我创建了一个 gRPC WebService (netcoreapp3.1),它托管在使用 C# 的 docker 容器中。它在本地运行良好。
我使用以下 dockerfile 进行 docker 构建:
FROM mcr.microsoft.com/dotnet/core/aspnet:3.1
# USER ContainerAdministrator
WORKDIR /app
EXPOSE 443
WORKDIR /app
COPY publish .
ENTRYPOINT ["dotnet", "MyService.dll"]
在 Ubuntu 20.4 机器上,我通过以下方式启动容器
docker run --rm -it -p 32555:443 -e ASPNETCORE_URLS="https://+" -e ASPNETCORE_HTTPS_PORT=443 -e ASPNETCORE_Kestrel__Certificates__Default__Password=secretpassword -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/ourdomain.de.pfx -v /home/user/.aspnet/https:/https/ myservice
这会产生以下输出
info: Microsoft.Hosting.Lifetime[0]
Now listening on: https://[::]:443
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
Content root path: /app
ourdomain.de.pfx 是我的管理员为我们的域创建的。
如果我从客户端调用服务,我会得到一个执行
Error on call 'CreateGaebAsync' with SSL certificate check: Status(StatusCode=Internal, Detail="Error starting gRPC call. HttpRequestException: The SSL connection could not be established, see inner exception. AuthenticationException: The remote certificate is invalid according to the validation procedure.")
为了获得更多信息,我向 GrpcChannel 添加了一个 HttpClientHandler
private GrpcChannel CreateGrpcChannelWithDangerousIgnoreSslCertificate()
{
var httpHandler = new HttpClientHandler();
httpHandler.ServerCertificateCustomValidationCallback = DangerousServerCertificateCustomValidationCallback;
var httpClient = new HttpClient(httpHandler);
return GrpcChannel.ForAddress(serviceUri, new GrpcChannelOptions() { HttpClient = httpClient });
}
private bool DangerousServerCertificateCustomValidationCallback(HttpRequestMessage arg1, X509Certificate2 arg2, X509Chain arg3, SslPolicyErrors arg4)
{
Console.WriteLine(arg1);
Console.WriteLine("X509Certificate2:");
Console.WriteLine(arg2);
Console.WriteLine("X509Chain:");
Console.WriteLine(arg3);
Console.WriteLine("SslPolicyErrors:");
Console.WriteLine(arg4);
// No check of Certificate is done so this will accept any response.
// For production this has to be fixed by acceptiong only valid SSL certificates!!!
return true;
}
验证回调生成以下输出
Method: POST, RequestUri: 'https://computername.ourdomain.de:32555/mysvc.TextService/CreateText',
Version: 2.0, Content: Grpc.Net.Client.Internal.PushUnaryContent`2[MyService.CreateTextRequest,MyService.CraeteTextReply],
Headers:
{
User-Agent: grpc-dotnet/2.29.0.0
TE: trailers
grpc-accept-encoding: identity,gzip
Transfer-Encoding: chunked
Content-Type: application/grpc
}
X509Certificate2:
[Subject]
CN=localhost
[Issuer]
CN=localhost
[Serial Number]
00F059E1CA7B219BF3
[Not Before]
09.06.2020 07:29:50
[Not After]
09.06.2021 07:29:50
[Thumbprint]
E272ACFB1C55B28A6ED08A0AFD2F7D97801447AF
X509Chain:
System.Security.Cryptography.X509Certificates.X509Chain
SslPolicyErrors:
RemoteCertificateNameMismatch, RemoteCertificateChainErrors
我希望看到来自 ourdomain.de.pfx 的证书信息,但我得到的似乎暗示 ASPNETCORE_Kestrel__Certificates__Default__Path=/https/ourdomain.de.pfx 给出的证书被忽略了?!
我几乎没有证书的经验...
如果我使用错误的密码或 pfx 的错误名称启动容器,我会收到相应的错误消息。所以在我看来,网络服务应该使用正确的。
因为我不确定是否必须设置容器内的端口(443)或主机的映射端口(32555),所以我改变了
ASPNETCORE_HTTPS_PORT=443
经过
ASPNETCORE_HTTPS_PORT=32555
当运行 docker 容器没有成功时。
你能解释一下,我错过了什么,好吗?
最佳答案
除了你自己,不要相信任何人。
我从原始文件重新生成了 ubuntu 主机上的 pfx,并且 SSL 连接按预期工作。
sudo openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt
关于docker - docker 中的 ASP.net 核心 gRPC 服务回复错误的 ssl 证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62302000/