Timeout when calling ASP.NET Core app on Kestrel in Docker on Ubuntu Linux with SSL

I am having trouble getting a simple ASP.NET Core Hello World app working in Docker on Ubuntu 20.04 using SSL. Here are the setup details:

• Development environment is Visual Studio 2022 on Windows 10.
• Framework is ASP.NET Core running on .NET 6.
• I am using the vanilla hello world app that gets created when creating a new ASP.NET
  Core project in VS. I have changed nothing except add a Dockerfile to the application.
• Target run environment is a Kestrel server running inside of a Linux Docker container which itself is running on Ubuntu 20.04.
• I am trying to access the application using Firefox on the Ubuntu machine.

(The reasoning behind this funky setup is that we have a customer who wants to host our app inside a Docker container on their Ubuntu box. However our legacy codebase and team's skillset predicates that we develop in .NET on Windows. Hence I am just trying to get a POC working to investigate how to run an ASP.NET Core app in Docker on Ubuntu.)

The Dockerfile that I am using is just the unmodified version that Visual Studio created for me when I tell it to add Docker support:

FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
EXPOSE 80
EXPOSE 443

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
COPY ["AspNetSsl/AspNetSsl.csproj", "AspNetSsl/"]
RUN dotnet restore "AspNetSsl/AspNetSsl.csproj"
COPY . .
WORKDIR "/src/AspNetSsl"
RUN dotnet build "AspNetSsl.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "AspNetSsl.csproj" -c Release -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "AspNetSsl.dll"]

Here is the launchsettings.json for the project:

{
  "profiles": {
    "AspNetSsl": {
      "commandName": "Project",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "dotnetRunMessages": true,
      "applicationUrl": "https://localhost:7033;http://localhost:5041"
    },
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "Docker": {
      "commandName": "Docker",
      "launchBrowser": true,
      "launchUrl": "{Scheme}://{ServiceHost}:{ServicePort}",
      "publishAllPorts": true,
      "useSSL": true
    }
  },
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:34953",
      "sslPort": 44378
    }
  }
}

And the appsettings.json:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}

And the Program.cs (again, this is just the default, unmodified template):

namespace AspNetSsl
{
    public class Program
    {
        public static void Main(string[] args)
        {
            var builder = WebApplication.CreateBuilder(args);

            // Add services to the container.
            builder.Services.AddRazorPages();

            var app = builder.Build();

            // Configure the HTTP request pipeline.
            if (!app.Environment.IsDevelopment())
            {
                app.UseExceptionHandler("/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseStaticFiles();

            app.UseRouting();

            app.UseAuthorization();

            app.MapRazorPages();

            app.Run();
        }
    }
}

This is the process I go through to build and deploy and run the Docker image/container:

On my Windows development machine:

1. Open Powershell, navigate to the solution folder (where the Dockerfile lives) and run this command:

docker build -t aspnetssl .

2. Still in Powershell, export the image from docker to a tar file using this command:

docker save -o aspnetssl.tar aspnetssl

3. Copy the .tar file to the folder shared with my Ubuntu VM (called VMShared).

On my Ubuntu 20.04 Virtual Machine

First I need to create a self-signed certificate so that the app can use SSL. I referenced this blog post for these steps:

4. Create an https.config file in my home directory with the following content:

[ req ]
default_bits       = 2048
default_md         = sha256
default_keyfile    = key.pem
prompt             = no
encrypt_key        = no

distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions    = v3_req

[ req_distinguished_name ]
commonName             = "localhost"

[ v3_req ]
subjectAltName      = DNS:localhost
basicConstraints    = critical, CA:false
keyUsage            = critical, keyEncipherment
extendedKeyUsage    = critical, 1.3.6.1.5.5.7.3.1

5. Run the following command to generate a private key and certificate signing request:

openssl req -config https.config -new -out csr.pem

6. Run the following command to create a self-signed certificate:

openssl x509 -req -days 365 -extfile https.config -extensions v3_req -in csr.pem -signkey key.pem -out https.crt

7. Run the following command to generate a pfx file that can be used with Kestrel:

openssl pkcs12 -export -out https.pfx -inkey key.pem -in https.crt -password pass:password

8. Copy the https.pfx to my shared folder at /mnt/hgfs/VMShared/https to make it accessible to the Kestrel server (it could go anywhere as long as it can be passed to Docker via a volume mount)

Now I need to trust the certificate:

9. Copy https.crt to /usr/local/share/ca-certificates/ and run the sudo update-ca-certificates command, which gives an output that indicates 1 certificate was added.

10. Add the cert to Firefox's trusted certificate store:

• Find the Firefox default profile

• Add the cert to Firefox's cert store for that profile:

sudo certutil -A -n "https" -t "TC,," -i ~/https.crt -d sql:/home/u/.mozilla/firefox/ayi0vczl.default-release

• Verify that it was put into that store:

sudo certutil -d sql:/home/u/.mozilla/firefox/ayi0vczl.default-release -L

which shows this output:

Finally I'm ready to run the docker image:

11. Load the docker image into docker:

sudo docker load -i /mnt/hgfs/VMShared/aspnetssl.tar

12. Run the docker image by running the following command (packaged inside of a script file):

docker run --rm \
-p 5000:80 \
-p 5001:443 \
-v /mnt/hgfs/VMShared/https:/https/ \
-e ASPNETCORE_Kestrel__Certificates__Default__Password="password" \
-e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/https.pfx \
-e ASPNETCORE_URLS="https://+:443;http://+:80" \
-e ASPNETCORE_ENVIRONMENT=Docker \
aspnetssl:latest

When the container lauches, I see this in the terminal window:

warn: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
      Storing keys in a directory '/root/.aspnet/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
      No XML encryptor configured. Key {3ad53391-8a83-486b-9c15-f783ffe52d87} may be persisted to storage in unencrypted form.
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: https://[::]:443
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://[::]:80
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Docker
info: Microsoft.Hosting.Lifetime[0]
      Content root path: /app/

No explicit errors, and the warnings look okay to me, so it seems to be running fine. However when I try to navigate to it in Firefox, either to http://localhost:5000 or https://localhost:5001, it just hangs and I eventually get a timeout error.

My current working theory is that something is wrong with my SSL setup, like Firefox is not able to access the certificate or something. It's difficult to diagnose because I'm not very experienced with SSL and web technologies and I'm not sure what errors or logs I should be looking at. However there are a few possible failure points that I can think of:

• The self-signed certificate was not generated properly.
• The cert was not trusted on the Ubuntu VM properly.
  • I also tried adding the https.crt file to the /etc/ssl/certs and /etc/ca-certificates folders, but that didn't seem to work.
• Firefox does not have access to the cert or cannot trust it for some reason.
• The Kestrel server is not correctly giving the cert to Firefox.

I'm not sure if any of these make sense, but my gut feeling is that the breakage has something to do with SSL since I was able to get a version of this Hello World app to work over just http by removing some lines from Program.cs as well as setting "useSSL":false in my launchsettings.json file.

Does anyone have any insight on why Firefox is timing out when trying to ping the ASP.NET app? I appreciate any help that is given.

So figured out that my problem is not with anything in the setup described but with suspending/pausing the virtual machine and then resuming. (I'm using VMWare Workstation 17 Pro, version 17.0.0. Also I'm using a bridged network connection with "Replicate physical network connection state" checked.)

When I start up a VM from powered off, then the above setup works and I am able to access my Hello World application. If I suspend the VM and then resume it, I start having the timeout issue described. If I restart the VM, then the issue goes away. I would like to know why this is happening, but that is an entirely different question.