Wiki: Add HTTPS usage inside Docker #517

Closed
winseros opened this issue Oct 9, 2020 · 5 comments
Labels
doc Documentation / WIKI

winseros commented Oct 9, 2020

Greetings.

Some history. We use WireMock to run our unit tests inside Docker. The other day we had to mock a service whose official client library was nailed to work through HTTPS only. Trying to make an HTTPS mock through WireMock, we were surprised it worked nicely on Windows, but inside Docker we were receiving SSL validation errors at connection time.

The reasons behind the behavior are #379, where support for the default aspnetcore development certificates was added, and dotnet/aspnetcore#7246, which prevents default dev certificates from being trusted on Linux / Docker.

There is a way to make WireMock run trusted HTTPS inside Docker that I'd like to share.

  1. Create a localhost.conf file with this content:

    [ req ]
    default_bits       = 2048
    default_keyfile    = localhost.key
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    x509_extensions    = v3_ca
     
    [ req_distinguished_name ]
    commonName         = Common Name (e.g. server FQDN or YOUR name)
     
    [ req_ext ]
    subjectAltName = @alt_names
     
    [ v3_ca ]
    subjectAltName = @alt_names
    basicConstraints = critical, CA:false
    keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1
    1.3.6.1.4.1.311.84.1.1 = DER:01
     
    [ alt_names ]
    DNS.1   = localhost
    DNS.2   = 127.0.0.1
    

    Note the `1.3.6.1.4.1.311.84.1.1 = DER:01` line; it is critical for aspnet to recognize the cert.

  2. Generate the cert:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf -subj /CN=localhost
    openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt -passout pass:
    
  3. Grab the localhost.pfx and localhost.crt and throw them into the target system. In the case of Docker that would look like:

    COPY localhost.crt /usr/local/share/ca-certificates/
    RUN dotnet dev-certs https --clean \
        && update-ca-certificates
    COPY localhost.pfx /root/.dotnet/corefx/cryptography/x509stores/my/

  4. Profit. The system has the aspnetcore dev cert trusted.

Ideally I'd like those 4 steps to be added into the project Wiki so others won't have to spend all the time I did to find a solution.

Best regards.
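
A check for the certificate produced by steps 1 and 2 of the comment above, as an added example that is not part of the original issue or of the WireMock.Net project: it confirms the certificate is unexpired, names localhost in its SAN, and carries the 1.3.6.1.4.1.311.84.1.1 extension before the file is copied into an image. The function names and the throwaway sample certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example: sanity-check a certificate built from the issue's localhost.conf.
# Function names are hypothetical; requires the openssl CLI.

ASPNET_DEV_OID="1.3.6.1.4.1.311.84.1.1"   # marker extension from localhost.conf

# check_dev_cert CRT -> 0 if CRT is unexpired, has DNS:localhost in its SAN and
# carries the marker extension; 1 if a check fails; 2 if CRT cannot be parsed.
check_dev_cert() {
    crt=$1
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || return 2
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "expired: $crt" >&2; return 1; }
    printf '%s\n' "$text" | grep -qF 'DNS:localhost' \
        || { echo "no DNS:localhost SAN: $crt" >&2; return 1; }
    printf '%s\n' "$text" | grep -qF "$ASPNET_DEV_OID" \
        || { echo "missing extension $ASPNET_DEV_OID: $crt" >&2; return 1; }
    return 0
}

# make_sample_cert DIR yes|no -> writes DIR/localhost.crt, a constructed one-day
# test certificate, with or without the marker extension.
make_sample_cert() {
    dir=$1; with_oid=$2
    {
        printf '[ req ]\ndistinguished_name = dn\nx509_extensions = v3\nprompt = no\n'
        printf '[ dn ]\ncommonName = localhost\n'
        printf '[ v3 ]\nsubjectAltName = DNS:localhost\n'
        printf 'basicConstraints = critical, CA:false\n'
        if [ "$with_oid" = yes ]; then printf '%s = DER:01\n' "$ASPNET_DEV_OID"; fi
    } > "$dir/localhost.conf"
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
        -keyout "$dir/localhost.key" -out "$dir/localhost.crt" \
        -config "$dir/localhost.conf" >/dev/null 2>&1
}

# Stand-alone use: check the file given as $1, otherwise a constructed sample.
if [ "$#" -gt 0 ]; then
    check_dev_cert "$1" && echo "ok: $1"
else
    d=$(mktemp -d) && make_sample_cert "$d" yes \
        && check_dev_cert "$d/localhost.crt" && echo "ok: constructed sample"
    rm -rf "$d"
fi
```

Run as `sh check.sh localhost.crt` after step 2, or from a `RUN` line in the image build so a certificate generated without the extension fails the build instead of failing TLS validation at test time.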

Collaborator

StefH commented Oct 10, 2020

Hello @winseros,

I can surely add this to the docker wiki: https://github.com/WireMock-Net/WireMock.Net-docker/wiki

However wouldn't it be a better idea to apply this fix to the Linux docker image, so that by default the https works?

(And can you describe the error when this is not applied?)

@StefH StefH transferred this issue from WireMock-Net/WireMock.Net Oct 10, 2020
@winseros
Author

Hello. I'm not sure if the issue is a case of WireMock.Net-docker. Probably I had to call the issue "Linux" instead of "Docker".

I made a demo project to show the details:
https://github.com/winseros/wiremock.net-https-demo-project

In short, there is a 3rd party HTTPClient library, hardcoded to work only through https (so you can't use HTTP for tests). In order to make WireMock HTTPS tests work, on Windows it is enough to run dotnet dev-certs https --trust, but on Linux or in Docker you have to run the commands from https://github.com/WireMock-Net/WireMock.Net-docker/issues/26#issue-718565995

@StefH StefH transferred this issue from WireMock-Net/WireMock.Net-docker Oct 11, 2020
@StefH StefH added the doc Documentation / WIKI label Oct 11, 2020
Collaborator

StefH commented Oct 11, 2020

OK. I see.

I did add your information to this page:
https://github.com/WireMock-Net/WireMock.Net/wiki/Using-HTTPS-(SSL)

Can you verify it's correct?

@winseros
Author

That's correct. Thank you!

Collaborator

StefH commented Oct 11, 2020

Hello @winseros ; thank you very much for researching the issue + solution.

@StefH StefH closed this as completed Oct 11, 2020