Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add host.docker.internal and host.containers.internal to the dev cert SAN #61155

Open
benjaminpetit opened this issue Mar 25, 2025 · 1 comment
Open

Add host.docker.internal and host.containers.internal to the dev cert SAN #61155

benjaminpetit opened this issue Mar 25, 2025 · 1 comment
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions design-proposal This issue represents a design proposal for a different issue, linked in the description

Comments

@benjaminpetit
Copy link
Member

Summary

Currently the dev certificate is only valid for localhost. When running in a container, an app tryting to access the host will try to do it via host.docker.internal or host.containers.internal.

Motivation and goals

Since the dev cert isn't valid for host.docker.internal or host.containers.internal, TLS validation will fail, even if the certificate is trusted.

In scope

  1. Add host.docker.internal and host.containers.internal as SAN in the dev certificate generated by the dev-certs tool
  2. Add an option to produce an easy to parse output, for external tools (a json output is probably the best)

Out of scope

When container are linked or are aprt of the same network, they can be joined via their name, like https://myservice. We will not support such scenarios.

Risks / unknowns

We need to raise the version number of the certificate (currently version 2) so that newer version of the tool can create the cert with these additional SAN. However, Kestrel should still
consider version 2 certificate as valid, to avoid any issue when the user update the runtime before updating the SDK.

Examples

Example of "parsable output":

dotnet dev-certs https -c --parsable
[
  {
    "Thumbprint": "7FFF3291425E30CFCA0671AE5EB891BB62DD13A9",
    "Subject": "CN=localhost",
    "X509SubjectAlternativeNameExtension": [
      "localhost",
      "host.docker.internal",
      "host.containers.internal"
    ],
    "Version": 3,
    "ValidityNotBefore": "2025-03-19T20:53:48+01:00",
    "ValidityNotAfter": "2026-03-19T20:53:48+01:00",
    "IsHttpsDevelopmentCertificate": "true",
    "IsExportable": "true"
  }
]
@benjaminpetit benjaminpetit added the design-proposal This issue represents a design proposal for a different issue, linked in the description label Mar 25, 2025
@dotnet-issue-labeler dotnet-issue-labeler bot added the area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions label Mar 25, 2025
@blowdart
Copy link
Contributor

Isn't this essentially your own #60369 issue? :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions design-proposal This issue represents a design proposal for a different issue, linked in the description
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@blowdart @benjaminpetit