ASP.net核心gRPC服务在码头用错误的gRPC证书应答

Question

我创建了一个gRPC WebService (netcoreapp3.1)，它托管在带有C#的坞容器中。它在当地运行良好。我使用以下dockerfile构建了一个码头：

FROM mcr.microsoft.com/dotnet/core/aspnet:3.1
# USER ContainerAdministrator
WORKDIR /app
EXPOSE 443

WORKDIR /app
COPY publish .

ENTRYPOINT ["dotnet", "MyService.dll"]

在Ubuntu20.4机器上，我通过

docker run --rm -it -p 32555:443 -e ASPNETCORE_URLS="https://+" -e ASPNETCORE_HTTPS_PORT=443 -e ASPNETCORE_Kestrel__Certificates__Default__Password=secretpassword -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/ourdomain.de.pfx  -v /home/user/.aspnet/https:/https/ myservice

产生以下输出的

info: Microsoft.Hosting.Lifetime[0]
      Now listening on: https://[::]:443
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
      Content root path: /app

ourdomain.de.pfx是由我的管理员为我们的域创建的。如果我从客户端调用服务，我会得到一个请求。

使用SSL证书检查的

CreateGaebAsync错误:状态(StatusCode=Internal，Detail=“启动gRPC调用的错误。HttpRequestException:无法建立SSL连接，请参阅内部异常。AuthenticationException:根据验证过程，远程证书无效。”)

为了获得更多的信息，我在GrpcChannel中添加了一个GrpcChannel

    private GrpcChannel CreateGrpcChannelWithDangerousIgnoreSslCertificate()
            {
                var httpHandler = new HttpClientHandler();
                httpHandler.ServerCertificateCustomValidationCallback = DangerousServerCertificateCustomValidationCallback;
                var httpClient = new HttpClient(httpHandler);
                return GrpcChannel.ForAddress(serviceUri, new GrpcChannelOptions() { HttpClient = httpClient });
            }
    private bool DangerousServerCertificateCustomValidationCallback(HttpRequestMessage arg1, X509Certificate2 arg2, X509Chain arg3, SslPolicyErrors arg4)
        {
            Console.WriteLine(arg1);
            Console.WriteLine("X509Certificate2:");
            Console.WriteLine(arg2);
            Console.WriteLine("X509Chain:");
            Console.WriteLine(arg3);
            Console.WriteLine("SslPolicyErrors:");
            Console.WriteLine(arg4);
            // No check of Certificate is done so this will accept any response.
            // For production this has to be fixed by acceptiong only valid SSL certificates!!!
            return true;
        }

验证回调将生成以下输出

Method: POST, RequestUri: 'https://computername.ourdomain.de:32555/mysvc.TextService/CreateText',
    Version: 2.0, Content: Grpc.Net.Client.Internal.PushUnaryContent`2[MyService.CreateTextRequest,MyService.CraeteTextReply],
 Headers: 
 { 
   User-Agent:    grpc-dotnet/2.29.0.0 
   TE: trailers 
   grpc-accept-encoding: identity,gzip 
   Transfer-Encoding: chunked 
   Content-Type: application/grpc 
 } 
 X509Certificate2:
 [Subject] 
   CN=localhost 
 [Issuer] 
   CN=localhost 
 [Serial Number]
   00F059E1CA7B219BF3 
 [Not Before]
   09.06.2020 07:29:50 
 [Not After]
   09.06.2021 07:29:50 
 [Thumbprint]
   E272ACFB1C55B28A6ED08A0AFD2F7D97801447AF 
X509Chain: 
System.Security.Cryptography.X509Certificates.X509Chain 
SslPolicyErrors: 
RemoteCertificateNameMismatch, RemoteCertificateChainErrors

我希望看到来自ASPNETCORE_Kestrel__Certificates__Default__Path=/https/ourdomain.de.pfx的证书信息，但是我得到的信息似乎意味着在ourdomain.de.pfx上提供的证书被忽略了？！我几乎没有证书的经验.如果我使用错误的密码或pfx的错误名称启动容器，则会得到适当的错误消息。因此，在我看来，webservice应该使用正确的服务。因为我不确定是否必须在容器(443)或主机的映射端口(32555)内设置端口，所以我更改了

 ASPNETCORE_HTTPS_PORT=443

通过

ASPNETCORE_HTTPS_PORT=32555

在运行码头容器时没有成功。你能解释一下我错过了什么吗？

Answer 1

除了你自己别相信任何人。

我从原始文件中重新生成了ubuntu主机上的pfx，SSL连接正在按预期工作。

sudo openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt