Background: I need to get my site ("example.com") to authenticate through IdentityServer (IDS).
I'm building all of my sites with DotNetCore, hosting them on a proxy server using Apache; let's call the private IP 12.3.4.5.
How they should work: I go to site example.com, I should be able to talk to ids.example.com, get authentication info and then be rerouted back to example.com with an auth token. Instead, I get an SSL handshake error. See below.
I'm specifically asking for help with getting the sites to trust one another.
However, if I try to authenticate by going directly to the IDS site, no problem!! Golden! So as you can see, it's only when I try to communicate between sites that I get this issue.
An unhandled exception occurred while processing the request.
OpenSslCryptographicException: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Unknown location
SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
Interop+OpenSsl.DoSslHandshake(SafeSslHandle context, byte[] recvBuf, int recvOffset, int recvCount, out byte[] sendBuf, out int sendCount)
AuthenticationException: Authentication failed, see inner exception.
System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
HttpRequestException: The SSL connection could not be established, see inner exception.
System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
IOException: IDX20804: Unable to retrieve document from: 'https://ids.example.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://ids.example.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsync(CancellationToken cancel)
httpd.conf ::
# ServerRoot "/etc/httpd"
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:*>
RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
</VirtualHost>
<VirtualHost *:443>
ServerName ids.example.com
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateKeyFile /etc/httpd/ssl/example.key
SSLCertificateFile /etc/httpd/ssl/example.crt
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ProxyPreserveHost on
ProxyPass / http://x.x.x.x:5008/
ProxyPassReverse / http://x.x.x.x:5008/
</VirtualHost>
# Main Site VirtualHost
<VirtualHost *:443>
ServerName example.com
# SSL settings
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateKeyFile /etc/httpd/ssl/example.key
SSLCertificateFile /etc/httpd/ssl/example.crt
# Client Verification
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
RequestHeader set X-ARR-ClientCert "%{SSL_CLIENT_S_DN}s"
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Redirects
ProxyPreserveHost on
ProxyPass / http://x.x.x.x:5022/
ProxyPassReverse / http://x.x.x.x:5022/
</VirtualHost>
The error was in the httpd.conf file.
I was using the SSLCACertificateFile directive when I should have been using the SSLCACertificatePath directive...
Basically what was happening was I could authenticate with a DoD CAC PKI, but once the .NET Core app tried to send info from one server to the other, it would get a handshake error because the sites were using a self-signed cert. My cert was in the correct place all along; however, it was not trusting it because the SSLCACertificateFile directive says only trust this, as opposed to trust everything in this directory.
Also, my network guy recommends that in the future, it's a best practice to use SSLCACertificateFile, but to then combine your certs into one.
I really hope this will save someone else what I just went through... I have been troubleshooting this for 40 hours or so now, going back and forth from config files to code base changes...
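The two trust-store layouts contrasted in the answer, as an added example that is not part of the original post: it generates stand-in CAs with openssl (every CA name, key and path is constructed here) and shows that a bundle holding only the DoD CA cannot validate a certificate issued by the site's own CA, while a combined bundle (the network guy's advice) or a hash-named directory of the kind SSLCACertificatePath expects can.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post: build the two trust-anchor
# layouts Apache mod_ssl accepts (one PEM bundle for SSLCACertificateFile, a
# hash-named directory for SSLCACertificatePath) and check a leaf cert against
# each with openssl verify. All CAs, names and paths are constructed here.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed PKI
make_ca() {    # make_ca NAME: self-signed CA cert + key in $WORK
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
make_leaf() {  # make_leaf NAME CA: leaf cert issued by CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 2 -out "$WORK/$1.crt" >/dev/null 2>&1
}
# SSLCACertificateFile style: one file, which may simply be several CA
# certs concatenated (the "combine your certs into one" advice).
build_bundle() {  # build_bundle OUT CA...
  out="$1"; shift; : > "$out"
  for ca in "$@"; do cat "$WORK/$ca.crt" >> "$out"; done
}
# SSLCACertificatePath style: a directory in which each CA is reachable
# through a symlink named <subject-hash>.<n>, the layout c_rehash produces.
build_capath() {  # build_capath DIR CA...
  dir="$1"; shift; rm -rf "$dir"; mkdir -p "$dir"
  for ca in "$@"; do
    cp "$WORK/$ca.crt" "$dir/$ca.pem"
    h=$(openssl x509 -noout -hash -in "$dir/$ca.pem")
    i=0; while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
    ln -s "$ca.pem" "$dir/$h.$i"
  done
}
verify_with() {   # verify_with -CAfile|-CApath STORE LEAF -> prints OK or FAIL
  openssl verify "$1" "$2" "$WORK/$3.crt" >/dev/null 2>&1 && echo OK || echo FAIL
}
setup() { make_ca dod_ca; make_ca site_ca; make_leaf site_leaf site_ca; }
# The post's situation with stand-in CAs: a bundle holding only the DoD CA
# cannot validate a cert issued by the site's own CA; adding that CA to the
# bundle, or pointing at a hashed directory that contains it, succeeds.
check_dod_only() { build_bundle "$WORK/dod.pem" dod_ca;         verify_with -CAfile "$WORK/dod.pem" site_leaf; }
check_combined() { build_bundle "$WORK/all.pem" dod_ca site_ca; verify_with -CAfile "$WORK/all.pem" site_leaf; }
check_capath()   { build_capath "$WORK/cadir" dod_ca site_ca;   verify_with -CApath "$WORK/cadir" site_leaf; }
setup
printf 'DoD-only bundle: %s\ncombined bundle: %s\nhashed directory: %s\n' \
  "$(check_dod_only)" "$(check_combined)" "$(check_capath)"
```

Point Apache at `$WORK/all.pem` via SSLCACertificateFile or at `$WORK/cadir` via SSLCACertificatePath to reproduce the two configurations the answer compares.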