c# - 使用公共(public)中间证书获取 Azure Function App 到 https(APIM) 端点调用的部分链异常

Question

我正在尝试在 Linux 操作系统中运行的 azure 函数应用程序(C#)中使用 HttpClient 进行 https 调用。

证书(.cer)是 CA 签名的中间证书(具有链到根证书)，上传到 Function App 的公共(public)证书中，以便在函数应用程序中使用。

这是我用来创建 HttpClient 的函数应用程序代码:

 static HttpClient GetHttpClient()
    {
        string certificatePath = "var/ssl/certs/certificatethumprint.der";          

        if (certificatePath == null) {
            throw new Exception("Environment Variable is null");
        }
        HttpClient httpClient = null;
        var bytes = File.ReadAllBytes(certificatePath);
        X509Certificate2 cert = new(bytes);
        handler = new HttpClientHandler();           
        handler.ClientCertificates.Add(cert);
        if (handler != null)
        {
            httpClient = new HttpClient(handler);
        }           
        return httpClient;
    }

这是使用 httpClient 的代码:

 static HttpClient httpClient = GetHttpClient();


 HttpRequestMessage httpWebRequest = GetHttpRequest(messageBody, log);
                HttpResponseMessage response = null;

                try {
                    response = await httpClient.SendAsync(httpWebRequest);
                }

Get HttpRequest 返回带有请求参数的 HttpRequest。

当我使用上面的代码时，我收到此异常:

Exception occurred during http call:The SSL connection could not be established, see inner exception.stackTrace: at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)at System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)at Function.FunctionApp.FunctionApp.Method(Parameter parameter) in /opt/vsts-agent-linux-x64-2.173.0.tar.gz/_work/1/s/Function/Function.FunctionApp/FunctionApp.cs:line 116type: System.Net.Http.HttpRequestExceptionInnerException: System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChainat System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)

异常消息:

无法建立 SSL 连接，请参阅内部异常。 ---> System.Security.Authentication.AuthenticationException:由于证书链中的错误，远程证书无效:PartialChain

我不想使用下面的代码强制验证证书，因为我需要在生产中部署它，并且这不是生产环境的最佳实践:

 handler = new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual,
            ServerCertificateCustomValidationCallback =
            (httpRequestMessage, cert, cetChain, policyErrors) =>
            {
                return true; //Not a best practice/ not safe
            },
            SslProtocols = SslProtocols.Tls12
        };

任何建议/帮助将不胜感激。

根据建议，当我没有使用任何证书从客户端进行 https 调用时，我收到此异常:

Error when sending the http request: The SSL connection could not be established, see inner exception.Information2022-11-23 19:11:56.999System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception) at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions) at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm) at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken) --- End of inner exception stack trace --- at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request) at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessa

Answer 1

当您连接到安全服务器时，只有服务器需要证书。我不完全理解你对 HttpClient 和服务器做了什么，但至少在 GetHttpClient() 中，我认为不需要自己设置证书。希望这有帮助!