Unable to update Openssl.cnf file using Dockerfile command
I am working on an application which is built on .NET 5 and we generate docker images. Lately I am having an issue with one of the custom docker images which I'm using as a base. I am getting an SSL certificate error with a few external endpoints in my application.
After doing some research on this issue, I found out that the openssl.cnf file should be updated with certain cipher strings and the TLS protocol needs to be set to 1.2.
I am able to achieve the results when I manually copy a new openssl.cnf file using command prompt commands:
```
docker cp openssl.cnf Alkaline_Pretty:etc/ssl/openssl.cnf
```
But when I try to copy the new openssl.cnf file from the Dockerfile in my application, it doesn't update the file in the container location.
My Dockerfile looks something like this:
```
#See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
FROM custom/docker/Imagefor/datadog:5.0 AS base
WORKDIR /app
EXPOSE 80
EXPOSE 443

FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /src
COPY ["Nuget.Config", "."]
COPY ["Directory.Build.props", "."]
COPY ["WebApplication/WebApplication.csproj", "WebApplication/"]
RUN dotnet restore "WebApplication/WebApplication.csproj"
COPY . .
WORKDIR "/src/WebApplication"
RUN dotnet build "WebApplication.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "WebApplication.csproj" -c Release -o /app/publish

FROM base AS final
# Install ca-certificates
COPY WebApplication/SomeCertificate.crt /usr/local/share/ca-certificates/SomeCertificate.crt
COPY WebApplication/openssl.cnf /etc/ssl/openssl.cnf
RUN update-ca-certificates
#Datadog service name
ENV DD_SERVICE_NAME=myapplication
ENV ASPNETCORE_URLS=http://+:8080
ENV DD_LOGS_INJECTION=true
ENV DD_TRACE_AGENT_PORT=8126
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "WebApplication.dll"]
```
My file structure is something like this:
```
src
  WebAppplication
    WebApplication.csproj
    openssl.cnf
```
Solution 1:[1]
Some possible reasons for failure
- WebApplication/openssl.cnf might be different from the openssl.cnf used in the example.
- Your application might destroy openssl.cnf on container start. Be sure there is nothing toxic in the source code which might cause it.
- update-ca-certificates might have some side effects which, with the new openssl.cnf, might break your app.
Recommendations for debugging
- Try to diff the original openssl.cnf with the openssl.cnf in the container. It will help you to find the origin of the error.
- If the openssl.cnf is intact, I would recommend checking whether the new certificate bundle is the same as in older images.
- If the openssl.cnf is changed, try to find the source of the change. Changing the order of Dockerfile execution might help you with it.
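The diff recommended above, as an added example that is not part of the original answer: it compares two openssl.cnf files setting by setting, so comments and spacing do not show up as differences. Both embedded files and their values are constructed samples; `parse_cnf` and `diff_cnf` are names chosen here, and the parser assumes no line continuations or `.include` directives.

```python
import re

# Constructed sample: the openssl.cnf kept in the repository (the file the Dockerfile COPYs).
REPO_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = ECDHE+AESGCM:ECDHE+CHACHA20
"""
# Constructed sample: /etc/ssl/openssl.cnf as copied back out of the running container.
CONTAINER_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ ssl_sect ]
system_default = system_default_sect
[system_default_sect]
CipherString   = DEFAULT@SECLEVEL=2   # trailing comment
"""

def parse_cnf(text):
    """Return {(section, key): value}; comments, blank lines and spacing are ignored.
    Assumption: no backslash continuations, no .include, no '#' inside values."""
    settings, section = {}, "default"   # keys before any [section] go to "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only
        if sep:
            settings[(section, key.strip())] = value.strip()
    return settings

def diff_cnf(expected, actual):
    """List (section, key, expected, actual) for every setting that differs; None = absent."""
    keys = sorted(set(expected) | set(actual))
    return [(s, k, expected.get((s, k)), actual.get((s, k)))
            for s, k in keys if expected.get((s, k)) != actual.get((s, k))]

if __name__ == "__main__":
    for section, key, want, got in diff_cnf(parse_cnf(REPO_CNF), parse_cnf(CONTAINER_CNF)):
        print(f"[{section}] {key}: repo={want!r} container={got!r}")
```

An empty result means the file in the container carries the same settings as the one in the repository, which points the investigation at the certificate bundle instead.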
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 |
