根据SqlClient的验证过程,远程证书无效

时间:2019-09-19 06:02:45

标签: kubernetes .net-core google-kubernetes-engine

我正在使用MyHealthClinic应用程序(https://azuredevopslabs.com/labs/vstsextend/kubernetes/),它是.NET Core前端和后端Kubernetes群集,并部署到Google Kubernetes Engine尝试连接到SQL Server VM,但收到CrashLoopBackOff错误提取我推送的图片后,pod尝试启动时:

Unhandled Exception: System.Data.SqlClient.SqlException: A connection was successfully 
established with the server, but then an error occurred during the pre-login handshake. 
(provider: TCP Provider, error: 35 - An internal exception was caught) ---> 
System.Security.Authentication.AuthenticationException: The remote certificate is invalid 
according to the validation procedure. at 
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken ...

我已经检查了我的appsettings.json,并且似乎设置为:

"DefaultConnection": "Server={my-external-IP},1433;Initial Catalog=mhcdb;Persist Security Info=False;User ID={sqlusername};Password={sqlpassword};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"

我也确认了:

  • 可从前端群集和本地计算机上的所有外部IP访问SQL VM
  • 计算机上的防火墙和VPC网络的防火墙允许使用端口1433
  • 我可以使用与SQL VM和凭据相同的IP从本地计算机成功连接
  • 连接字符串的IP指定为不带http / https

还有其他地方可以检查并尝试解决此问题吗?我能够将群集无问题地部署到Azure中的AKS,但不确定GKE是否可能阻止群集的出站连接。到目前为止,我发现的唯一类似问题与SMTP服务器有关。我对GKE有点陌生,所以任何想法都会有所帮助。

如果有帮助,这是我的部署YAML文件(对于AKS集群保持相同,因此不确定是否需要专门针对GKE进行更改):

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: mhc-back
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mhc-back
    spec:
      containers:
      - name: mhc-back
        image: redis
        ports:
        - containerPort: 6379
          name: redis

---

apiVersion: v1
kind: Service
metadata:
  name: mhc-back
spec:
  ports:
  - port: 6379
  selector:
    app: mhc-back

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: mhc-front
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5 
  template:
    metadata:
      labels:
        app: mhc-front
    spec:
      containers:
      - name: mhc-front
        image: {gcr.io/[Project-Id]}/myhealth.web:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 80
        resources:
          requests:
            cpu: 250m
          limits:
            cpu: 500m
        env:
        - name: REDIS
          value: "mhc-back"

---

apiVersion: v1
kind: Service
metadata:
  name: mhc-front
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: mhc-front

1 个答案:

答案 0 :(得分:0)

开始研究为什么远程证书(SQL)无效后,我将连接字符串更改为包括TrustServerCertificate = True。由于这是一个演示环境,并且我保持Encrypt = True,所以看起来这可以解决所有问题!如果有人认为绕过服务器证书行事是个坏主意,请告诉我。 

"DefaultConnection": "Server={my-external-IP},1433;Initial Catalog=mhcdb;Persist Security Info=False;User ID={sqlusername};Password={sqlpassword};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;Connection Timeout=30;"
相关问题
最新问题