gpt4 book ai didi

docker - ASP.NET Core Web API 客户端不信任 Identity Server 实例使用的自签名证书

转载 作者:行者123 更新时间:2023-12-02 18:03:34 24 4
gpt4 key购买 nike

这是 this question 的后续.
我使用以下脚本生成并信任了自签名证书:

#create a SAN cert for both host.docker.internal and localhost
#$cert = New-SelfSignedCertificate -DnsName "host.docker.internal", "localhost" -CertStoreLocation "cert:\LocalMachine\Root"
# does not work: New-SelfSignedCertificate : A new certificate can only be installed into MY store.
$cert = New-SelfSignedCertificate -DnsName "host.docker.internal", "localhost" -CertStoreLocation cert:\localmachine\my

#export it for docker container to pick up later
$password = ConvertTo-SecureString -String "password_here" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "$env:USERPROFILE\.aspnet\https\aspnetapp.pfx" -Password $password

# trust it on your host machine
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store [System.Security.Cryptography.X509Certificates.StoreName]::Root,"LocalMachine"
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()
访问时 https://host.docker.internal:5500/.well-known/openid-configurationhttps://localhost:5500/.well-known/openid-configuration在主机上,它按预期工作(证书没问题)。
但是,容器中运行的 Web API 应用程序对此并不满意:
web_api          | System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://host.docker.internal:5500/.well-known/openid-configuration'.
web_api | ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://host.docker.internal:5500/.well-known/openid-configuration'.
web_api | ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
web_api | ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
web_api | at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
API 的 docker-compose 文件如下(仅相关部分):
  web.api:
image: web_api_image
build:
context: .
dockerfile: ProjectApi/Dockerfile
environment:
- ASPNETCORE_ENVIRONMENT=ContainerDev
container_name: web_api
ports:
- "5600:80"
networks:
- backend
- data_layer
depends_on:
- identity.server
- mssqlserver
- web.cache

identity.server:
image: identity_server_image
build:
context: .
dockerfile: MyProject.IdentityServer/Dockerfile
environment:
- ASPNETCORE_ENVIRONMENT=ContainerDev
- ASPNETCORE_URLS=https://+:443;http://+:80
- ASPNETCORE_Kestrel__Certificates__Default__Password=password_here
- ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx
volumes:
- ~/.aspnet/https:/https:ro
container_name: identity_server
ports:
- "5500:443"
- "5501:80"
networks:
- backend
- data_layer
depends_on:
- mssqlserver
我怎样才能使这项工作?

对身份服务器的调用是通过在 API 客户端中设置安全性来使用它来完成的(没有显式的 HTTPS 调用):
/// <summary>
/// configures authentication and authorization
/// </summary>
/// <param name="services"></param>
/// <param name="configuration"></param>
public static void ConfigureSecurity(this IServiceCollection services, IConfiguration configuration)
{
string baseUrl = configuration.GetSection("Idam").GetValue<string>("BaseUrl");
Console.WriteLine($"Authentication server base URL = {baseUrl}");

services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(o =>
{
o.MetadataAddress = $"{baseUrl}/.well-known/openid-configuration";
o.Authority = "dev_identity_server";
o.Audience = configuration.GetSection("Idam").GetValue<string>("Audience");
o.RequireHttpsMetadata = false;
});

services.AddAuthorization();
}

身份服务器配置
public void ConfigureServices(IServiceCollection services)
{
string connectionStr = Configuration.GetConnectionString("Default");
Console.WriteLine($"[Identity server] Connection string = {connectionStr}");

services.AddDbContext<AppIdentityDbContext>(options => options.UseSqlServer(connectionStr));

services.AddTransient<AppIdentityDbContextSeedData>();


services.AddIdentity<AppUser, IdentityRole>()
.AddEntityFrameworkStores<AppIdentityDbContext>()
.AddDefaultTokenProviders();

services.AddIdentityServer(act =>
{
act.IssuerUri = "dev_identity_server";
})
.AddDeveloperSigningCredential()
// this adds the operational data from DB (codes, tokens, consents)
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder => builder.UseSqlServer(Configuration.GetConnectionString("Default"));
// this enables automatic token cleanup. this is optional.
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30; // interval in seconds
})
//.AddInMemoryPersistedGrants()
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients(Configuration))
.AddAspNetIdentity<AppUser>();

services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo(@"\\UNC-PATH"));

services.AddTransient<IProfileService, IdentityClaimsProfileService>();

services.AddCors(options => options.AddPolicy("AllowAll", p => p.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()));

services.AddMvc(options =>
{
options.EnableEndpointRouting = false;
}).SetCompatibilityVersion(CompatibilityVersion.Latest);
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public static void Configure(IApplicationBuilder app, IWebHostEnvironment env,
ILoggerFactory loggerFactory, AppIdentityDbContextSeedData seeder)
{
seeder.SeedTestUsers();
IdentityModelEventSource.ShowPII = true;

if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}

app.UseExceptionHandler(builder =>
{
builder.Run(async context =>
{
context.Response.StatusCode = (int)HttpStatusCode.InternalServerError;
context.Response.Headers.Add("Access-Control-Allow-Origin", "*");

var error = context.Features.Get<IExceptionHandlerFeature>();
if (error != null)
{
context.Response.AddApplicationError(error.Error.Message);
await context.Response.WriteAsync(error.Error.Message).ConfigureAwait(false);
}
});
});

// app.UseHttpsRedirection();

app.UseStaticFiles();
app.UseCors("AllowAll");
app.UseIdentityServer();

app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}

最佳答案

几次尝试后,我放弃了让 docker 容器信任由 New-SelfSignedCertificate 生成的证书的尝试。 (您可以尝试让它工作 - 概念完全相同,只是证书在某种程度上有所不同)。然而,我确实在 OpenSSL 上取得了成功:

$certPass = "password_here"
$certSubj = "host.docker.internal"
$certAltNames = "DNS:localhost,DNS:host.docker.internal,DNS:identity_server" # i believe you can also add individual IP addresses here like so: IP:127.0.0.1
$opensslPath="path\to\openssl\binaries" #assuming you can download OpenSSL, I believe no installation is necessary
$workDir="path\to\your\project" # i assume this will be your solution root
$dockerDir=Join-Path $workDir "ProjectApi" #you probably want to check if my assumptions about your folder structure are correct

#generate a self-signed cert with multiple domains
Start-Process -NoNewWindow -Wait -FilePath (Join-Path $opensslPath "openssl.exe") -ArgumentList "req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ",
(Join-Path $workDir aspnetapp.key),
"-out", (Join-Path $dockerDir aspnetapp.crt),
"-subj `"/CN=$certSubj`" -addext `"subjectAltName=$certAltNames`""

# this time round we convert PEM format into PKCS#12 (aka PFX) so .net core app picks it up
Start-Process -NoNewWindow -Wait -FilePath (Join-Path $opensslPath "openssl.exe") -ArgumentList "pkcs12 -export -in ",
(Join-Path $dockerDir aspnetapp.crt),
"-inkey ", (Join-Path $workDir aspnetapp.key),
"-out ", (Join-Path $workDir aspnetapp.pfx),
"-passout pass:$certPass"

$password = ConvertTo-SecureString -String $certPass -Force -AsPlainText
$cert = Get-PfxCertificate -FilePath (Join-Path $workDir "aspnetapp.pfx") -Password $password

# and still, trust it on your host machine
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store [System.Security.Cryptography.X509Certificates.StoreName]::Root,"LocalMachine"
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

我使用普通的 Ubuntu 镜像来测试这个 wget但快速检查表明 Microsoft 镜像将支持相同的构建步骤:
FROM ubuntu:14.04

RUN apt-get update \
&& apt-get install -y wget \
&& rm -rf /var/lib/apt/lists/*

USER root
###### you probably only care about the following three lines
ADD ./aspnetapp.crt /usr/local/share/ca-certificates/asp_dev/
RUN chmod -R 644 /usr/local/share/ca-certificates/asp_dev/
RUN update-ca-certificates --fresh
######

ENTRYPOINT tail -f /dev/null

我的 docker-compose和你的差不多。为了完整起见,我将在此处列出:

version: '3'
services:
web_api:
build: ./ProjectApi
container_name: web_api
ports:
- "5600:80"
depends_on:
- identity_server

identity_server:
image: mcr.microsoft.com/dotnet/core/samples:aspnetapp
environment:
- ASPNETCORE_URLS=https://+:443;http://+:80
- ASPNETCORE_Kestrel__Certificates__Default__Password=password_here
- ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx
volumes:
- ~/.aspnet/https/:/https/:ro
container_name: identity_server
ports:
- "5500:443"
- "5501:80"

综上所述,我还没有测试在容器上将实际的 .net 核心应用程序作为客户端运行 - 我的测试非常简单 wget https://identity_server.docker.internal命令行。

因此,您仍有可能遇到问题。这可能是因为某些应用程序使用了它们自己的受信任证书 - 请参阅此 SE thread了解更多背景信息。

但希望从这里开始会很顺利。

关于docker - ASP.NET Core Web API 客户端不信任 Identity Server 实例使用的自签名证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62065739/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com