[英]Can't authenticate to Identity server SSL handshake error
背景。 我需要通過IdentityServer(IDS)讓我的站點進行身份驗證。 “example.com”
我正在使用DotNetCore構建我的所有站點使用apache將它們托管在代理服務器上讓我們調用私有ip 12.3.4.5。
他們應該如何工作。 我去網站example.com我應該能夠與ids.exampe.com交談獲取身份驗證信息,然后使用身份驗證令牌重新路由回example.com。 相反,我收到SSL握手錯誤。 見下文。
我特別要求幫助讓網站互相信任。
但是,如果我嘗試通過直接訪問IDS網站進行身份驗證,沒問題! 金! 正如您所看到的,只有當我嘗試在站點之間進行通信時才能解決此問題。
An unhandled exception occurred while processing the request.
OpenSslCryptographicException: error:14094410:SSL
routines:ssl3_read_bytes:sslv3 alert handshake failure
Unknown location
SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
Interop+OpenSsl.DoSslHandshake(SafeSslHandle context, byte[] recvBuf, int
recvOffset, int recvCount, out byte[] sendBuf, out int sendCount)
AuthenticationException: Authentication failed, see inner exception.
System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken
message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo
exception)
HttpRequestException: The SSL connection could not be established, see
inner exception.
System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream
stream, SslClientAuthenticationOptions sslOptions, CancellationToken
cancellationToken)
IOException: IDX20804: Unable to retrieve document from:
'https://ids.example.com/.well-known/openid-
configuration'.Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocu
mentAsync(string address, CancellationToken cancel)
InvalidOperationException: IDX20803: Unable to obtain configuration from:
'https://ids.example.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsyn c(CancellationToken取消)
httpd.conf ::
#ServerRoot“/ etc / httpd”LoadModule proxy_module modules / mod_proxy.so LoadModule proxy_http_module modules / mod_proxy_http.so LoadModule ssl_module modules / mod_ssl.so
<VirtualHost *:*>
RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
</VirtualHost>
<VirtualHost *:443>
ServerName ids.example.com
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateKeyFile /etc/httpd/ssl/example.key
SSLCertificateFile /etc/httpd/ssl/example.crt
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ProxyPreserveHost on
ProxyPass / http://x.x.x.x:5008/
ProxyPassReverse / http://x.x.x.x:5008/
</VirtualHost>
# Main Site VirtualHost
<VirtualHost *:443>
ServerName example.com
# SSL settings
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateKeyFile /etc/httpd/ssl/example.key
SSLCertificateFile /etc/httpd/ssl/example.crt
# Client Verification
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
RequestHeader set X-ARR-ClientCert "%{SSL_CLIENT_S_DN}s"
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Redirects
ProxyPreserveHost on
ProxyPass / http://x.x.x.x:5022/
ProxyPassReverse / http://x.x.x.x:5022/
</VirtualHost>
錯誤發生在http.conf文件中
當我應該使用SSLCACertificatePath指令時,我正在使用SSLCACertificateFile指令...
基本上發生的事情是我可以使用DOD CAC pki進行身份驗證,但是一旦dot.net核心應用程序嘗試從一個服務器發送到另一個服務器,它將獲得握手錯誤,因為這些站點使用的是自簽名證書。 我的證書一直在正確的位置,但是它不信任它,因為SSLCACertificateFile指令只表示信任,反對信任此目錄中的所有內容。
Also my network guy recomends that in the future, it's a best practice to use the
SSLCAcertificateFile, but to then combine your certs into one.
我真的希望這會拯救別人我剛剛去過的地方......我現在已經困難了40個小時。 從配置文件來回轉換到代碼庫更改......
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.