Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/ssl/3.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
docker中的ASP.net核心gRPC服务使用错误的ssl证书答复_Docker_Ssl_Certificate_Grpc - Fatal编程技术网
Fatal编程技术网
  • docker/
  • docker中的ASP.net核心gRPC服务使用错误的ssl证书答复

docker中的ASP.net核心gRPC服务使用错误的ssl证书答复

docker ssl certificate

docker中的ASP.net核心gRPC服务使用错误的ssl证书答复,docker,ssl,certificate,grpc,Docker,Ssl,Certificate,Grpc,我创建了一个GRPCWebService(netcoreapp3.1),它托管在带有C#的docker容器中。它在本地运行良好。 我使用以下dockerfile进行docker构建: FROM mcr.microsoft.com/dotnet/core/aspnet:3.1 # USER ContainerAdministrator WORKDIR /app EXPOSE 443 WORKDIR /app COPY publish . ENTRYPOINT ["dotnet", "MySer

我创建了一个GRPCWebService(netcoreapp3.1),它托管在带有C#的docker容器中。它在本地运行良好。 我使用以下dockerfile进行docker构建:

FROM mcr.microsoft.com/dotnet/core/aspnet:3.1
# USER ContainerAdministrator
WORKDIR /app
EXPOSE 443

WORKDIR /app
COPY publish .

ENTRYPOINT ["dotnet", "MyService.dll"]
在Ubuntu 20.4机器上,我通过

docker run --rm -it -p 32555:443 -e ASPNETCORE_URLS="https://+" -e ASPNETCORE_HTTPS_PORT=443 -e ASPNETCORE_Kestrel__Certificates__Default__Password=secretpassword -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/ourdomain.de.pfx  -v /home/user/.aspnet/https:/https/ myservice
这将产生以下输出

info: Microsoft.Hosting.Lifetime[0]
      Now listening on: https://[::]:443
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
      Content root path: /app

Method: POST, RequestUri: 'https://computername.ourdomain.de:32555/mysvc.TextService/CreateText',
    Version: 2.0, Content: Grpc.Net.Client.Internal.PushUnaryContent`2[MyService.CreateTextRequest,MyService.CraeteTextReply],
 Headers: 
 { 
   User-Agent:    grpc-dotnet/2.29.0.0 
   TE: trailers 
   grpc-accept-encoding: identity,gzip 
   Transfer-Encoding: chunked 
   Content-Type: application/grpc 
 } 
 X509Certificate2:
 [Subject] 
   CN=localhost 
 [Issuer] 
   CN=localhost 
 [Serial Number]
   00F059E1CA7B219BF3 
 [Not Before]
   09.06.2020 07:29:50 
 [Not After]
   09.06.2021 07:29:50 
 [Thumbprint]
   E272ACFB1C55B28A6ED08A0AFD2F7D97801447AF 
X509Chain: 
System.Security.Cryptography.X509Certificates.X509Chain 
SslPolicyErrors: 
RemoteCertificateNameMismatch, RemoteCertificateChainErrors
ourdomain.de.pfx是由我的管理员为我们的域创建的。 如果我从客户端调用服务,我会得到一个execption

使用SSL证书检查调用“CreateGaebAsync”时出错: 状态(StatusCode=Internal,Detail=“启动gRPC调用时出错。 HttpRequestException:无法建立SSL连接,请参阅 内部异常。AuthenticationException:远程证书为 根据验证程序无效。”)

为了获得更多信息,我在GrpcChannel中添加了一个HttpClientHandler

    private GrpcChannel CreateGrpcChannelWithDangerousIgnoreSslCertificate()
            {
                var httpHandler = new HttpClientHandler();
                httpHandler.ServerCertificateCustomValidationCallback = DangerousServerCertificateCustomValidationCallback;
                var httpClient = new HttpClient(httpHandler);
                return GrpcChannel.ForAddress(serviceUri, new GrpcChannelOptions() { HttpClient = httpClient });
            }
    private bool DangerousServerCertificateCustomValidationCallback(HttpRequestMessage arg1, X509Certificate2 arg2, X509Chain arg3, SslPolicyErrors arg4)
        {
            Console.WriteLine(arg1);
            Console.WriteLine("X509Certificate2:");
            Console.WriteLine(arg2);
            Console.WriteLine("X509Chain:");
            Console.WriteLine(arg3);
            Console.WriteLine("SslPolicyErrors:");
            Console.WriteLine(arg4);
            // No check of Certificate is done so this will accept any response.
            // For production this has to be fixed by acceptiong only valid SSL certificates!!!
            return true;
        }
验证回调生成以下输出

info: Microsoft.Hosting.Lifetime[0]
      Now listening on: https://[::]:443
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
      Content root path: /app

Method: POST, RequestUri: 'https://computername.ourdomain.de:32555/mysvc.TextService/CreateText',
    Version: 2.0, Content: Grpc.Net.Client.Internal.PushUnaryContent`2[MyService.CreateTextRequest,MyService.CraeteTextReply],
 Headers: 
 { 
   User-Agent:    grpc-dotnet/2.29.0.0 
   TE: trailers 
   grpc-accept-encoding: identity,gzip 
   Transfer-Encoding: chunked 
   Content-Type: application/grpc 
 } 
 X509Certificate2:
 [Subject] 
   CN=localhost 
 [Issuer] 
   CN=localhost 
 [Serial Number]
   00F059E1CA7B219BF3 
 [Not Before]
   09.06.2020 07:29:50 
 [Not After]
   09.06.2021 07:29:50 
 [Thumbprint]
   E272ACFB1C55B28A6ED08A0AFD2F7D97801447AF 
X509Chain: 
System.Security.Cryptography.X509Certificates.X509Chain 
SslPolicyErrors: 
RemoteCertificateNameMismatch, RemoteCertificateChainErrors
我希望看到来自ourdomain.de.pfx的证书信息,但我得到的似乎暗示在ASPNETCORE_Kestrel__Certificates__Default__Path=/https/ourdomain.de.pfx上给出的证书被忽略了?! 我几乎没有证书方面的经验。。。 如果使用错误的密码或pfx的错误名称启动容器,则会收到相应的错误消息。所以在我看来,Web服务应该使用正确的。 因为我不确定是否必须在容器(443)内设置端口或主机的映射端口(32555),所以我更改了

 ASPNETCORE_HTTPS_PORT=443

运行docker容器时未成功。
你能解释一下我遗漏了什么吗?

除了你自己,不要相信任何人

我从原始文件在ubuntu主机上重新生成了pfx,SSL连接按预期工作

sudo openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt
在我的示例中,ASPNETCORE_HTTPS_端口必须是32555。这是主机上重定向到容器端口443的端口。