docker中的ASP.net核心gRPC服务使用错误的ssl证书答复
我创建了一个GRPCWebService(netcoreapp3.1),它托管在带有C#的docker容器中。它在本地运行良好。 我使用以下dockerfile进行docker构建:docker中的ASP.net核心gRPC服务使用错误的ssl证书答复,docker,ssl,certificate,grpc,Docker,Ssl,Certificate,Grpc,我创建了一个GRPCWebService(netcoreapp3.1),它托管在带有C#的docker容器中。它在本地运行良好。 我使用以下dockerfile进行docker构建: FROM mcr.microsoft.com/dotnet/core/aspnet:3.1 # USER ContainerAdministrator WORKDIR /app EXPOSE 443 WORKDIR /app COPY publish . ENTRYPOINT ["dotnet", "MySer
FROM mcr.microsoft.com/dotnet/core/aspnet:3.1
# USER ContainerAdministrator
WORKDIR /app
EXPOSE 443
WORKDIR /app
COPY publish .
ENTRYPOINT ["dotnet", "MyService.dll"]
在Ubuntu 20.4机器上,我通过
docker run --rm -it -p 32555:443 -e ASPNETCORE_URLS="https://+" -e ASPNETCORE_HTTPS_PORT=443 -e ASPNETCORE_Kestrel__Certificates__Default__Password=secretpassword -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/ourdomain.de.pfx -v /home/user/.aspnet/https:/https/ myservice
这将产生以下输出
info: Microsoft.Hosting.Lifetime[0]
Now listening on: https://[::]:443
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
Content root path: /app
Method: POST, RequestUri: 'https://computername.ourdomain.de:32555/mysvc.TextService/CreateText',
Version: 2.0, Content: Grpc.Net.Client.Internal.PushUnaryContent`2[MyService.CreateTextRequest,MyService.CraeteTextReply],
Headers:
{
User-Agent: grpc-dotnet/2.29.0.0
TE: trailers
grpc-accept-encoding: identity,gzip
Transfer-Encoding: chunked
Content-Type: application/grpc
}
X509Certificate2:
[Subject]
CN=localhost
[Issuer]
CN=localhost
[Serial Number]
00F059E1CA7B219BF3
[Not Before]
09.06.2020 07:29:50
[Not After]
09.06.2021 07:29:50
[Thumbprint]
E272ACFB1C55B28A6ED08A0AFD2F7D97801447AF
X509Chain:
System.Security.Cryptography.X509Certificates.X509Chain
SslPolicyErrors:
RemoteCertificateNameMismatch, RemoteCertificateChainErrors
ourdomain.de.pfx是由我的管理员为我们的域创建的。
如果我从客户端调用服务,我会得到一个execption
使用SSL证书检查调用“CreateGaebAsync”时出错:
状态(StatusCode=Internal,Detail=“启动gRPC调用时出错。
HttpRequestException:无法建立SSL连接,请参阅
内部异常。AuthenticationException:远程证书为
根据验证程序无效。”)
为了获得更多信息,我在GrpcChannel中添加了一个HttpClientHandler
private GrpcChannel CreateGrpcChannelWithDangerousIgnoreSslCertificate()
{
var httpHandler = new HttpClientHandler();
httpHandler.ServerCertificateCustomValidationCallback = DangerousServerCertificateCustomValidationCallback;
var httpClient = new HttpClient(httpHandler);
return GrpcChannel.ForAddress(serviceUri, new GrpcChannelOptions() { HttpClient = httpClient });
}
private bool DangerousServerCertificateCustomValidationCallback(HttpRequestMessage arg1, X509Certificate2 arg2, X509Chain arg3, SslPolicyErrors arg4)
{
Console.WriteLine(arg1);
Console.WriteLine("X509Certificate2:");
Console.WriteLine(arg2);
Console.WriteLine("X509Chain:");
Console.WriteLine(arg3);
Console.WriteLine("SslPolicyErrors:");
Console.WriteLine(arg4);
// No check of Certificate is done so this will accept any response.
// For production this has to be fixed by acceptiong only valid SSL certificates!!!
return true;
}
验证回调生成以下输出
info: Microsoft.Hosting.Lifetime[0]
Now listening on: https://[::]:443
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
Content root path: /app
Method: POST, RequestUri: 'https://computername.ourdomain.de:32555/mysvc.TextService/CreateText',
Version: 2.0, Content: Grpc.Net.Client.Internal.PushUnaryContent`2[MyService.CreateTextRequest,MyService.CraeteTextReply],
Headers:
{
User-Agent: grpc-dotnet/2.29.0.0
TE: trailers
grpc-accept-encoding: identity,gzip
Transfer-Encoding: chunked
Content-Type: application/grpc
}
X509Certificate2:
[Subject]
CN=localhost
[Issuer]
CN=localhost
[Serial Number]
00F059E1CA7B219BF3
[Not Before]
09.06.2020 07:29:50
[Not After]
09.06.2021 07:29:50
[Thumbprint]
E272ACFB1C55B28A6ED08A0AFD2F7D97801447AF
X509Chain:
System.Security.Cryptography.X509Certificates.X509Chain
SslPolicyErrors:
RemoteCertificateNameMismatch, RemoteCertificateChainErrors
我希望看到来自ourdomain.de.pfx的证书信息,但我得到的似乎暗示在ASPNETCORE_Kestrel__Certificates__Default__Path=/https/ourdomain.de.pfx上给出的证书被忽略了?!
我几乎没有证书方面的经验。。。
如果使用错误的密码或pfx的错误名称启动容器,则会收到相应的错误消息。所以在我看来,Web服务应该使用正确的。
因为我不确定是否必须在容器(443)内设置端口或主机的映射端口(32555),所以我更改了
ASPNETCORE_HTTPS_PORT=443
借
运行docker容器时未成功。
你能解释一下我遗漏了什么吗?除了你自己,不要相信任何人 我从原始文件在ubuntu主机上重新生成了pfx,SSL连接按预期工作
sudo openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt
在我的示例中,ASPNETCORE_HTTPS_端口必须是32555。这是主机上重定向到容器端口443的端口。