No SSL connection possible when request comes from outside the network

  asp.net, docker, networking, ssl, tcp

I have a very strange error and I cannot find a solution.

I have a RESTful service written with Asp.Net core which is running in a docker-container on a virtual machine of my university. I want to access the service via an SSL-encrypted connection. So, I got an SSL-certificate for the according domain (studybuddy.hshl.de, not self-signed). As there is another service on port 443 already, I need to map this service to a different port (8080).

This is the according part of the docker-compose.yaml:

  services:
    image: xyz/xyz
    environment:
      - POSTGRESQL_HOST=postgres
      - POSTGRESQL_USER=postgres
      - POSTGRESQL_DATABASE=postgres
      - POSTGRESQL_PASSWORD=secret
      - ASPNETCORE_URLS=https://+:443
      - ASPNETCORE_HTTPS_PORT=443
      - ASPNETCORE_Kestrel__Certificates__Default__Password=secret
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx
    ports:
      - 8080:443
    volumes:
      - type: bind
        source: /Users/xyz/.aspnet/https/aspnetapp.pfx
        target: /https/aspnetapp.pfx
    depends_on:
      - postgres

So far so good.

If I'm connected via VPN to the network in which the server is located everything works fine and I can connect to the url via https://studybuddy.hshl.de:8080.

I can test the connection using the following command:

openssl s_client -crlf -connect studybuddy.hshl.de:8080

The result is as expected:

CONNECTED(00000005)
depth=3 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
verify return:1
depth=2 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
verify return:1
depth=1 C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
verify return:1
depth=0 C = DE, ST = Nordrhein-Westfalen, L = Hamm, O = Hochschule Hamm-Lippstadt, OU = Forschungsprojekt StudyBuddy, CN = studybuddy.hshl.de
verify return:1
---
Certificate chain
 0 s:C = DE, ST = Nordrhein-Westfalen, L = Hamm, O = Hochschule Hamm-Lippstadt, OU = Forschungsprojekt StudyBuddy, CN = studybuddy.hshl.de
   i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
 1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
   i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
 2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
   i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIIDDCCBvSgAwIBAgIMJO/QFt5aJu+OswQsMA0GCSqGSIb3DQEBCwUAMIGNMQsw
CQYDVQQGEwJERTFFMEMGA1UECgw8VmVyZWluIHp1ciBGb2VyZGVydW5nIGVpbmVz
IERldXRzY2hlbiBGb3JzY2h1bmdzbmV0emVzIGUuIFYuMRAwDgYDVQQLDAdERk4t
UEtJMSUwIwYDVQQDDBxERk4tVmVyZWluIEdsb2JhbCBJc3N1aW5nI...

But as soon as I am outside the network, no SSL connection can be established any longer. Using the exact same openssl-command with the exact same service now produces this output:

CONNECTED(00000005)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

I can observe that a TCP-connection is made to the server in both cases. But why does SSL not work in the second scenario? Does anybody have an idea what tools I could use to find the error?

Best regards…

Source: Docker Questions
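The failing openssl run above shows the TCP connect succeeding while the handshake writes 320 bytes (the ClientHello) and reads 0, i.e. the peer closes the connection before answering. The following diagnostic is an added example, not code from the post; it separates the TCP stage from the TLS stage so that the two environments can be compared, and ships a local listener that reproduces the "accepts, then drops" behaviour offline. The host and port in the `__main__` block are the ones from the question; `probe_tls` and `start_server_that_drops` are names chosen here.

```python
import socket
import ssl
import threading


def probe_tls(host, port, timeout=5.0):
    """Connect over TCP, then attempt a TLS handshake, and report at which
    stage the connection failed. Returns a dict rather than printing so the
    result can be compared between two vantage points (VPN vs. outside)."""
    result = {"host": host, "port": port, "tcp_ok": False, "tls_ok": False,
              "stage": "tcp", "error": None, "peer_cert_subject": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = repr(exc)          # no TCP connection at all
        return result
    result["tcp_ok"] = True
    result["stage"] = "tls"
    ctx = ssl.create_default_context()       # verifies chain and hostname
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["tls_ok"] = True
            result["stage"] = "done"
            result["peer_cert_subject"] = tls.getpeercert().get("subject")
    except ssl.SSLError as exc:              # alert, bad cert, or EOF in handshake
        result["error"] = "TLS handshake failed: " + str(exc)
    except OSError as exc:                   # RST / close right after ClientHello
        result["error"] = "peer dropped connection during handshake: " + repr(exc)
    finally:
        raw.close()
    return result


def start_server_that_drops():
    """Constructed test peer: completes the TCP handshake, then closes without
    sending any TLS record. Mimics the 'read 0 bytes' symptom. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # Run once from inside the VPN and once from outside, then diff the dicts.
    print(probe_tls("studybuddy.hshl.de", 8080))
```

A `stage` of `tls` with `tcp_ok` true in one location and `done` in the other narrows the problem to whatever sits between the client and Kestrel on that path, rather than to the certificate or the container itself.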
