找到它。但是,它没有随 nanoserver 一起提供。

这是我用来将 CA 证书安装到受信任的根证书颁发机构(“root”)存储中的 docker 文件的一部分:

RUN MKDIR "\temp"
WORKDIR "/temp"
COPY ["my-ca.cer","/temp"]
COPY ["certoc.exe","/temp"]
USER "ContainerAdministrator"
RUN .\certoc -addstore root "c:\temp\my-ca.cer"
RUN del /f /q .\certoc.exe
RUN del /f /q .\my-ca.cer
USER "ContainerUser"

请注意,我正在以 ContainerAdmin 身份安装证书,但其他一切都以 ContainerUser 身份运行(这是最佳做法)。

您可以调整以上内容以使用 certoc 导入 pfx 文件,使用

USER "ContainerUser"
COPY ["mycert.pfx","/temp"]
RUN .\certoc -ImportPFX -p your_pfx_password_here "My" "c:\temp\mycert.pfx"

将 pfx 导入容器用户的个人(“我的”)存储区。