C#: How to connect a Grpc (NuGet > 2.33) client (.NET Framework) to a Grpc.Asp.NetCore (NuGet > 2.31) server (.NET 5.0) using HTTPS and my own certificate?
c#, .net, grpc, .net-5, .net-framework-4.8

Exception message:
Grpc.Core.RpcException: 'Status(StatusCode="Unavailable", Detail="failed to connect to all addresses", DebugException="Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1606657072.668000000","description":"Failed to pick subchannel","file":"T:\src\github\grpc\workspace_csharp_ext_windows_x86\src\core\ext\filters\client_channel\client_channel.cc","file_line":4166,"referenced_errors":[{"created":"@1606657072.668000000","description":"failed to connect to all addresses","file":"T:\src\github\grpc\workspace_csharp_ext_windows_x86\src\core\ext\filters\client_channel\lb_policy\pick_first\pick_first.cc","file_line":398,"grpc_status":14}]}")'

I have created one that you can easily tweak and play with, and you can answer this question if you manage to solve the problem.
I found that the problem is with my own certificate. I have not been able to create my own certificate, and I have tried many combinations.
I generated my certificate using this example: and tested it with this example:

The problem was with the certificate and its CN=. CN=%COMPUTERNAME% must be the server's DNS name or IP; in my case it had to be localhost, and the server needs a certificate with its key (pfx).
The main problem is that it throws an exception without any relevant explanation.
Client:
//THIS IS YOUR CLIENT'S CERTIFICATE AND ITS KEY
var keyCertPair = new KeyCertificatePair(File.ReadAllText($"{rootDir}/samplecert.pem.txt"), File.ReadAllText($"{rootDir}/samplecert.key.txt"));
//GetRootCertificates() GETS THE CA CERTIFICATE, NOT THE CLIENT CERTIFICATE NOR SERVER CERTIFICATE
var channelCreds = new SslCredentials(GetRootCertificates(), keyCertPair);
//YOU DON'T EVEN NEED TO PROVIDE KeyCertificatePair, IT WORKS WITH JUST A CA ROOT (USE THIS LINE INSTEAD OF THE ONE ABOVE):
//var channelCreds = new SslCredentials(GetRootCertificates());
Server:
//REQUIRES: using System.Security.Authentication; using Microsoft.AspNetCore.Server.Kestrel.Https;
//LoadSSLCertificate() GETS THE SERVER CERTIFICATE
var sslCertificate = LoadSSLCertificate();
o.ListenAnyIP(5001, listenOptions =>
{
    listenOptions.UseHttps(sslCertificate, httpsOptions =>
    {
        httpsOptions.SslProtocols = SslProtocols.Tls12;
        //NoCertificate: KESTREL DOES NOT REQUEST A CLIENT CERTIFICATE, SO THE CALLBACK BELOW IS NOT INVOKED
        httpsOptions.ClientCertificateMode = ClientCertificateMode.NoCertificate;
        httpsOptions.ClientCertificateValidation = (certificate, chain, errors) =>
        {
            return true;
            //return certificate.Thumbprint.Equals(_clientThumbprint, StringComparison.OrdinalIgnoreCase);
        };
    });
});
Certificate creation:
@echo off
REM set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg
echo Generate CA key:
openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
echo Generate CA certificate:
openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=US/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=MyRootCA"
echo Generate server key:
openssl genrsa -passout pass:1111 -des3 -out server.key 4096
echo Generate server signing request:
openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/C=US/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=%COMPUTERNAME%"
echo Self-sign server certificate:
openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
echo Remove passphrase from server key:
openssl rsa -passin pass:1111 -in server.key -out server.key
echo Generate client key
openssl genrsa -passout pass:1111 -des3 -out client.key 4096
echo Generate client signing request:
openssl req -passin pass:1111 -new -key client.key -out client.csr -subj "/C=US/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=%CLIENT-COMPUTERNAME%"
echo Self-sign client certificate:
openssl x509 -passin pass:1111 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
echo Remove passphrase from client key:
openssl rsa -passin pass:1111 -in client.key -out client.key
echo Create server.pfx file:
openssl pkcs12 -export -passout pass:1111 -out server.pfx -inkey server.key -in server.crt
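
A preflight check for the mismatch the answer describes, as an added example that is not part of the original answer: it compares the server certificate's name with the host the client will dial and verifies that the certificate chains to the private CA, so the cause is reported before the channel returns a bare `Unavailable`. The file names `server.crt` and `ca.crt` follow the script above; the class name `CertPreflight`, the host `localhost`, and the exact-match comparison (first SAN DNS entry or the CN, no wildcard handling) are assumptions of this example.

```csharp
// Added example, not code from the original post. CertPreflight is a hypothetical helper.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class CertPreflight
{
    // Returns human-readable problems; an empty list means no problem was found.
    public static List<string> Check(string serverCertPath, string caCertPath, string targetHost)
    {
        var problems = new List<string>();
        var server = new X509Certificate2(serverCertPath);
        var ca = new X509Certificate2(caCertPath);

        // DnsName yields the first DNS entry of the SAN extension, otherwise the subject CN.
        string name = server.GetNameInfo(X509NameType.DnsName, false);
        if (!string.Equals(name, targetHost, StringComparison.OrdinalIgnoreCase))
            problems.Add($"Certificate name '{name}' does not match target host '{targetHost}'.");

        if (DateTime.Now < server.NotBefore || DateTime.Now > server.NotAfter)
            problems.Add($"Certificate is valid only from {server.NotBefore:u} to {server.NotAfter:u}.");

        // Build the chain against the private CA without installing it in a machine store.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.Add(ca);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            bool built = chain.Build(server);
            var root = chain.ChainElements.Cast<X509ChainElement>().LastOrDefault();
            // AllowUnknownCertificateAuthority accepts any root, so pin the root to our CA.
            if (!built || root == null || root.Certificate.Thumbprint != ca.Thumbprint)
                problems.Add("Certificate does not chain to the supplied CA: "
                    + string.Join(", ", chain.ChainStatus.Select(s => s.Status)));
        }
        return problems;
    }

    public static void Main()
    {
        // Constructed inputs: the files produced by the script above and the host the client dials.
        foreach (var problem in Check("server.crt", "ca.crt", "localhost"))
            Console.WriteLine(problem);
    }
}
```

With a certificate issued for `CN=%COMPUTERNAME%` and a client that dials `localhost`, the first check reports the name mismatch that the gRPC exception does not explain.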
Does this answer your question?

No, it has no answer that applies to this case.

Do you intend to use client authentication (mTLS)? (Your question title mentions only one certificate.)

For starters, I need any solution that uses HTTPS, the simplest one first, and then I will build on that. I need this example to work successfully with HTTPS. My goal is for an application to have a secret that lets it connect to my service. I don't want user intervention in working out this secret, because it needs to work before any user intervention and on any PC, without anything having to be installed on that device beforehand, and I also want to be able to use my own certificate, not trusted by a CA, which I don't need. This is a software update service, a software update solution similar to ClickOnce…