azure-cosmos-db-emulator-docker
_explorer/emulator.pem can't provide a secure connection
Describe the bug
Using the cosmosEmulatorVnextPreview linux container image, calling _explorer/emulator.pem returns an error.
To Reproduce
- Start Cosmos emulator docker container.
- Navigate to https://localhost:8081/_explorer/emulator.pem.
- See error: "This site can't provide a secure connection. localhost sent an invalid response. ERR_SSL_PROTOCOL_ERROR.".
Expected behavior
Response should contain the certificate to use for SSL connections to the Cosmos instance.
Desktop (please complete the following information):
- OS: Mac OS 14.6.1
- Browser: Chrome
- Version: 131.0.6778.70
Docker Images Used:
- Linux (cosmosEmulatorVnextPreview)
Docker Environment
- Docker Desktop 4.35.1
- Docker compose:
  name: Cosmos Emulator
  services:
    azure-cosmos-emulator:
      ports:
        - 8081:8081
        - 1234:1234
      image: mcr.microsoft.com/cosmosdb/linux/azure-cosmos-emulator:vnext-preview
      command: --protocol https
If I disable https and rerun the container I get this error back from the URL:
{"code":"InternalServerError","message":"System.NullReferenceException: Object reference not set to an instance of an object.\n at Microsoft.Azure.Cosmos.Postgres.Core.Interop.SqlMessageFormatter.IsRootPath(SqlRequest request) in /tmp/gateway/Cosmos.Postgres.Core/Interop/SqlMessageFormatter.cs:line 767\n at Microsoft.Azure.Cosmos.Postgres.Core.Interop.SqlMessageFormatter.FormatRequest(KestrelHttpRequestContext transportRequestContext) in /tmp/gateway/Cosmos.Postgres.Core/Interop/SqlMessageFormatter.cs:line 117\n at Microsoft.Azure.Cosmos.Postgres.Core.Interop.SqlRequestPipeline.ProcessRequestAsync(KestrelHttpRequestContext transportRequest) in /tmp/gateway/Cosmos.Postgres.Core/Interop/SqlRequestPipeline.cs:line 46"}
To get the certificates please refer to my comment in https://github.com/Azure/azure-cosmos-db-emulator-docker/issues/121
We will investigate the internal server error.
@xgerman actually accessing the certificate via the https://localhost:8081/_explorer/emulator.pem endpoint is pretty convenient. It is the approach used by the Testcontainers Azure module, which dynamically handles the fact that a new certificate is generated every time a new CosmosDB container starts. Is it possible for this feature to be added, please?
We will add this functionality.
curl --insecure https://localhost:8081/_explorer/emulator.pem > ~/emulatorcert.crt
Gives me atm a:
curl: (35) error:0A00010B:SSL routines::wrong version number
I've SSL/wrong version number errors as well when trying to access the azure emulator using the vs code plugin. Is that issue related?
@mkrueger we currently don't support that endpoint. Let me check with the VSCode team what is going on over there.
@xgerman Any progress or proper documentation/sample when working with azure emulator image in docker compose?
If I generate self-signed certs trusted in mac, how would I be able to mount it to db container for consumption of dotnet/python/nodejs sdk?
The following steps worked for me.
Run the following - openssl s_client -connect localhost:10003 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/emulator.crt
Importing CA cert into MacOS keychain - sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/emulator.crt
Mine is a .net app so I had to set up my cosmos client for local development as below. This set up works for me.
CosmosClientOptions cosmosLocalClientOptions = new()
{
    HttpClientFactory = () =>
    {
        HttpMessageHandler handler = new HttpClientHandler()
        {
            // Returns true for every certificate, so server certificate validation is skipped.
            ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => true
        };
        return new HttpClient(handler);
    },
    SerializerOptions = new CosmosSerializationOptions()
    {
        PropertyNamingPolicy = CosmosPropertyNamingPolicy.CamelCase,
    },
    // Gateway mode, limited to the endpoint in the connection string.
    ConnectionMode = ConnectionMode.Gateway,
    LimitToEndpoint = true
};
return new CosmosClient(configuration["db-connection-string"], cosmosLocalClientOptions);
Alternatively you could append the following to the default conn string to get around the cert install and set up.
;DisableServerCertificateValidation=True;
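A stricter variant of the client setup in the comment above, as an added example that is not part of the original thread or the emulator project: instead of accepting every certificate, the callback accepts only the certificate that the openssl command exported to ~/emulator.crt. The class name `EmulatorCosmosClient` and the `pemPath` parameter are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Azure.Cosmos;

// Hypothetical helper (not part of the Cosmos SDK) for local emulator use.
public static class EmulatorCosmosClient
{
    // pemPath: the PEM file written by the openssl s_client step, e.g. ~/emulator.crt.
    public static CosmosClient Create(string connectionString, string pemPath)
    {
        // Load the pin at startup. Per the thread, the emulator generates a new
        // certificate whenever a new container starts, so the file must be re-exported then.
        using X509Certificate2 pinned = X509Certificate2.CreateFromPem(File.ReadAllText(pemPath));
        byte[] pinnedHash = pinned.GetCertHash(HashAlgorithmName.SHA256);

        CosmosClientOptions options = new()
        {
            HttpClientFactory = () =>
            {
                HttpClientHandler handler = new()
                {
                    ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
                    {
                        // A certificate that passes normal validation needs no pin.
                        if (errors == SslPolicyErrors.None) return true;

                        // Otherwise accept only the exact certificate that was exported;
                        // any other self-signed or mismatched certificate is rejected.
                        return cert is not null &&
                            CryptographicOperations.FixedTimeEquals(
                                cert.GetCertHash(HashAlgorithmName.SHA256), pinnedHash);
                    }
                };
                return new HttpClient(handler);
            },
            ConnectionMode = ConnectionMode.Gateway,
            LimitToEndpoint = true
        };
        return new CosmosClient(connectionString, options);
    }
}
```

With this in place the keychain import step is not needed for the .NET client, and a connection to anything other than the exported emulator certificate fails the TLS handshake.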