背景。我需要让我的网站通过IdentityServer(IDS)进行身份验证。 “ example.com”
我正在使用DotNetCore构建所有站点 使用apache将它们托管在代理服务器上,我们将其称为私有ip 12.3.4.5。
它们应该如何工作。我转到example.com网站,我应该能够与ids.exampe.com进行交流,以获取身份验证信息,然后使用身份验证令牌将其重新路由回example.com。相反,我收到一个SSL握手错误。见下文。
我正在特别寻求帮助,以使网站相互信任。
但是,如果我尝试直接进入IDS站点进行身份验证,那就没问题了!!金!如您所见,只有当我尝试在站点之间进行通信时,我才会遇到此问题。
An unhandled exception occurred while processing the request.
OpenSslCryptographicException: error:14094410:SSL
routines:ssl3_read_bytes:sslv3 alert handshake failure
Unknown location
SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
Interop+OpenSsl.DoSslHandshake(SafeSslHandle context, byte[] recvBuf, int
recvOffset, int recvCount, out byte[] sendBuf, out int sendCount)
AuthenticationException: Authentication failed, see inner exception.
System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken
message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo
exception)
HttpRequestException: The SSL connection could not be established, see
inner exception.
System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream
stream, SslClientAuthenticationOptions sslOptions, CancellationToken
cancellationToken)
IOException: IDX20804: Unable to retrieve document from:
'https://ids.example.com/.well-known/openid-
configuration'.Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocu
mentAsync(string address, CancellationToken cancel)
InvalidOperationException: IDX20803: Unable to obtain configuration from:
'https://ids.example.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsyn c(CancellationToken cancel)
httpd.conf ::
# ServerRoot“ / etc / httpd” LoadModule proxy_module modules / mod_proxy.so LoadModule proxy_http_module模块/mod_proxy_http.so LoadModule ssl_module modules / mod_ssl.so
<VirtualHost *:*>
RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
</VirtualHost>
<VirtualHost *:443>
ServerName ids.example.com
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateKeyFile /etc/httpd/ssl/example.key
SSLCertificateFile /etc/httpd/ssl/example.crt
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ProxyPreserveHost on
ProxyPass / http://x.x.x.x:5008/
ProxyPassReverse / http://x.x.x.x:5008/
</VirtualHost>
# Main Site VirtualHost
<VirtualHost *:443>
ServerName example.com
# SSL settings
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateKeyFile /etc/httpd/ssl/example.key
SSLCertificateFile /etc/httpd/ssl/example.crt
# Client Verification
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/httpd/ssl/DoD_CAs.pem
RequestHeader set X-ARR-ClientCert "%{SSL_CLIENT_S_DN}s"
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Redirects
ProxyPreserveHost on
ProxyPass / http://x.x.x.x:5022/
ProxyPassReverse / http://x.x.x.x:5022/
</VirtualHost>
答案 0 :(得分:0)
错误出在http.conf文件中
本应使用SSLCACertificateFile指令 SSLCACertificatePath指令...
基本上发生了什么事,我可以通过DOD CAC pki进行身份验证,但是一旦dot.net核心应用尝试从一个服务器发送到另一个服务器,由于站点使用自签名,它将出现握手错误证书我的证书一直以来都在正确的位置,但是它不信任它,因为SSLCACertificateFile指令说仅信任此文件,而不是信任此目录中的所有内容。
Also my network guy recomends that in the future, it's a best practice to use the
SSLCAcertificateFile, but to then combine your certs into one.
我真的希望这可以节省其他人我刚刚经历的事情……现在拍摄40个小时左右一直很麻烦。从配置文件来回,更改代码库...