400 使用 Terraform 设置 mTLS 的 Azure 应用程序网关出现 SSL 证书错误400 SSL 证书错误

Question

我尝试使用 Azure 应用程序网关设置 mTLS。不幸的是我总是收到错误

<html>
<head><title>400 The SSL certificate error</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>Microsoft-Azure-Application-Gateway/v2</center>
</body>
</html>

在网关日志中，我可以看到连接尝试，但没有任何错误。 curl 或浏览器也不提供任何有用的日志。我还检查了

openssl verify -CAfile ca.pem client.pem

，证书签名是否与 CA 匹配（结果

OK

）。

我通过 Terraform 设置它：

根CA

resource "tls_private_key" "gateway_mtls_root_ca_private_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_self_signed_cert" "gateway_mtls_root_ca" {
  private_key_pem = tls_private_key.gateway_mtls_root_ca_private_key.private_key_pem

  subject {
    common_name  = "root-ca"
    organization = "test"
  }

  validity_period_hours = 24 * 90 # 3 months for testing phase
  is_ca_certificate     = true

  allowed_uses = [
    "cert_signing",
    "crl_signing",
    "digital_signature"
  ]
}

客户证书

resource "tls_private_key" "gateway_mtls_client_cert_private_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_cert_request" "gateway_mtls_client_cert_request" {
  private_key_pem = tls_private_key.gateway_mtls_client_cert_private_key.private_key_pem

  subject {
    common_name  = "client"
    organization = "test"
  }
}

resource "tls_locally_signed_cert" "gateway_mtls_client_cert" {
  cert_request_pem   = tls_cert_request.gateway_mtls_client_cert_request.cert_request_pem
  ca_private_key_pem = tls_private_key.gateway_mtls_root_ca_private_key.private_key_pem
  ca_cert_pem        = tls_self_signed_cert.gateway_mtls_root_ca.cert_pem

  validity_period_hours = 24 * 30 # 1 month for testing

  allowed_uses = [
    "client_auth",
    "key_encipherment",
    "digital_signature",
  ]
}

应用网关

resource "azurerm_application_gateway" "container_gateway" {
  name                = "test-gateway"
  location            = var.resource_group_region
  resource_group_name = var.resource_group_name

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.gateway_identity.id
    ]
  }

  gateway_ip_configuration {
    name      = local.gateway_ip_config_name
    subnet_id = var.gateway_subnet_ids[0]
  }

  backend_address_pool {
    name         = local.gateway_backend_pool_name
    ip_addresses = var.container_group_ip_addresses
  }

  backend_http_settings {
    name                  = local.gateway_backend_settings
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 20
  }

  frontend_ip_configuration {
    name                 = local.gateway_ip_config_name
    public_ip_address_id = azurerm_public_ip.container_pip.id
  }


  frontend_port {
    name = local.gateway_frontend_https_port_name
    port = 443
  }

  http_listener {
    name                           = local.gateway_https_listener_name
    frontend_ip_configuration_name = local.gateway_ip_config_name
    frontend_port_name             = local.gateway_frontend_https_port_name
    protocol                       = "Https"
    ssl_certificate_name           = local.gateway_ssl_certificate_name
    ssl_profile_name               = local.gateway_ssl_profile_name
  }

  request_routing_rule {
    name               = local.gateway_https_path_based_rules_name
    rule_type          = "PathBasedRouting"
    http_listener_name = local.gateway_https_listener_name
    url_path_map_name  = local.gateway_url_path_map_name

    priority = 1000
  }

  url_path_map {
    name                               = local.gateway_url_path_map_name
    default_backend_address_pool_name  = local.gateway_backend_pool_name
    default_backend_http_settings_name = local.gateway_backend_settings

    path_rule {
      name                       = "test"
      paths                      = ["/*"]
      backend_address_pool_name  = local.gateway_backend_pool_name
      backend_http_settings_name = local.gateway_backend_settings
    }
  }

  ssl_certificate {
    name                = local.gateway_ssl_certificate_name
    key_vault_secret_id = azurerm_key_vault_certificate.gateway_server_certificate.secret_id
  }

  ssl_policy {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20220101"
  }

  trusted_client_certificate {
    name = local.gateway_trusted_client_certificate_name
    data = tls_self_signed_cert.gateway_mtls_root_ca.cert_pem
  }

  ssl_profile {
    name                                 = local.gateway_ssl_profile_name
    trusted_client_certificate_names     = [local.gateway_trusted_client_certificate_name]
    verify_client_certificate_revocation = "OCSP"

    ssl_policy {
      policy_type = "Predefined"
      policy_name = "AppGwSslPolicy20220101"
    }
  }
}

您知道这个设置可能有什么问题吗？或者在哪里可以找到更多有用的日志来分析它？谢谢！