My .net Core app works and connects fine from my host machine.

Once built and run from a Docker container it fails with the error System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

The mongo connection string used is mongodb://[email protected]/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false&connectTimeoutMS=3000

I've verified the cert file is in the directory with the rest of my binaries when the app is run, using RUN wget https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem -P /app

I've also tried to install the cert using the dotnet-certificate-tool within the container.

Update: I was able to get the p7b version of the cert to work but it had to be loaded via code. It could not be loaded from the OS cert store.

  • Can you share your C# code (without username, pw, etc.) that I can use to repro? Also, did you follow the code sample from here - docs.aws.amazon.com/documentdb/latest/developerguide/…? Commented Apr 16, 2021 at 21:05
  • @meet-bhagdev Looks like .NET running under Linux can't load certs from the Linux cert store. In Windows the cert will load from the OS without any special code. In Linux, however, you have to load it via code. I'll update this once I figure out more. Commented Apr 18, 2021 at 14:56

1 Answer

Same issue using a .NET Core 6 Web API deployed to Docker (Debian GNU/Linux 11), with the error message: A timeout occurred after 30000ms selecting a server...tldr;cut;tldr;...Driver.MongoConnectionException: An exception occurred while opening a connection to the server.\n ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain\n...tldr;cut;...

And solved it by adding some lines to the Dockerfile:

FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base

# add AWS RDS CA bundle
ADD https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem /tmp/rds-ca/aws-rds-ca-bundle.pem
# split the bundle into individual certs (cert, cert1, cert2, ...): every line is
# written to the current file; after an END CERTIFICATE line the next line starts a new file.
# update-ca-certificates expects one certificate per .crt file, hence the split.
# see http://blog.swwomm.com/2015/02/importing-new-rds-ca-certificate-into.html
RUN cd /tmp/rds-ca && cat aws-rds-ca-bundle.pem|awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > ("cert" n)}' \
    && for CERT in /tmp/rds-ca/cert*; do mv "$CERT" /usr/local/share/ca-certificates/aws-rds-ca-$(basename "$CERT").crt; done \
    && rm -rf /tmp/rds-ca \
    && update-ca-certificates

WORKDIR /app
EXPOSE 80
EXPOSE 443
...
...
...
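The answer above fixes the OS trust store; the question's update says the bundle can instead be loaded in code. As an added example (not code from the question, the answer or the MongoDB driver), this is what that looks like: the RDS CA bundle (PEM or .p7b) is read from a file and the server chain is validated against only those roots, rather than trusting anything in the OS store or disabling validation. `DocDbTrust`, `TrustOnlyBundle` and `Connect` are hypothetical names, and the bundle path is passed explicitly rather than taken from the connection string.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

// Hypothetical helper class, not part of the MongoDB .NET driver.
static class DocDbTrust
{
    // Returns a validation callback that trusts ONLY the CAs in the bundle file,
    // independent of whatever the OS cert store contains.
    public static RemoteCertificateValidationCallback TrustOnlyBundle(string bundlePath)
    {
        var roots = new X509Certificate2Collection();
        // Assumption: Import reads the whole bundle (PEM with several certs, or a .p7b,
        // which the question's update confirms loads via code on Linux).
        roots.Import(bundlePath);

        return (sender, cert, chain, errors) =>
        {
            if (cert is null) return false;
            // Only chain errors are re-evaluated below; a name mismatch or a missing
            // certificate is always fatal.
            if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
                return false;

            using var leaf = new X509Certificate2(cert);
            using var custom = new X509Chain();
            // CustomRootTrust: the chain must terminate in one of OUR roots, nothing else.
            custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            custom.ChainPolicy.CustomTrustStore.AddRange(roots);
            // The bundle also carries intermediates; make them available for chain building
            // so a server that sends only its leaf does not fail with PartialChain.
            custom.ChainPolicy.ExtraStore.AddRange(roots);
            custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            return custom.Build(leaf);
        };
    }

    // Builds a MongoClient whose TLS validation uses the bundle-only callback.
    public static MongoClient Connect(string connectionString, string bundlePath)
    {
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.UseTls = true;
        settings.SslSettings = new SslSettings
        {
            ServerCertificateValidationCallback = TrustOnlyBundle(bundlePath)
        };
        return new MongoClient(settings);
    }
}
```

Because the callback ignores the OS verdict and rebuilds the chain itself, a wrong or stale bundle fails closed (the connection is refused) rather than silently falling back to system roots.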
