Linux容器中具有.NET Core HttpClient的远程证书无效 我有letsencrypt(*.stg.foo.com)颁发的通配符证书 运行在Nginx后面的docker容器中的两个.NET核心应用程序正在侦听admin.stg.foo.com和srv.stg.foo.com
到目前为止,此设置似乎按预期工作。我可以通过浏览器访问我的容器,并且证书有效 如果我从一个容器运行curl到另一个容器,它将按预期工作Linux容器中具有.NET Core HttpClient的远程证书无效 我有letsencrypt(*.stg.foo.com)颁发的通配符证书 运行在Nginx后面的docker容器中的两个.NET核心应用程序正在侦听admin.stg.foo.com和srv.stg.foo.com,linux,docker,ssl,.net-core,Linux,Docker,Ssl,.net Core,到目前为止,此设置似乎按预期工作。我可以通过浏览器访问我的容器,并且证书有效 如果我从一个容器运行curl到另一个容器,它将按预期工作 curl https://admin.stg.foo.com/ -v ALPN, offering h2 ... ALPN, offering http/1.1 successfully set certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CAp
curl https://admin.stg.foo.com/ -v
ALPN, offering h2
...
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
ALPN, server accepted to use h2
Server certificate:
subject: CN=.stg.foo.com
start date: Jul 8 04:50:10 2020 GMT
expire date: Oct 6 04:50:10 2020 GMT
subjectAltName: host "admin.stg.foo.com" matched cert's "*.stg.foo.com"
issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
SSL certificate verify ok.
如果我尝试使用HttpClient从docker容器执行相同的请求,则证书验证将失败,原因是:
根据验证过程,远程证书无效:
Unhandled exception. System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
测试代码:
using (HttpClient client = new HttpClient())
{
var result = await client.GetAsync("https://admin.stg.foo.com/.well-known/openid-configuration");
Console.WriteLine(await result.Content.ReadAsStringAsync());
result.EnsureSuccessStatusCode();
}
在Windows计算机上运行的相同请求也可以工作
除了curl(/etc/ssl/certs)之外,.NET是否为证书使用另一个文件夹?
是否有更多日志用于调试.Net核心证书错误
设置:
.NET Core 3.1.5
Ubuntu 20.04 LTS
谢谢你的帮助
编辑:
using (HttpClient client = new HttpClient())
{
var result = await client.GetAsync("https://admin.stg.foo.com/.well-known/openid-configuration");
Console.WriteLine(await result.Content.ReadAsStringAsync());
result.EnsureSuccessStatusCode();
}
发现类似问题:能否附加完整的stacktrace,此错误看起来与此非常相似,