apache - 无法验证身份服务器 SSL 握手错误

Question

背景。我需要让我的站点通过 IdentityServer (IDS) 进行身份验证。 “example.com”

我正在使用 DotNetCore 构建我所有的站点使用 apache 将它们托管在代理服务器上让我们调用私有(private) ip 12.3.4.5。

它们应该如何工作。我去网站 example.com 我应该能够与 ids.exampe.com 交谈以获取身份验证信息，然后使用身份验证 token 重新路由回 example.com。相反，我收到 SSL 握手错误。见下文。

我特意寻求帮助让网站相互信任。

但是，如果我尝试通过直接转到 IDS 站点进行身份验证，没问题!!金的!正如您所看到的，只有当我尝试在站点之间进行通信时才会遇到此问题。

An unhandled exception occurred while processing the request.
OpenSslCryptographicException: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure
Unknown location

SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
Interop+OpenSsl.DoSslHandshake(SafeSslHandle context, byte[] recvBuf, int 
recvOffset, int recvCount, out byte[] sendBuf, out int sendCount)

AuthenticationException: Authentication failed, see inner exception.
System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken 
message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo 
exception)

HttpRequestException: The SSL connection could not be established, see 
inner exception.
System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream 
stream, SslClientAuthenticationOptions sslOptions, CancellationToken 
cancellationToken)

IOException: IDX20804: Unable to retrieve document from: 
'https://ids.example.com/.well-known/openid-


 configuration'.Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocu 
mentAsync(string address, CancellationToken cancel)

InvalidOperationException: IDX20803: Unable to obtain configuration from: 
'https://ids.example.com/.well-known/openid-configuration'.

Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsyn c(CancellationToken取消)

httpd.conf::

# 服务器根“/etc/httpd” LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:*>
  RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
</VirtualHost>


<VirtualHost *:443>
 ServerName ids.example.com
 SSLEngine on
 SSLProxyEngine on
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
 SSLProxyVerify none 
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off

 SSLProxyCheckPeerExpire off

 SSLCertificateKeyFile /etc/httpd/ssl/example.key 
 SSLCertificateFile    /etc/httpd/ssl/example.crt
 SSLVerifyClient require
 SSLVerifyDepth 10
 SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 ProxyPreserveHost on

 ProxyPass                   /       http://x.x.x.x:5008/
 ProxyPassReverse         /       http://x.x.x.x:5008/

</VirtualHost>



 # Main Site VirtualHost
<VirtualHost *:443>
 ServerName example.com
# SSL settings
 SSLEngine on
 SSLProxyEngine on
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
 SSLProxyVerify none 
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off
 SSLProxyCheckPeerExpire off
 SSLCertificateKeyFile /etc/httpd/ssl/example.key
 SSLCertificateFile    /etc/httpd/ssl/example.crt
# Client Verification
 SSLVerifyClient require
 SSLVerifyDepth 10
 SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
 RequestHeader set X-ARR-ClientCert "%{SSL_CLIENT_S_DN}s"
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Redirects
 ProxyPreserveHost on
 ProxyPass                /       http://x.x.x.x:5022/
 ProxyPassReverse         /       http://x.x.x.x:5022/
</VirtualHost>

Answer 1

错误在http.conf文件中

我本应使用 SSLCACertificateFile 指令SSLCACertificatePath 指令...

基本上发生的事情是我可以使用 DOD CAC pki 进行身份验证，但是一旦 dot.net 核心应用程序试图从一个服务器发送到另一个服务器，它就会出现握手错误，因为这些站点使用的是自签名证书。我的证书一直在正确的位置，但是它不信任它，因为 SSLCACertificateFile 指令说只信任这个，而不是信任这个目录中的所有内容。

Also my network guy recomends that in the future, it's a best practice to use the 
SSLCAcertificateFile, but to then combine your certs into one.

我真的希望这能为其他人节省我刚刚经历过的事情……我已经花了 40 个小时左右的时间来解决这个问题。从配置文件到代码库更改来回...