I am trying to make my .net core api on live on AWS fargate. I have created an application load balancer on AWS and added to listeners for 80 and 443 ports.
I exposed 8080 port to 80 and 8081 port to 443 in my container.
Here is my task definition file
{
"ipcMode": null,
"executionRoleArn": "my-esc-roles",
"containerDefinitions":
[
{
"dnsSearchDomains": null,
"environmentFiles": null,
"logConfiguration":
{
"logDriver": "awslogs",
"secretOptions": null,
"options":
{
"awslogs-group": "/ecs/my-tasks",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint":
[],
"portMappings":
[
{
"hostPort": 8080,
"protocol": "tcp",
"containerPort": 8080
},
{
"hostPort": 8081,
"protocol": "tcp",
"containerPort": 8081
}
],
"command":
[],
"linuxParameters": null,
"cpu": 0,
"environment":
[],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints":
[],
"workingDirectory": null,
"secrets":
[
{
"valueFrom": "LiveDb",
"name": "LiveDb"
},
{
"valueFrom": "SSLPath",
"name": "ASPNETCORE_Kestrel__Certificates__Default__Path"
},
{
"valueFrom": "SSLPassword",
"name": "ASPNETCORE_Kestrel__Certificates__Default__Password"
}
],
"dockerSecurityOptions": null,
"memory": 500,
"memoryReservation": 400,
"volumesFrom":
[],
"stopTimeout": null,
"image": "my-ecr-repo/image:latest",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "my-container"
}
],
"placementConstraints":
[],
"memory": "2048",
"taskRoleArn": "**********************",
"compatibilities":
[
"EC2",
"FARGATE"
],
"taskDefinitionArn": "*******************",
"family": "supplierportal-tasks",
"requiresAttributes":
[
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.execution-role-awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.ecr-auth"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.secrets.ssm.environment-variables"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.task-eni"
}
],
"pidMode": null,
"requiresCompatibilities":
[
"FARGATE"
],
"networkMode": "awsvpc",
"runtimePlatform":
{
"operatingSystemFamily": "LINUX",
"cpuArchitecture": null
},
"cpu": "1024",
"revision": 10,
"status": "ACTIVE",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes":
[]
}
And here is my dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
EXPOSE 8080
EXPOSE 8081
ENV ASPNETCORE_URLS=http:// :8080;https:// :8081
# Creates a non-root user with an explicit UID and adds permission to access the /app folder
# For more info, please refer to https://aka.ms/vscode-docker-dotnet-configure-containers
RUN adduser -u 5678 --disabled-password --gecos "" appuser && chown -R appuser /app
USER appuser
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
COPY ["WebAPI/WebAPI.csproj", "WebAPI/"]
RUN dotnet restore "WebAPI/WebAPI.csproj"
COPY . .
WORKDIR "/src/WebAPI"
RUN dotnet build "WebAPI.csproj" -c Release -o /app/build
FROM build AS publish
RUN dotnet publish "WebAPI.csproj" -c Release -o /app/publish /p:UseAppHost=false
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "WebAPI.dll"]
When it comes to port 80 everything works perfectly. but on port 443 I could not be able to set up SSL.
Here is the error log I receive.
Unhandled exception. Interop Crypto OpenSslCryptographicException: error:2006D080:BIO routines:BIO_new_file:no such file
I have stored my pfx file in s3 but it did not work. Where should I put my pfx file to deploy it in a container?
I have used the below paths for SSL on S3.
s3://mycert/WebAPI.pfx => did not work
https://my-cert.s3.amazonaws.com/ebAPI.pfx => did not work
arn:aws:s3:::my-cert/WebAPI.pfx => did not work
CodePudding user response:
I have stored my pfx file in s3 but it did not work. Where should I put my pfx file to deploy it in a container?
You would need to add a step to the startup of your docker container to copy the file from S3 into the container, using either the AWS CLI tool, or the AWS SDK.
You really only need the SSL certificate that is installed on the load balancer, unless you have some sort of regulatory requirement for end-to-end encryption. The Application Load Balancer is doing SSL termination, so the network connection between the user's web browser and your AWS private network is encrypted. The SSL listener on the load balancer's port 443 can forward traffic to your unencrypted port 8080.