Lune Logo

© 2025 Lune Inc.
All rights reserved.

support@lune.dev

Want to use over 200+ MCP servers inside your coding tools like Cursor?

Asked 1 month ago by JovianPilot423

Stack OverflowFrom Stack Overflow

How can I fix the SSL handshake error with client certificates in a .NET 8 Docker container?

The post content has been automatically edited by the Moderator Agent for consistency and clarity.

SSL Handshake Error in Docker: .NET 8 and OpenSSL

Issue

I have a .NET 8 application that works fine in a Windows + Visual Studio environment, but when running inside a Docker container, it fails with an SSL handshake error during an HTTPS request using a client certificate. I attempted to resolve this by manually adding the certificate in the Dockerfile with update-ca-certificates, but the issue persists.

Dockerfile

DOCKERFILE
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base
USER root
RUN apt-get update && apt-get install -y ca-certificates

COPY ["InsuranceApi/sosMedecin.crt", "/usr/local/share/ca-certificates/sosMedecin.crt"]
RUN update-ca-certificates

USER $APP_UID
WORKDIR /app
EXPOSE 8080
EXPOSE 8081

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
ARG BUILD_CONFIGURATION=Release
WORKDIR /src

COPY ["InsuranceApi/InsuranceApi.csproj", "InsuranceApi/"]
RUN dotnet restore "./InsuranceApi/InsuranceApi.csproj"
COPY . .
WORKDIR "/src/InsuranceApi"
RUN dotnet build "./InsuranceApi.csproj" -c $BUILD_CONFIGURATION -o /app/build

FROM build AS publish
ARG BUILD_CONFIGURATION=Release
RUN dotnet publish "./InsuranceApi.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app

COPY --from=publish /app/publish .
COPY ["InsuranceApi/sosMedecin.pfx", "/app/publish/sosMedecin.pfx"]

ENTRYPOINT ["dotnet", "InsuranceApi.dll"]

AuthenticationService.cs

CSHARP
public class AuthenticationService
{
    private readonly CertificateOptions _certificateOptions;
    private readonly SsoOptions _ssoOptions;

    public AuthenticationService(IOptions<CertificateOptions> certificateOptions, IOptions<SsoOptions> ssoOptions)
    {
        _certificateOptions = certificateOptions.Value;
        _ssoOptions = ssoOptions.Value;
    }

    public async Task<string?> GetSsoToken()
    {
        string? ssoToken = null;
        HttpClientHandler handler = new HttpClientHandler();

        try
        {
            // Adding client certificate to HttpClientHandler
            handler.ClientCertificates.Add(new X509Certificate2(_certificateOptions.CertificatePath, _certificateOptions.CertificatePassword));

            // Making the HTTP request to get the SSO token
            using (var client = new HttpClient(handler))
            {
                var content = new FormUrlEncodedContent(new[]
                {
                    new KeyValuePair<string, string>("format", "text"),
                    new KeyValuePair<string, string>("username", _ssoOptions.Username),
                    new KeyValuePair<string, string>("password", _ssoOptions.Password),
                    new KeyValuePair<string, string>("submit", "confirm")
                });

                HttpResponseMessage response = await client.PostAsync(_ssoOptions.SsoTokenUrl, content);

                // If response contains the SSO token cookie
                if (response.Headers.Contains("Set-Cookie"))
                {
                    var cookieHeader = response.Headers
                        .GetValues("Set-Cookie")
                        .FirstOrDefault(c => c.StartsWith("SSOV2"));

                    if (!string.IsNullOrEmpty(cookieHeader))
                    {
                        ssoToken = cookieHeader.Split(';')[0].Split('=')[1];
                    }
                    else
                    {
                        throw new ArgumentNullException("Cookie with SSO token was not found.");
                    }
                }
                else
                {
                    throw new ArgumentNullException($"SSO token not found in response.\nResponse: {await response.Content.ReadAsStringAsync()}");
                }
            }
        }
        catch (Exception ex)
        {
            // Log any errors and inner exceptions
            Console.WriteLine($"Unexpected error: {ex.Message}");
            while (ex.InnerException != null)
            {
                Console.WriteLine($"Inner Exception: {ex.InnerException.Message}");
                ex = ex.InnerException;
            }
            throw;
        }

        return ssoToken;
    }
}

I'm looking for guidance on why the SSL handshake fails inside Docker and what steps I can take to resolve this, considering the differences in certificate handling between Windows and Linux/OpenSSL.

1

Comments 0

Answers 3

Views 92

3 Answers

Answer by StackOverflowTychoAI Agent 1 month ago

0

Below is a list of troubleshooting steps and recommendations to help you resolve the SSL handshake error when running your .NET 8 application in a Docker container:

1. Verify the Certificate Chain

When running on Linux, .NET 8 on Docker uses OpenSSL rather than the Windows certificate store. Ensure that:

  • The CA certificate file (sosMedecin.crt) is in the proper PEM format.
  • The certificate file includes the full chain (all necessary intermediate certificates) so OpenSSL can validate it.
  • The pfx file (sosMedecin.pfx) that contains the client certificate actually includes the private key and is valid.

2. Confirm Installation of CA Certificates

Your Dockerfile installs and updates CA certificates, which is a good first step. Double-check that the certificate is copied to the correct location and that the update is successful. In your Dockerfile you use:

DOCKERFILE
RUN apt-get update && apt-get install -y ca-certificates
COPY ["InsuranceApi/sosMedecin.crt", "/usr/local/share/ca-certificates/sosMedecin.crt"]
RUN update-ca-certificates

Make sure that:

  • The sosMedecin.crt file is in PEM format.
  • Update-ca-certificates reports that the certificate was added (you should see a message like “1 added, 0 removed…”).

3. Validate Client Certificate Loading in Code

When constructing the X509Certificate2 from your pfx file in code, verify that:

  • The pfx file path is correct inside the container.
  • The password provided (_certificateOptions.CertificatePassword) is correct.
  • The certificate loads with its private key (you can check the property Certificate.HasPrivateKey).

For example, you might add some temporary logging:

CSHARP
var clientCert = new X509Certificate2(_certificateOptions.CertificatePath, _certificateOptions.CertificatePassword);
Console.WriteLine($"Certificate loaded. Has Private Key: {clientCert.HasPrivateKey}");
handler.ClientCertificates.Add(clientCert);

4. Consider Custom Server Certificate Validation (for Diagnostics Only)

If the handshake still fails, add a custom validation callback to get more diagnostic details. This should only be done temporarily for troubleshooting:

CSHARP
HttpClientHandler handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
{
    Console.WriteLine($"Errors during certificate validation: {errors}");
    return errors == SslPolicyErrors.None;
};
handler.ClientCertificates.Add(new X509Certificate2(_certificateOptions.CertificatePath, _certificateOptions.CertificatePassword));

Review the logged validation errors to further pinpoint if it’s a chain, hostname, or other configuration issue.

5. Environment-Specific Considerations

Because Linux (and thus your container) relies on OpenSSL, there might be differences from Windows. Some points to check:

  • Ensure that the base image you’re using (mcr.microsoft.com/dotnet/aspnet:8.0) provides a compatible version of OpenSSL.
  • If additional intermediate certificates are needed for your SSO endpoint, include them in your CA bundle or add additional certificate files using the same update method.
  • If you control the SSO endpoint, verify that its certificate chain is complete.

Summary

The error likely stems from a mismatch between how Windows and Linux (using OpenSSL) handle certificate chains. Double-check that your CA certificate file is in the correct format and contains all necessary intermediates. Also, verify that your client certificate (pfx) is loaded correctly, and consider using a custom validation callback to gather more information about where the handshake is failing.

Following these steps should help you isolate and resolve the SSL handshake issues in your Docker container environment.

Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?

No comments yet.

Answer by CosmicRanger060 1 month ago

0

you maybe need to lower the min allowed ssl protocoll from the docker image with something like this:

DOCKERFILE
USER root
RUN sed -i '/\[openssl_init\]/a ssl_conf = ssl_configuration' 
  /etc/ssl/openssl.cnf

RUN echo "\n[ssl_configuration]" >> /etc/ssl/openssl.cnf \
  && echo "system_default = tls_system_default" >> /etc/ssl/openssl.cnf

RUN echo "\n[tls_system_default]" >> /etc/ssl/openssl.cnf \
  && echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf \
  && echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
#RUN cat -n /etc/ssl/openssl.cnf

USER $APP_UID

No comments yet.

Answer by EtherealAdventurer386 1 month ago

0

We had the same issue about three weeks ago, but we were using a Windows image. C# certificate validation worked outside of Docker, but failed inside the container with an SSL exception. It is not exactly your problem since you are using a Linux container, but it might be very similar. I will write up our solution and hope that it might point you in the right direction.

We were running the Windows container on systems behind proxies. Our problem was that whatever client the container was using for the certificate revocation check (it is not the C# HTTP client!) was not respecting the proxy settings set to Docker and the C# http client, and we got the SSL connection exception.

The simple solution was to set the certificate revocation mode to Offline in our certificate validation callback. No more calls where send out of the container for the certificate revocation check, and the certificate verification worked fine inside the container.

Since we did not want to do that, we had to set the proxy settings to the registry of the container, which fixed the issue. This could be done in the Dockerfile using reg add, but since we are using the same container for different customer systems with different proxies, we had to pass the proxy / no proxy settings during the startup of the container via environment variables, f.e. HTTP_PROXY and NO_PROXY. The C# app then writes these values into the registry during startup, simplified code:

CSHARP
string path = @"Software\Microsoft\Windows\CurrentVersion\Internet Settings";
string httpProxy = Environment.GetEnvironmentVariable("HTTP_PROXY");
string noProxy = Environment.GetEnvironmentVariable("NO_PROXY");

using (RegistryKey key = Registry.CurrentUser.CreateSubKey(path, writable: true))
{
  key.SetValue("ProxyServer", httpProxy, RegistryValueKind.String);
  key.SetValue("ProxyEnable", 1, RegistryValueKind.DWord);
  key.SetValue("MigrateProxy", 1, RegistryValueKind.DWord);
  key.SetValue("ProxyOverride", noProxy, RegistryValueKind.String);
}

Hope this helps and gives you some ideas on what can go wrong, debugging these certificate issues in a container is not straight forward. What helped me is building the certificate chain in the C# code manually and logging all results, and using tools like openssl and the Test-Certificate cmdlet on the command line inside the container to get more results on what exactly goes wrong during the certificate validation.

No comments yet.

Discussion

No comments yet.

Similar Posts

How can I fix 'connection refused' errors between PostgreSQL Citus coordinator and worker containers in Docker?

How can I fix ASP.NET Identity cookie conflicts between two Nginx-hosted ASP.NET apps on one server?

Why does my local OpenAI API call fail with an SSL certificate verify error?