我总是在客户端 WebApp 上收到以下错误(作为单独的 Linux docker 映像端口 4443 运行):
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://host.docker.internal:8443/.well-known/openid-configuration'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://host.docker.internal:8443/.well-known/openid-configuration'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
它连接到我的 IdentityServer4(作为单独的 Linux docker 映像端口 4444 运行)。 在 IS4 Startup.cs 中,我创建了以下代码的证书:
...
var idpUri = configuration["AppConfig:IdentityProviderUrl"];
var dnsName = new Uri(idpUri).DnsSafeHost;
var cert = new X509Certificate2(Path.GetFullPath(Path.Combine(Directory.GetCurrentDirectory(),"certificate.pfx")));
var builder = services.AddIdentityServer(options => {
options.IssuerUri = idpUri;
}).AddSigningCredential(cert); //A self-signed PFX certificate located in the root of the IS4 and also copied in de client app used for Kestrel cert.
...
在我的客户端WebApp中,我插入以下代码来设置权限:
string identityProviderUrl = Configuration.GetValue<string>("AppConfig:IdentityProviderUrl");
services.AddHttpClient(AUTHORIZATION_SERVICE_CLIENT_NAME, client => {
client.BaseAddress = new Uri(identityProviderUrl);
client.DefaultRequestHeaders.Clear();
client.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
});
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options => { //NOTE: I don't know if this is needed
options.Authority = identityProviderUrl;
options.TokenValidationParameters = new TokenValidationParameters {
ValidateAudience = false
};
});
services.AddAuthentication(options => {
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}).AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options => {
options.Authority = identityProviderUrl;
options.ClientId = oidcClientId;
options.ClientSecret = oidcClientSecret;
...
});
我认为我正在创建的证书存在问题,该证书不在两个 docker 映像上。但是 Docker 容器都使用 HTTPS 运行,否则根本无法启动。我在这里缺少什么?
让我们按照下面评论中的建议通过 LetsEncrypt 来完成此操作。 我下载并运行这个项目(src:https://github.com/PKISharp/ACMESharpCore/tree/master/src/examples/ACMECLI) 设置以下属性:
public string CaName { get; } = Constants.LetsEncryptStagingName;
public IEnumerable<string> Email { get; } = new string[] { "[email protected]" };
public bool AcceptTos { get; } = true;
public IEnumerable<string> Dns { get; } = new string[] { "xxx.duckdns.org" };
public (bool enabled, int? timeout) WaitForAuthz { get; } = (true, 300);
public bool Finalize { get; } = true;
public string ExportPfx { get; } = @"c:\tmp\certificate.pfx";
public string ExportPfxPassword { get; } = " ";
但它仍然悬而未决,已经几天了。什么时候有效我不知道。
您无法拥有 HTTPS 自签名证书,而是获取真实证书,或者必须将证书添加到客户端信任的证书存储中。
问题在于客户端不信任在尝试建立安全通道时收到的证书。
在内部正确使用 HTTPS 是容器之间的最佳实践。
要在 ASP.NET Core 中支持 HTTPS,请参阅这篇文章:
今天我也很受欢迎以LetsEncrypt形式获取您的证书。使用它们可以让您自动创建证书。