Azure HTTPS不适用于Kestrel 3.2.187/ASPNET Core 2.1.5,该版本在具有自定义域的服务结构上运行
我们正在远程开发集群上运行一个服务结构应用程序。它由几个有状态和无状态的服务组成,并由运行在Kestrel上的几个前端API提供支持 到目前为止,由于Kestrel未用于生产,因此它被配置为使用自签名证书,该证书也用于反向代理和群集本身,该服务直接在Azure提供的默认域上运行,Azure HTTPS不适用于Kestrel 3.2.187/ASPNET Core 2.1.5,该版本在具有自定义域的服务结构上运行,azure,ssl,asp.net-core,azure-service-fabric,kestrel-http-server,Azure,Ssl,Asp.net Core,Azure Service Fabric,Kestrel Http Server,我们正在远程开发集群上运行一个服务结构应用程序。它由几个有状态和无状态的服务组成,并由运行在Kestrel上的几个前端API提供支持 到目前为止,由于Kestrel未用于生产,因此它被配置为使用自签名证书,该证书也用于反向代理和群集本身,该服务直接在Azure提供的默认域上运行,.cloudapp.Azure.com 我们现在已经到了开发阶段,自签名证书错误变得有问题,第三方回调拒绝连接,因此现在被认为是开始为其使用适当的域和证书的时候了 到目前为止,我已经做了以下工作: 为devcluste
.cloudapp.Azure.com- 为
->我们的服务公共IP添加了A记录devcluster.somexampledomain.com - 为
创建了通配符Azure应用程序证书*.someexampledomain.com - 已将证书导入Azure密钥库
- 将证书绑定到群集的Vault机密,将证书拉到
Cert:/LocalMachine/My/ - 修改应用程序配置以在初始化Kestrel时使用此证书,并验证在初始化时找到该证书。
- 已尝试使用和不使用
和UseHsts()usehttpseredirection() - Kestrel在选项对象上配置了
和Listen(IPAddress.IPv6Any,endpoint.Port,…)UseHttps(X509Certificate2)
与默认Url一起使用,默认Url为UseUrls(string)
,但尝试手动添加https://+:
,甚至实际主机名本身https://*:
- 已尝试使用和不使用
openssl s_客户端-connect devcluster.someexampledomain.com:-prexit---
no peer certificate available
---
No client certificate CA names sent
---
Fiddler.network.https>https握手失败而结束。System.IO.IOException身份验证失败,因为远程方已关闭传输流。
有人知道如何在红隼一侧添加日志吗?我不认为在运行我的集群的Azure虚拟机上安装Fiddler是一个可行的解决方案。在深入研究Kestrel源代码后,我发现它记录在
“Microsoft AspNetCore Server Kestrel”“Microsoft Extensions Logging”System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED secureCredential)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint, Byte[] clientHello)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnection.ApplyConnectionAdaptersAsync()
<Principals>
<Users>
<User Name="NETWORK SERVICE" AccountType="NetworkService" />
</Users>
</Principals>
<Policies>
<SecurityAccessPolicies>
<SecurityAccessPolicy ResourceRef="HttpsCert2" PrincipalRef="NETWORK SERVICE" ResourceType="Certificate" />
</SecurityAccessPolicies>
</Policies>
<Certificates>
<SecretsCertificate X509FindValue="[HttpsCertThumbprint]" Name="HttpsCert" />
</Certificates>
SecurityAccessPolicyResourceRefSecretsCertificateSecretsCertificateEndpointCertificateEndpointBindingPolicyEndpointCertificateSecretsCertificateEndpointCertificate