I'm using Alpine Linux via Docker. I want to make an HTTPS connection to `host.docker.internal`. There is a service on the host machine that can be reached via `localhost:8443` on the host machine. I want to connect to this same service from the container. `--network host` will not work because within the container, `localhost` needs to refer to the container, not to the host machine.
The service running on the host machine on port 8443 is actually coming from an SSH tunnel to an EC2 container, to ultimately allow connection to an OpenSearch server in our AWS network that is listening on port 443.
This is what I have done in order to achieve this:
- Create a self-signed cert for `host.docker.internal` that specifies a subject alternative name:

  ```
  openssl req -newkey rsa:4096 \
    -x509 \
    -sha256 \
    -days 30650 \
    -nodes \
    -out docker-host.crt \
    -keyout docker-host.key \
    -subj "/C=US/ST=Nevada/L=Las Vegas/O=Company/OU=Engineering/CN=host.docker.internal" \
    -addext "subjectAltName=DNS:host.docker.internal"
  ```
- Copy this to `/usr/local/share/ca-certificates`: `cp docker-host.crt /usr/local/share/ca-certificates`
- Run `update-ca-certificates`
- Confirm the cert is recognized: `openssl verify -CApath /etc/ssl/certs docker-host.crt`
- Try to use curl to connect: `curl https://host.docker.internal:8443/`

I always get the error `curl: (60) SSL: no alternative certificate subject name matches target host name 'host.docker.internal'`
I tried creating a "bundle" certificate:

```
cat docker-host.pem cert.pem > bundle.pem
cp bundle.pem /usr/local/share/ca-certificates/docker-host.crt
```

`cert.pem` was created with `openssl s_client -showcerts -servername host.docker.internal -connect host.docker.internal:8443 > cert.pem`. I got this command from cURL's page on this issue.

`docker-host.pem` is created with `cat docker-host.key docker-host.crt > docker-host.pem`. I tried copying this .pem (renamed to .crt of course) to `/usr/local/share/ca-certificates/` but it makes no difference.
No matter what, I always get the same error. Surely I am misunderstanding something.
Please advise. Thank you.
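
Added example (not part of the original post): the steps above exercise two separate checks, whether a certificate chains to the trust store and whether it lists the requested host name. This sketch separates them with `openssl verify` and `openssl x509 -checkhost`; the function names are hypothetical, and the certificate for `opensearch.example.internal` is a constructed stand-in for whatever the tunnelled service presents, which the post does not show.

```shell
#!/bin/sh
# Trust and host-name matching are independent checks on the certificate
# that the SERVER presents. All names and files below are constructed.

# make_cert NAME PREFIX: self-signed cert whose only SAN is DNS:NAME
make_cert() {
    openssl req -newkey rsa:2048 -x509 -sha256 -days 30 -nodes \
        -out "$2.crt" -keyout "$2.key" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# is_trusted CERT CAFILE: succeeds if CERT chains to a cert in CAFILE
is_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# san_matches CERT HOST: succeeds only if HOST matches a name in CERT
san_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# diagnose CERT CAFILE HOST: print the first check the presented cert fails
diagnose() {
    is_trusted "$1" "$2" || { echo untrusted; return; }
    san_matches "$1" "$3" || { echo name-mismatch; return; }
    echo ok
}

demo() {
    dir=$(mktemp -d) || return 1
    # Cert generated in the container, as in the post
    make_cert host.docker.internal "$dir/local"
    # Assumption: the service behind the tunnel has a cert for its own name
    make_cert opensearch.example.internal "$dir/server"

    # Trust store holds only the locally generated cert
    diagnose "$dir/server.crt" "$dir/local.crt" host.docker.internal
    # Trusting the server's cert too does not change the names it lists
    cat "$dir/local.crt" "$dir/server.crt" > "$dir/bundle.crt"
    diagnose "$dir/server.crt" "$dir/bundle.crt" host.docker.internal
    # The same cert passes when requested under a name it does list
    diagnose "$dir/server.crt" "$dir/bundle.crt" opensearch.example.internal
    rm -rf "$dir"
}

demo
```

Against a live endpoint, the `openssl s_client -showcerts` output from the post can be piped into `openssl x509 -noout -checkhost host.docker.internal` to run the same name check on the certificate actually presented.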