SSL connection could not be established(The remote certificate is invalid according to the validation procedure)

[viveknaragude]

Environment:-
Docker: Windows using Linux containers
OS: Window 10
Microsoft.AspNetCore.App:2.1.1
Microsoft.NETCore.App: 2.10
Docker Image: microsoft/dotnet:2.1-aspnetcore-runtime

Hi ,
I have no idea why this happens but this is an issue that appears when i call webapi hosted in docker container also i follow Hosting ASP.NET Core Images with Docker over HTTPS but not working .

Please help me if i miss anything or fix this issue.

Generate Log:-

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'.
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslState.ThrowIfExceptional()
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_1(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

[karelz]

Is it happening on the client side?
It looks like there is some invalid certificate. Did you check it?
Are you able to reproduce the same problem with brand new HelloWorld-style app? If not, can you create minimal repro that anyone can try?

cc @bartonjs @wfurt

[bartonjs]

This sounds like dotnet/corefx#32455, which is/will-be fixed in 2.1.6.

In the short term, setting an environment variable SSL_CERT_DIR=/dev/null has a good chance of being a functional workaround.

[viveknaragude]

Not sure happening on which side but its on server side
Brand new HelloWorld-style app working well(Create new webapi using vs2017)
Also try to setting an environment variable SSL_CERT_DIR=/dev/null but not working
2.1.6 image available for docker ?

[karelz]

In that case I think we will need a repro to make further progress. Something we can run locally.
Take your app and try to minimize it. The call stack is from client side, which means you can focus on outgoing requests. Ideally create a repro from console app, without any ASP.NET parts.

[viveknaragude]

Hi @karelz @bartonjs @wfurt
Problem in this code

1.startup.cs(ConfigureServices method))

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.Audience = "aud";
                    options.Authority = "https://demo.identityserver.io:44333";
                    options.TokenValidationParameters.ValidIssuers = "issuers";
                });

2)startup.cs (Configure method)

         app.UseAuthentication();

Actually your Authority url is https and your code is working on Linux container in docker then this Exception is occur is any way to handle this exception (Microsoft.AspNetCore.Authentication)

[karelz]

@viveknaragude do you have a repro we can run locally from any machine?

[karelz]

@viveknaragude ping?

[viveknaragude]

Hi @karelz

Its fix

Actually the case is if your .netcore application hosting on IIS server bind with ssl certificate and on that same machine docker is install and other .detcore application hosting using kestrel server in docker container they access iis hosted application url inside second app like (https:///...) that time error is occur its only happen on Linux container not on windows container.

Solution for me:
Add same certificate(.crt) file used by IIS hosting application in Linux container

[viveknaragude]

@karelz ping?

[wfurt]

I'm not sure that is actual problem @viveknaragude. Unless your app uses certificate signed by somebody trusted by the container you need to establish the trust somehow. If anything that seems like container configuration problem. Do I miss something?

[karelz]

Its fix
Actually the case is if your .netcore application hosting on IIS server bind with ssl certificate and on that same machine docker is install and other .detcore application hosting using kestrel server in docker container they access iis hosted application url inside second app like (https:///...) that time error is occur its only happen on Linux container not on windows container.

I didn't quite understand what you meant here.
Check for configuration errors. If you think it is problem in the platform, please create repro steps from scratch (ideally with minimal dependencies - e.g. no containers, etc.).

[gauravagarwal28]

I am encountering the same issue.

Hi @karelz

Its fix

Actually the case is if your .netcore application hosting on IIS server bind with ssl certificate and on that same machine docker is install and other .detcore application hosting using kestrel server in docker container they access iis hosted application url inside second app like (https:///...) that time error is occur its only happen on Linux container not on windows container.

Solution for me:
Add same certificate(.crt) file used by IIS hosting application in Linux container

However, this fix is not working for me.

[karelz]

There is not enough information to make the issue actionable, closing.
If there is a clear repro for us to look at, feel free to reopen (or create new issue with full details). Thanks!

[ewassef]

Here is a simple repro:

private static readonly HttpClient Client = new HttpClient(new HttpClientHandler { UseCookies = false });
var req = new HttpRequestMessage();
req.RequestUri = new Uri("https://www.cnn.com/");
var response = await Client.SendAsync(req);

This is giving me the same error..