[英]Self signed certificates don't work with self hosted Gateway
我遵循了中提到的步驟: https : //docs.microsoft.com/en-us/azure/api-management/api-management-howto-ca-certificates#create-custom-ca-for-self-hosted-gateway
並將自簽名證書作為 pfx 文件添加到 azure apim。 然后我使用了這個 Rest API: https ://docs.microsoft.com/en-us/azure/api-management/api-management-howto-ca-certificates#:~: text= Gateway%20Certificate%20Authority% 20- %20創建%20或%20更新
將證書連接到自托管網關,然后向我的 API 添加策略,如本頁所示: https : //docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-政策#validate-client-certificate
證書是使用以下工作流程創建的:
pwd='Pa$$w0rd'
pfxFilePath='selfsigncert.pfx'
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out selfsigncert.crt -subj /CN=localhost
openssl pkcs12 -export -out $pfxFilePath -inkey privateKey.key -in selfsigncert.crt -password pass:$pwd
openssl pkcs12 -in selfsigncert.pfx -out selfsigncert.pem -nodes
出於測試目的禁用了密鑰身份驗證。
現在的問題是,如果我嘗試使用 curl 訪問我的自托管網關,則它不起作用。 根據我使用的 curl 版本,我收到不同的錯誤消息:
curl 的預裝版本:
C:\path>curl -v https://localhost:80/echo/resource?param1=sample --cert-type pem --cert selfsigncert.pem --tls-max 1.2
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
* schannel: SSL/TLS connection with localhost port 80 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 180 bytes...
* schannel: sent initial handshake data: sent 180 bytes
* schannel: SSL/TLS connection with localhost port 80 (step 2/3)
* schannel: encrypted data got 120
* schannel: encrypted data buffer: offset 120 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
* Closing connection 0
* schannel: shutting down SSL/TLS connection with localhost port 80
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
和最新版本的 curl:
C:\curl\bin>curl -v https://localhost:80/echo/resource?param1=sample --cert-type pem --cert selfsigncert.pem --tls-max 1.2
* Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: C:\curl\bin\curl-ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* (5454) (IN), , Unknown (72):
* error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number
謝謝您的幫助。
解決方案是在創建證書期間提供正確的通用名稱/DNS 名稱。 之后,必須在自托管網關的網關面板內創建網關主機名並添加上傳的證書,然后選中復選框協商客戶端證書。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.