Ocelot certificate problem. The SSL connection could not be established, see inner exception

  .net-core, docker, ocelot, ssl, ssl-certificate

I am running locally, using Docker, an Ocelot API gateway service (https://localhost:5010) that calls a .NET Core API (https://localhost:5003).

I used self-signed certificates and both services are secure:

API certificate

Ocelot certificate

To make it work locally I added this to Ocelot.Development.json:

    {
      "DownstreamPathTemplate": "/ActivityTypes",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "xplora.api",
          "Port": "443"
        }
      ],
      "UpstreamPathTemplate": "/ActivityTypes",
      "UpstreamHttpMethod": [ "GET" ],
      "RateLimitOptions": {
        "ClientWhitelist": [],
        "EnableRateLimiting": true,
        "Period": "3s",
        "PeriodTimespan": 1,
        "Limit": 1
      },
      "FileCacheOptions": { "TtlSeconds": 30 }
    }

Where xplora.api is the name of the container defined in docker-compose.

    container_name: xplora.api
    environment:

When I access the Ocelot API gateway I get this error:

xploraproject-xploraapigateway-1  |       requestId: 0HMDG3PCRH54C:00000001, previousRequestId: no previous request id, message: Error Code: ConnectionToDownstreamServiceError Message: Error connecting to downstream service, exception: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
xploraproject-xploraapigateway-1  |        ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
xploraproject-xploraapigateway-1  |          at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
xploraproject-xploraapigateway-1  |          at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
xploraproject-xploraapigateway-1  |          at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
xploraproject-xploraapigateway-1  |          --- End of inner exception stack trace ---
xploraproject-xploraapigateway-1  |          at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

I suspect the problem is that when I try to access these services using localhost it works fine because the certificate is assigned to the localhost domain, but when Ocelot tries to use https://xplora.api:5003 this certificate is not working. Am I right? If so, how can I make it work? I used "DangerousAcceptAnyServerCertificateValidator": true in Ocelot.Development.json and it works, but I want a real solution, without using DangerousAcceptAnyServerCertificateValidator.

Thanks

Source: Docker Questions
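The name mismatch described in the question can be reproduced outside .NET. The script below is an added example, not part of the original post: it issues two self-signed development certificates and checks each against `localhost` and the container name `xplora.api`. It assumes OpenSSL 1.1.1 or later; the file names and the 30-day lifetime are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reproduce the name mismatch and
# show that a SAN entry for the container name removes it.
set -eu

# make_cert <prefix> <subjectAltName>
# Writes <prefix>.key and <prefix>.crt, a short-lived self-signed dev certificate.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=localhost" -addext "subjectAltName=$2" 2>/dev/null
}

# host_matches <cert> <hostname>
# Succeeds only when the certificate is valid for <hostname>.
host_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# report <cert> <hostname>: print the result of the name check.
report() {
  if host_matches "$1" "$2"; then
    echo "$(basename "$1"): $2 -> name matches"
  else
    echo "$(basename "$1"): $2 -> name does NOT match"
  fi
}

demo() {
  local dir
  dir=$(mktemp -d)   # constructed, throwaway output location
  # Certificate valid for localhost only, like the one the question describes.
  make_cert "$dir/localhost-only" "DNS:localhost"
  # Certificate that also names the docker-compose container.
  make_cert "$dir/with-container-name" "DNS:localhost,DNS:xplora.api"
  for cert in "$dir/localhost-only.crt" "$dir/with-container-name.crt"; do
    report "$cert" localhost
    report "$cert" xplora.api
  done
  rm -rf "$dir"
}

demo
```

A certificate that names `xplora.api` clears only the RemoteCertificateNameMismatch part of the error. RemoteCertificateChainErrors is separate: the gateway container must also trust the self-signed certificate, or the CA that issued it.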
