[.NET 8] ASP.NET Core Web API Server is Not Accessible in Docker

[cropyai]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Hi,

I created a clean, default ASP.NET Core Web API project. The project name is "WebApplication4". I didn't change a thing in the project. So, everything is intact. I ran this project in release mode & docker. No problem until this point. I closed the docker container and tried to rerun the docker image using command line. My command was docker run -it -p 8080:8080 webapplication4:latest . I tried to access https://localhost:8080/swagger and https://localhost:8080/swagger/index.html. However, none of them is opening and I got an error like this ERR_SSL_PROTOCOL_ERROR.

To fix this, I cleaned all SSL protocols defined before and redefined it by trusting. It did not help. No change in the behaviour.

-> dotnet dev-certs https --clean
-> dotnet dev-certs https

This behavior did not happen before until I updated my visual studio for .net 8.

The docker file is:

#See https://aka.ms/customizecontainer to learn how to customize your debug container and how Visual Studio uses this Dockerfile to build your images for faster debugging.

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base
USER app
WORKDIR /app
EXPOSE 8080
EXPOSE 8081

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
ARG BUILD_CONFIGURATION=Release
WORKDIR /src
COPY ["WebApplication4/WebApplication4.csproj", "WebApplication4/"]
RUN dotnet restore "./WebApplication4/./WebApplication4.csproj"
COPY . .
WORKDIR "/src/WebApplication4"
RUN dotnet build "./WebApplication4.csproj" -c $BUILD_CONFIGURATION -o /app/build

FROM build AS publish
ARG BUILD_CONFIGURATION=Release
RUN dotnet publish "./WebApplication4.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "WebApplication4.dll"]

The launchSettings.json file is:

{
  "profiles": {
    "http": {
      "commandName": "Project",
      "launchBrowser": true,
      "launchUrl": "swagger",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "dotnetRunMessages": true,
      "applicationUrl": "http://localhost:5117"
    },
    "https": {
      "commandName": "Project",
      "launchBrowser": true,
      "launchUrl": "swagger",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "dotnetRunMessages": true,
      "applicationUrl": "https://localhost:7099;http://localhost:5117"
    },
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "launchUrl": "swagger",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "Docker": {
      "commandName": "Docker",
      "launchBrowser": true,
      "launchUrl": "{Scheme}://{ServiceHost}:{ServicePort}/swagger",
      "environmentVariables": {
        "ASPNETCORE_HTTPS_PORTS": "8081",
        "ASPNETCORE_HTTP_PORTS": "8080"
      },
      "publishAllPorts": true,
      "useSSL": true
    }
  },
  "$schema": "http://json.schemastore.org/launchsettings.json",
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:15057",
      "sslPort": 44358
    }
  }
}

Expected Behavior

https://localhost:8080/swagger url should have been accessed successfully after running the docker from command line.

Steps To Reproduce

-> Open Visual Studio 17.8.0.
-> Create a ASP.NET Core Web API with default settings.
-> Run once in release mode in docker.
-> Close the container.
-> Rerun the docker image via command line terminal using docker run -it -p 8080:8080 webapplication4:latest.
-> The server is not accessible via https://localhost:8080/swagger.

Exceptions (if any)

No response

.NET Version

8.0.100

Anything else?

Visual Studio 17.8.0
.NET 8.0.100

[amcasey]

Seems possibly related to https://learn.microsoft.com/en-us/dotnet/core/compatibility/containers/8.0/aspnet-port

[cropyai]

@amcasey Hi, it is not related to the port change, but a bug might be introduced while developing this change.

I started the docker with the correct parameters, however, it resulted in giving protocol error message. Again, to do a sanity check, I tried the commands on the webpage that you referred to. The result is the same!

[amcasey]

Visual Studio does some extra work to pass in cert information when it runs your docker container. Let me see if I can find a sample command line.

[amcasey]

If you look in the Container Tools output window in VS, you'll see a docker run command like

docker run -dt -v "C:\Users\username\vsdbg\vs2017u5:/remote_debugger:rw" -v "C:\Users\username\AppData\Roaming\Microsoft\UserSecrets:/root/.microsoft/usersecrets:ro" -v "C:\Users\username\AppData\Roaming\Microsoft\UserSecrets:/home/app/.microsoft/usersecrets:ro" -v "C:\Users\username\AppData\Roaming\ASP.NET\Https:/root/.aspnet/https:ro" -v "C:\Users\username\AppData\Roaming\ASP.NET\Https:/home/app/.aspnet/https:ro" -v "C:\Program Files\Microsoft Visual Studio\2022\IntPreview\MSBuild\Sdks\Microsoft.Docker.Sdk\tools\TokenService.Proxy\linux-x64\net6.0:/TokenService.Proxy:ro" -v "C:\Program Files\Microsoft Visual Studio\2022\IntPreview\MSBuild\Sdks\Microsoft.Docker.Sdk\tools\HotReloadProxy\linux-x64\net6.0:/HotReloadProxy:ro" -v "C:\Program Files\Microsoft Visual Studio\2022\IntPreview\Common7\IDE\CommonExtensions\Microsoft\HotReload:/HotReloadAgent:ro" -v "C:\Users\username\source\repos\WebApplication13\WebApplication13:/app" -v "C:\Users\username\source\repos\WebApplication13:/src/" -v "C:\.tools\.nuget\packages\:/.nuget/fallbackpackages" -v "C:\Program Files (x86)\Microsoft Visual Studio\Shared\NuGetPackages:/.nuget/fallbackpackages2" -e "ASPNETCORE_LOGGING__CONSOLE__DISABLECOLORS=true" -e "ASPNETCORE_ENVIRONMENT=Development" -e "DOTNET_USE_POLLING_FILE_WATCHER=1" -e "NUGET_PACKAGES=/.nuget/fallbackpackages" -e "NUGET_FALLBACK_PACKAGES=/.nuget/fallbackpackages;/.nuget/fallbackpackages2" -P --name WebApplication13 --entrypoint tail webapplication13:dev -f /dev/null 

Notably, it's mounting a number of volumes containing secrets so that the server in the container will use a certificate that windows already trusts.

[amcasey]

I'd say your best options are to either always launch with VS or load your cert from a file (rather than the cert store) and include that file in your docker image.

[amcasey]

I guess I'm a little skeptical this could have worked with 7.0 because it also needs to mount a folder containing the dev cert(s).

[amcasey]

If you change your sample project to target 7.0, does it behave differently?

Edit: Hmm, I guess you have to make a new project because a different dockerfile was generated in 7.0.

[cropyai]

@amcasey thank you very much for the effort to figure this out. This issue not only happens in Windows but also in Ubuntu. It was not happening in .NET 7 (when both project was .net7 as well as the docker image). However, I am not sure about how to mount volumes for secrets in ubuntu. Probably, I would manually move the necessary files from Windows to Ubuntu right? Also, do you have any idea if this can cause any outdoor in the server? I happen to think that it can be solved easily by .NET team. It is really sad to see the errors with .NET 8.

[cropyai]

If you change your sample project to target 7.0, does it behave differently?

Edit: Hmm, I guess you have to make a new project because a different dockerfile was generated in 7.0.

Exactly, the docker image is different. I guess that might be the main reason behind this.

[amcasey]

I don't see interesting differences. Just a different user and a different port.

[cropyai]

Yes, but what I wanted to say the base docker image from Microsoft might be the issue "FROM mcr.microsoft.com/dotnet/aspnet:8.0".

.NET 7 uses "FROM mcr.microsoft.com/dotnet/aspnet:7.0 AS base" command in the dockerfile.

[amcasey]

Sorry, I'm not sure what difference you're pointing out. They definitely use different base images - that's expected.

[amcasey]

This issue not only happens in Windows but also in Ubuntu

I'd like to help with this, but I'm not sure what you're asking. Do you mean that the container image is Ubuntu or that you have another container host that is Ubuntu?

[cropyai]

So, if we don't need to bind volumes when using aspnet:7.0 base image, it might indicate that there are already necessary files for the certificates in that image. However, for aspnet:8.0 it might lack those files? (I am not an expert, just thinking)

For the second question:

I develop and test the docker images on Windows. Then, I deploy the docker image to the ubuntu server where I run the docker image.

[cropyai]

@amcasey I saw that you are from Microsoft. I want to sincerely share my thoughts on the situation of .NET. Lately, I see many comments that Microsoft lacks speed in fixing the errors in .NET, especially in .NET MAUI which in every release goes two steps forward and one step back. As for our company ( cropy.ai ), we have used C# .NET for a very long time in our backend. We love all the features and the stability on asp.net side. However, for .NET MAUI, it seems like developers can't use the technology because of the bugs. We have an app for Android as well. However, we think that we cannot go with .NET for IOS, Android anymore, but we want to. So, if you can channel the feedback to the appropriate channels, I would be really glad. Other than that, there is nothing much to say. We all see the improvements on the performance side. Thank you again! I hope I didn't sound very bad . If you are not the correct person to write this, I am sorry to bother.

[amcasey]

So, if we don't need to bind volumes when using aspnet:7.0 base image, it might indicate that there are already necessary files for the certificates in that image. However, for aspnet:8.0 it might lack those files? (I am not an expert, just thinking)

No, those files are specific to your installation and wouldn't be included in a published image. They're generated when you run dotnet dev-certs.

I develop and test the docker images on Windows. Then, I deploy the docker image to the ubuntu server where I run the docker image.

In that case, you're going to need to manage your certificates manually - the development certificates won't be available on other machines, particularly on linux.

[cropyai]

Do you think this issue happening in .NET 8 is still a bug? It was not happening in .NET 7. For now, I am not thinking of updating to .NET 8 from .NET 7.

[amcasey]

However, for .NET MAUI, it seems like developers can't use the technology because of the bugs

I don't work on MAUI myself, but I'll see if I can put you in touch with someone. Thanks for the feedback!

Edit: the right people have been notified but there may be a delay because of multiple conferences this week and a major US holiday next week.

[amcasey]

Do you think this issue happening in .NET 8 is still a bug? It was not happening in .NET 7. For now, I am not thinking of updating to .NET 8 from .NET 7.

I'm going to need more details about your setup to understand how things could have worked in 7.0. From an aspnetcore perspective, https isn't going to work unless those certs are available to the server running in the container. I'm not aware of a change to the way the container tools plumb them through, but I may have missed something.

Let me see whether there's a log statement that lists where a cert was pulled from.

Edit: No, it only logs on failure.

[amcasey]

How are you setting your certificate(s) now? The two most common ways are in appsettings.json and in code by calling UseHttps.

[amcasey]

Since you're working with toy applications (e.g. WebApplication4), are you able to share a 7.0 example that does work and an 8.0 example that doesn't? Creating a repo and linking to that might be easiest.

[cropyai]

How are you setting your certificate(s) now? The two most common ways are in appsettings.json and in code by calling UseHttps.

I don't use any certificate for the asp.net server since I provide the SSL certificate from AWS for the backend domain. AWS takes all requests and redirects them to the backend server machine.

[cropyai]

Since you're working with toy applications (e.g. WebApplication4), are you able to share a 7.0 example that does work and an 8.0 example that doesn't? Creating a repo and linking to that might be easiest.

Now, I tried it and it doesn't work with .NET 7 aspnet image as well. I think the recent docker image update might be the reason.

https://hub.docker.com/_/microsoft-dotnet-aspnet?tab=description

I will try with older docker images for .NET 7 asap.

EDIT: I am looking for ways to access the older version of the docker image from Microsoft. However, I am not sure if it can be found. I'll keep looking.

[amcasey]

You may also want to try with an older version of VS if you recently updated. I can't recall whether the docker tools version with .net or with VS, but I would have guessed VS.

[amcasey]

I don't use any certificate for the asp.net server since I provide the SSL certificate from AWS for the backend domain. AWS takes all requests and redirects them to the backend server machine.

Wait, I didn't read this carefully enough. The issue is actually that the server shouldn't be using HTTPS at all for this connection? That would certainly explain why there's no cert. In that case, though, shouldn't you be navigating to http://localhost:8080/swagger, rather than https://localhost:8080/swagger?

Edit: I had to (a) comment out app.UseHttpsRedirection() and (b) navigate to http://localhost:8080/weatherforecast (the template only enable swagger in development), but it does work in 8.0 without any VS magic - just building and running the docker image.
Edit 2: I figured this out by setting "Microsoft.AspNetCore": "Trace" in appsettings.json.

[cropyai]

Yeah, actually it works. I thought I tried that before by closing https redirection. I guess I didn't. Accessing the HTTP URL worked well. Let me check the actual server side quickly.

[davidortinau]

@cropyai I can answer your questions about .NET MAUI and get you assistance with the issues impacting your development. So we don't jam of this issue with the conversation, send me an email and we can connect once the conferences are done next week. david.ortinau@microsoft.com

[cropyai]

@davidortinau Hi David, thank you very much for contacting us. Until this time, we encountered many issues for which we managed to find workarounds later on. After upgrading to .NET 8, we got two new issues. We would be glad of the support provided. I will send you an email with the confirmed company mail that ends with @cropy.ai . Have a nice day / evening!

[cropyai]

@amcasey I was able to successfully run my backend server in a docker container on my local computer without any problem. For the ubuntu machine that we have, I tried to run the same image on that machine. However, it didn't work at the beginning. I tried with a different machine and "somehow" it worked on the new machine even though both machines had the same security groups and settings. Now, we changed the machine to the new one on which the docker image worked well. Now, it seems there is no issue on my side. I don't know why it didn't work in the previous machine, but anyways. Thanks for the effort and helping me!

I guess this was a change from .NET 7 to .NET 8 or new docker images of aspnet, either way, we weren't aware of the new behavior. Thank you again!

[cropyai]

@davidortinau Our emails sometimes go to the spam folder. I have sent you an email from info@cropy.ai . Thank you for the support offer!